Scripts Thread, Powershell 2: If [piped string] does not contain X, drop. If it does, pipe out. (Coding and Web Development, page 3 of 3)
#31
    Originally Posted by Garacesh:
    Well, with -replace "(?s) string" makes it work across multiple lines. Perhaps something similar is needed?
    What's the significance of [\t]? I'm assuming [A-Za-z0-9] means 'only characters A to Z, a to z and 0 to 9 are allowed'
    \t is a tab, so one or more tabs followed by a typical logon name firstname.surname.

#32
    I thought `t was tab?

#33
    In a regular expression, I don't think so. I've managed to just about do what I want:
    Code:
    $fqdn="<computer>.<domain>"
    $me=100

    $count=0
    $ObjArr = @()

    # Query eventlog of $fqdn, return $me instances of Microsoft Windows Security Auditing logs with ID of 4624 (Logon). Create array.
    foreach ($event in Get-WinEvent -ComputerName "$fqdn" -FilterHashtable @{ProviderName="Microsoft-Windows-Security-Auditing"; ID="4624"; Data="C:\Windows\System32\winlogon.exe"} -MaxEvents $me) {

       $Obj = New-Object System.Object

       # -match populates $matches in this scope; the named group captures a firstname.surname logon name after "Account Name:".
       # (Add-Member without -PassThru returns nothing, so there is nothing to assign here.)
       $event.message | where { $_ -match "Account Name:[\t]*(?<username>[A-Za-z0-9]*\.[A-Za-z0-9]*)" } | foreach { $Obj | Add-Member -Type NoteProperty -Name UserName -Value $matches['username'] }

       $Obj | Add-Member -Type NoteProperty -Name Time -Value $($event.timecreated)

       $ObjArr += $Obj
       $count++

    }
    Write-Host "$count events logged"
    $ObjArr | Export-CSV c:\temp\temp.csv
    But I obviously didn't figure out why select-string didn't work!

#34
    Hmm. Well I honestly have no clue..
    Solving it without knowing the problem.. I think that would frustrate me more than not solving it at all!

    On a nicer note:
    Code:
    # Split the default M/d/yyyy string form of TimeCreated on "/" and reorder to day-first
    $newtime = [regex]::split($event.timecreated, "/")
    $newtime = ($newtime[1] + "/" + $newtime[0] + "/" + $newtime[2])
    Date's no longer in American

    So, that's problems 2 (date-time) and 3 (overparsing) sorted!
    Since I can't actually fix the fact that Get-WinEvent doesn't work properly in Powershell 3, I'm not sure what else I could do. I tried stripping out more of the information I don't need (since, realistically, I only need date, time and username), but then it just looks too 'alien' and not like an event log.. So I might just leave it as-is. I need a new project now.. What else do I do repeatedly..?
    Last edited by Garacesh; 20th September 2013 at 10:30 AM.

#35
    Whoops! Sorry @fiza - here you go!

    Code:
    # Set name of remote machine to query, create fqdn reference.
    $cn = Read-Host "ComputerName?"
    $fqdn = ($cn + ".domain.local")
    # Set amount of logs to query. If returned null, sets to 4.
    $me = Read-Host "MaxEvents? (Default: 4)"
    if ($me -eq "") { $me = 4 }
    # Set log file name using $cn
    $logFile = "M:\" + $cn + "Log.txt"
    # Accumulates the trimmed text of every event
    $fulllogs = ""

    # Query eventlog of $fqdn, return $me instances of Microsoft Windows Security Auditing logs with ID of 4624 (Logon) containing the phrase C:\...\winlogon.exe
    foreach ($event in Get-WinEvent -ComputerName "$fqdn" -FilterHashtable @{ProviderName="Microsoft-Windows-Security-Auditing"; ID="4624"; Data="C:\Windows\System32\winlogon.exe"} -MaxEvents $me)
    {
        # Change date format to DD/MM/YYYY (relies on the default M/d/yyyy string form of TimeCreated)
        $newtime = [regex]::split($event.timecreated, "/")
        $newtime = ($newtime[1] + "/" + $newtime[0] + "/" + $newtime[2])
        # Take the timecreated and message values, strip out junk data and add to $fulllogs
        # (-replace binds looser than +, so the whole concatenated string is its left operand)
        $fulllogs += ([string]"----------" + $newtime + "----------`r`n" + $event.message + "`r`n" -replace [string]"(?s)Detailed.*key was requested.", "---------- Event message end ----------`r`n`r`n")
    }

    # Write $fulllogs to $logfile
    "Previous $me logon events for $fqdn `r`n`r`n $fulllogs" > $logFile
    # Open $Logfile. Wait for file to close before proceeding.
    Start-Process $logFile -Wait
    # On file close, delete.
    Remove-Item $logFile
    You'll likely need to change how it generates $fqdn (line 3) and where $logfile is saved to (line 8), but there's the script.
    Remember, Powershell version 2!
    (from cmd.exe: powershell -version 2)
    Last edited by Garacesh; 20th September 2013 at 01:52 PM.
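As an added example (not code from the thread), here is a PowerShell 2 compatible way to get the two things the thread pulls out of a 4624 message, the logged-on user name and a day-first timestamp, run offline against a constructed, abbreviated event message; the helper name Get-LogonSummary is hypothetical. It makes explicit a point the thread's regex only handles by luck: a 4624 message carries two "Account Name:" lines, the Subject (frequently the machine account, which has no dot) and the New Logon account, and it is the second one that names who actually logged on.

```powershell
# Constructed, abbreviated 4624 message (real ones carry more fields).
$sampleMessage = @'
An account was successfully logged on.

Subject:
    Account Name:       PC01$
    Account Domain:     DOMAIN

Logon Type:         2

New Logon:
    Account Name:       jane.doe
    Account Domain:     DOMAIN

Process Information:
    Process Name:       C:\Windows\System32\winlogon.exe

Detailed Authentication Information:
    Logon Process:      User32
This event is generated when a logon session is created. A key was requested.
'@

# Hypothetical helper. Anchors on "New Logon:" so it finds the right
# "Account Name:" whatever naming convention the accounts use; the thread's
# regex only skipped the Subject because machine names contain no dot.
function Get-LogonSummary {
    param([string]$Message, [datetime]$TimeCreated)
    # (?s) lets "." cross line breaks; lazy .*? stops at the first
    # "Account Name:" after "New Logon:". Messages without it are dropped.
    if (-not ($Message -match '(?s)New Logon:.*?Account Name:[ \t]*(?<user>[^\r\n]+)')) {
        return $null
    }
    $user = $matches['user'].Trim()
    $logonType = $null
    if ($Message -match 'Logon Type:[ \t]*(?<lt>\d+)') { $logonType = [int]$matches['lt'] }
    New-Object PSObject -Property @{
        # Explicit format with the invariant culture: day-first regardless of locale,
        # unlike splitting the default string form on "/".
        Time      = $TimeCreated.ToString('dd/MM/yyyy HH:mm:ss', [Globalization.CultureInfo]::InvariantCulture)
        UserName  = $user
        LogonType = $logonType
        # Same trim the thread applies: drop everything from "Detailed" to "key was requested."
        Message   = ($Message -replace '(?s)Detailed.*key was requested\.', '').TrimEnd()
    }
}

# Offline run on the constructed message; against a live host, pass
# $event.Message and $event.TimeCreated from the thread's Get-WinEvent loop.
Get-LogonSummary -Message $sampleMessage -TimeCreated ([datetime]'2013-09-20T10:30:00')
```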
