I am trying to analyze records in the Windows Security log, and I am having some trouble pulling specific values out of certain logon/logoff events. Let's look at a concrete example; this is the XML of one of the log entries.
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/>
    <EventID>4634</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12545</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime='2011-08-16T17:15:38.702857400Z'/>
    <EventRecordID>107947</EventRecordID>
    <Correlation/>
    <Execution ProcessID='680' ThreadID='972'/>
    <Channel>Security</Channel>
    <Computer>SRV1.DOMAIN.LOCAL</Computer>
    <Security/>
  </System>
  <EventData>
    <Data Name='TargetUserSid'>S-1-5-21-963414502-3093649508-813756320-3274</Data>
    <Data Name='TargetUserName'>billgates</Data>
    <Data Name='TargetDomainName'>MYDOMAIN</Data>
    <Data Name='TargetlogonId'>0x1c01acc</Data>
    <Data Name='logonType'>10</Data>
  </EventData>
</Event>
Make sure your string is valid XML (i.e. add </Event> to the end of what you posted above), then cast the string to XML:

    $xml = [xml]$yourStringHere

Then you can pull out TargetlogonId like this:

    $xml.Event.SelectSingleNode("//*[@Name='TargetlogonId']") | select -ExpandProperty '#text'

Thanks to Shay Levy and this post: http://social.technet.microsoft.com/Forums/en/ITCG/thread/5aa133b0-ea69-4348-9bac-d028ba895024
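Building on the answer above, here is an added example (not from the original thread) that turns one Security-log event into a single object with every EventData field as a property, and that repairs the missing </Event> case the answer warns about before the [xml] cast. The function name ConvertFrom-SecurityEventXml and the sample entry are my own; the sample mirrors the 4634 event in the question.

```powershell
# Added example, not code from the original post. Parses one Security-log event
# XML string into an object with System fields plus one property per <Data Name=...>.
function ConvertFrom-SecurityEventXml {
    param([Parameter(Mandatory)][string]$EventXmlText)

    # Entries pasted from Event Viewer often lack the closing tag; repair that
    # common case so the [xml] cast does not fail with an unexpected end of file.
    $text = $EventXmlText.Trim()
    if ($text -notmatch '</Event>\s*$') { $text += '</Event>' }

    $xml = [xml]$text   # any other malformed input still throws here, by design

    $sys = $xml.Event.System
    $fields = [ordered]@{
        EventRecordId = [int]$sys.EventRecordID
        EventId       = [int]$sys.EventID
        TimeCreated   = $sys.TimeCreated.SystemTime   # kept as the raw UTC string
        Computer      = $sys.Computer
    }

    # The document uses a default namespace, so match on local-name() instead of a
    # bare element name (the same reason the answer's //*[@Name=...] XPath works).
    # Every <Data Name='...'> becomes a property, so the caller does not need to
    # know the field list of each event id in advance.
    foreach ($d in $xml.Event.SelectNodes("//*[local-name()='Data'][@Name]")) {
        $fields[$d.GetAttribute('Name')] = $d.'#text'
    }
    [pscustomobject]$fields
}

# Constructed sample: the question's entry, trimmed, with </Event> deliberately missing.
$sample = @'
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <EventID>4634</EventID>
    <TimeCreated SystemTime='2011-08-16T17:15:38.702857400Z'/>
    <EventRecordID>107947</EventRecordID>
    <Computer>SRV1.DOMAIN.LOCAL</Computer>
  </System>
  <EventData>
    <Data Name='TargetUserName'>billgates</Data>
    <Data Name='TargetlogonId'>0x1c01acc</Data>
    <Data Name='logonType'>10</Data>
  </EventData>
'@

$ev = ConvertFrom-SecurityEventXml $sample
$ev.TargetlogonId
$ev | Format-List
```

Because the output is a normal object, the same function feeds straight into Where-Object or Export-Csv when you run it over many entries, for example to filter on logonType.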