25.04.2018 07:48:41 An account was successfully logged on....
25.04.2018 07:48:40 An account was successfully logged on....
24.04.2018 18:18:17 An account was successfully logged on....
...
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
This output is hard to work with. If you want to automate anything based on this text, you have to parse it.
There is a much simpler way: the message you see is only a text template into which Windows inserts the relevant values as "replacement strings". Those values are part of the event data that Get-EventLog returns. They are stored in an array whose layout is specific to each event ID.
Once you have determined which piece of information lives in which array element, extracting the fields you care about is easy:
Get-EventLog -LogName Security -InstanceId 4624 | ForEach-Object {
    # translate the raw data into a new object
    # (the index positions in ReplacementStrings are specific to event ID 4624
    #  and to the Windows version that wrote the log; verify them on your system)
    [PSCustomObject]@{
        Time = $_.TimeGenerated
        User = "{0}\{1}" -f $_.ReplacementStrings[5], $_.ReplacementStrings[6]
        Type = $_.ReplacementStrings[10]
        Path = $_.ReplacementStrings[17]
    }
}
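As an added example that is not part of the original tip, the same idea using Get-WinEvent and the event's XML, so that the 4624 fields are addressed by name (TargetUserName, LogonType, IpAddress, ...) instead of by array position, followed by a per-account summary of logon types. The function name ConvertFrom-LogonEvent and the logon-type lookup table are my own; the table uses the type codes Microsoft documents for event 4624.

```powershell
# Logon type codes as documented for event 4624
$logonTypeNames = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'
    7 = 'Unlock'; 8 = 'NetworkCleartext'; 9 = 'NewCredentials'
    10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

function ConvertFrom-LogonEvent {
    # Hypothetical helper (assumption): flatten one 4624 record into an object
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        # EventData/Data elements carry a Name attribute, so we can key by name
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $type = [int]$data['LogonType']
        $typeName = if ($logonTypeNames.ContainsKey($type)) { $logonTypeNames[$type] } else { "Other($type)" }
        [PSCustomObject]@{
            Time        = $Event.TimeCreated
            User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType   = $type
            TypeName    = $typeName
            Package     = $data['AuthenticationPackageName']
            SourceIP    = $data['IpAddress']
            Workstation = $data['WorkstationName']
            Process     = $data['ProcessName']
        }
    }
}

# Read the most recent 4624 events (reading the Security log needs an elevated session)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 500 |
    ConvertFrom-LogonEvent

# Which accounts logged on, and how often with which logon type
$events | Group-Object User, TypeName | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Network (3) and remote interactive (10) logons that came from another host
$events | Where-Object { $_.LogonType -in 3, 10 -and $_.SourceIP -notin '-', '127.0.0.1', '::1' } |
    Select-Object Time, User, TypeName, Package, SourceIP, Workstation | Format-Table -AutoSize
```

Because the fields are looked up by name, the script keeps working when a newer Windows build adds or reorders entries in the event data.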