Scripts Thread: Powershell 2: If [piped string] does not contain X, drop. If it does, pipe out. (Coding and Web Development)
  1. #16


    I'm right in thinking that '$array +=' means "Add the data to this array" rather than "This is a definitive allocation of that array's contents" (which would remove all current contents)?
    Therefore, doing it your suggested way, @pcstru, $fulllogs would still be one item rather than multiple, but that wouldn't actually matter because it would only contain the filtered logs?

    Edit: Aha, half-working. It's only pulling back the winlogon events now, but still including the text I wanted stripping out. Whilst not strictly a requirement, it would be helpful.
    Edit: Aha, got it!
    Code:
    foreach ($event in $events){
        if ($event.message.contains("C:\Windows\System32\winlogon.exe")){
            # Combine each message with its relevant timestamp, strip out junk data.
            $fulllogs += ([string]"----------" + $event.timecreated + "----------`r`n" + $event.message + "`r`n" -replace [string]"(?s)Detailed.*key was requested.", "---------- Event message end ----------`r`n`r`n")
            $count = ([int]$count + 1)
        }
    }
    Last edited by Garacesh; 19th September 2013 at 01:01 PM.

  2. #17


    Quote Originally Posted by Garacesh View Post
    I'm right in thinking that '$array +=' means "Add the data to this array" rather than "This is a definitive allocation of that array's contents" (which would remove all current contents)
    I think += mostly means add to/append. It rather depends what is being added to what as to how it will actually behave. Fulllog is a string so that's what will happen. events is a (pointer to) a collection of objects - not quite the same thing as an array (in that a collection of objects could be described as an array but an array is not a collection of objects!).

    Therefore doing it your suggested way, @pcstru, $fulllogs would still be one item rather than multiple, but that wouldn't actually matter because it would only contain the filtered logs?
    Yes. If that's what you want as an output.

  3. #18


    Quote Originally Posted by pcstru View Post
    I think += mostly means add to/append. It rather depends what is being added to what as to how it will actually behave. Fulllog is a string so that's what will happen. events is a (pointer to) a collection of objects - not quite the same thing as an array (in that a collection of objects could be described as an array but an array is not a collection of objects!).
    Ah. Muhbad. Thanks for the clarification.

    I was having a little difficulty but figured it out pretty much right as you posted (see 2 posts up). My log output is now timestamped. Woo!
    Now.. Do I attempt a further 'upgrade' or be happy it works again, count my blessings, and leave it as it is? xD

  4. #19


    See if you can follow this compaction of the main logic.
    Code:
    # Query eventlog of $fqdn, return $me instances of Microsoft Windows Security Auditing logs with ID of 4624 (Logon). Create array.
    foreach ($event in Get-WinEvent -ComputerName "$fqdn" -FilterHashtable @{ProviderName="Microsoft-Windows-Security-Auditing"; ID="4624" } -MaxEvents $me  | where {$_.message.contains("C:\Windows\System32\winlogon.exe")}) {
       $log+=$event.message
    }
    $log | out-file c:\temp\temp.txt

  5. #20


    Query event log of $fqdn for $me instances of logs created by Microsoft-Windows-Security-Auditing with the event ID of 4624. Check each ($_) 'message' as defined by Get-WinEvent's results, if it contains the string "C:\Windows\System32\winlogon.exe", add it to $log (since multiple events may match, += keeps all current data of $log intact). (if not, do nothing)

    Write the contents of $log to C:\temp\temp.txt.

    Edit: Which means I don't need to create $events, do I?
    This ought to work? (time to test!)
    Code:
    {
    (Get-WinEvent -ComputerName "$fqdn" -FilterHashtable @{ProviderName="Microsoft-Windows-Security-Auditing"; ID="4624"} -MaxEvents $me) |
        where ($_.message.contains("C:\Windows\System32\winlogon.exe")){
            $fulllogs += ([string]"----------" + $event.timecreated + "----------`r`n" + $event.message + "`r`n" -replace [string]"(?s)Detailed.*key was requested.", "---------- Event message end ----------`r`n`r`n")
            $count = ([int]$count + 1)
        }
    }
    Edit: It does not. It echoes (or is it prints? No, that's Python.. I think? I don't really know what the term is for Powershell) the command and immediately opens the txt file with zero results.
    Last edited by Garacesh; 19th September 2013 at 01:26 PM.

  6. #21

    fiza
    @Garacesh - If you get this going would you mind posting the entire script?

  7. #22


    Quote Originally Posted by Garacesh View Post
    Edit: It does not. It echoes (or is it prints? No, that's Python.. I think? I don't really know what the term is for Powershell) the command and immediately opens the txt file with zero results.
    You do need to iterate through the collection returned from the Get-WinEvent pipeline. Personally I think there is always a compromise between compactness and readability.

    Code:
    $fqdn="computer.domain.local"
    $me=100
    
    $count=0
    $fulllog=""
    
    # Query eventlog of $fqdn, return $me instances of Microsoft Windows Security Auditing logs with ID of 4624 (Logon). 
    foreach ($event in Get-WinEvent -ComputerName "$fqdn" -FilterHashtable @{ProviderName="Microsoft-Windows-Security-Auditing"; ID="4624" } -MaxEvents $me  | where {$_.message.contains("C:\Windows\System32\winlogon.exe")}) {
       $fulllog += ([string]"----------" + $event.timecreated + "----------`r`n" + $event.message + "`r`n" -replace [string]"(?s)Detailed.*key was requested.", "---------- Event message end ----------`r`n`r`n")
       $count++   
    }
    Write-Host "$count events logged"
    $fulllog | out-file c:\temp\temp.txt

  8. #23


    @pcstru I was close! I just missed out the '$event in' and got some of my brackets mixed up.
    @fiza Of course! It's working right now minus a few glitches, but I can throw it up right now if you'd like? Current problems are:
    • It needs to be run in Powershell v2 because Get-WinEvent doesn't return messages in Powershell 3
    • Timestamps are American (MM/DD/YYYY)
    • You may have to parse way more records than you actually want returning to offset for Service/lsass/other logons that aren't 'actual' logons. (In my case, 150 events brings back 1-4 'actual' logons)

  9. #24
    pleach85
    To solve the last problem in your list you can use

    Code:
    Get-WinEvent -ComputerName "$fqdn" -FilterHashtable @{ProviderName="Microsoft-Windows-Security-Auditing"; ID="4624"; Data="C:\Windows\System32\winlogon.exe" } -MaxEvents $me
    instead of

    Code:
    Get-WinEvent -ComputerName "$fqdn" -FilterHashtable @{ProviderName="Microsoft-Windows-Security-Auditing"; ID="4624" } -MaxEvents $me  | where {$_.message.contains("C:\Windows\System32\winlogon.exe")}
    By having Data="C:\Windows\System32\winlogon.exe" in the -filterhashtable it will only return events with "C:\Windows\System32\winlogon.exe" in them, therefore the whole

    | where {$_.message.contains("C:\Windows\System32\winlogon.exe")}

    is no longer needed and $me can be the total number of proper logon events you want returning. Speeds up the code too as powershell does not need to parse each event looking for "C:\Windows\System32\winlogon.exe".

  11. #25


    @pleach85 - excellent.

  12. #26


    I tried using Data in an earlier iteration of my code. It didn't work.
    Just retried it now, and it worked. Though I'm positive I used it in the HashTable.. I figured it was down to me using PSv2 not PSv3.. Or maybe I just did something wrong..
    Either way, thank you very much - that's considerably sped it up!

  13. #27


    I'd like to parse the user's account name out of the message, for which I've tried

    $acc=select-string -InputObject ($t) -pattern "Account Name:[\t]*[A-Za-z0-9]*\.[A-Za-z0-9]*"

    This works on the final file but not the message. I'm obviously assuming something that's not right - anyone know what?

  14. #28


    'Works on the final file, but not the message'?
    Do you mean if you attach it to Get-WinEvent it doesn't work, but if you 'Get-Content | $Logfile | $acc = [...]' it works?

  15. #29


    Assuming I named the fulllogfile c:\temp.txt

    select-string c:\temp.txt -pattern "Account Name:[\t]*[A-Za-z0-9]*\.[A-Za-z0-9]*"

    Finds the account names (all ours have a dot in them).

    Whereas in the foreach loop

    $acc=select-string -InputObject $event.message -pattern "Account Name:[\t]*[A-Za-z0-9]*\.[A-Za-z0-9]*"

    Does not work - it spits the whole message back. I suspect it's to do with line breaks and out-file is applying some default translation to the fulllog string whereas the string itself is just one 'line'.

  16. #30


    Well, with -replace, "(?s)" makes it work across multiple lines. Perhaps something similar is needed?
    What's the significance of [\t]? I'm assuming [A-Za-z0-9] means 'only characters A to Z, a to z and 0 to 9 are allowed'.
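An added example (editor's code, not from any poster in this thread) that puts together pleach85's Data= filter from #24 and the account-name question from #27 to #30. It reads the named EventData fields from the event's XML instead of regex-matching the message text, which sidesteps the two "Account Name:" lines a 4624 message carries, and it shows why the Select-String attempt returned the whole message: with a single multi-line string as input, MatchInfo.Line is that whole string, while the captured text lives in the match itself. $fqdn, $me and the output path are placeholders.

```powershell
# Added example (editor's code, not from the thread). $fqdn, $me and the
# output path are placeholders; the rest runs as-is on PowerShell v2+.
$fqdn = "computer.domain.local"
$me   = 100

# pleach85's Data= filter: the event log service matches winlogon.exe against
# the event's data fields, so no client-side pass over every message is needed.
$filter = @{
    ProviderName = "Microsoft-Windows-Security-Auditing"
    ID           = 4624
    Data         = "C:\Windows\System32\winlogon.exe"
}

function Get-EventDataField {
    # Read one <Data Name="..."> value from the event's XML. Fields are named,
    # so there is no guessing which "Account Name:" line of the message is meant.
    param([xml]$EventXml, [string]$Name)
    $node = $EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($node) { return $node.'#text' }
    return $null
}

function Get-AccountFromMessage {
    # Regex route over the message text, for comparison with #27 to #29: anchor
    # on the "New Logon:" block so the Subject's "Account Name:" is skipped, and
    # take the capture from $matches; Select-String's MatchInfo.Line would be the
    # entire (single, multi-line) message string.
    param([string]$Message)
    if ($Message -match "(?s)New Logon:.*?Account Name:\s*([^\r\n]+)") {
        return $matches[1].Trim()
    }
    return $null
}

$logons = @()
foreach ($event in Get-WinEvent -ComputerName $fqdn -FilterHashtable $filter -MaxEvents $me) {
    $x = [xml]$event.ToXml()
    $logons += New-Object PSObject -Property @{
        # Fixed-format timestamp, independent of the machine's date locale.
        Time        = $event.TimeCreated.ToString("yyyy-MM-dd HH:mm:ss")
        Account     = Get-EventDataField $x "TargetUserName"
        Domain      = Get-EventDataField $x "TargetDomainName"
        LogonType   = Get-EventDataField $x "LogonType"
        Workstation = Get-EventDataField $x "WorkstationName"
        FromMessage = Get-AccountFromMessage $event.Message
    }
}
$logons | Select-Object Time, Domain, Account, LogonType, Workstation, FromMessage |
    Export-Csv -Path C:\temp\logons.csv -NoTypeInformation
Write-Host "$($logons.Count) winlogon logons exported"
```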
