Windows 事件日志进行搜索的更好方法的解决方案。使用 Out-GridView,但如果需要,您可以使用 -raw 并导出到 csv/xls。也有原始搜索功能。
代码语言:javascript复制function Search-Event {
Param(
[Parameter(Mandatory=$False)]
[string]$search="*",
[Parameter(Mandatory=$False)]
[string]$field=$null,
[Parameter(Mandatory=$False)]
[string]$value=$null,
[Parameter(Mandatory=$False)]
[int]$eventid=$null,
[Parameter(Mandatory=$False)]
[string]$logname,
[Parameter(Mandatory=$False)]
[datetime]$starttime,
[Parameter(Mandatory=$False)]
[datetime]$endtime,
[Parameter(Mandatory=$False)]
[switch]$raw=$False
)
$filter = @{
logname=$logname;
}
if($eventid) {
$filter['id'] = $eventid
}
if($starttime) {
$filter['StartTime'] = $starttime
}
if($endtime) {
$filter['EndTime'] = $starttime
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction Continue | Where-Object { $_.Message -like "*$search*" }
if($events.Length -gt 0) {
[xml[]]$xmlevents = $events | % { $_.ToXml() }
[PSCustomObject[]]$results = $null
ForEach($xmlevent in $xmlevents) {
$eventData = $xmlevent.Event.EventData.Data
$row = [PSCustomObject][ordered] @{
TimeCreated=(get-date -date $xmlevent.Event.System.TimeCreated.SystemTime).ToString("MM/dd/yyyy hh:mm:ss tt")
Id = $xmlevent.Event.System.EventId
}
foreach($ed in $eventData) {
$row | Add-Member -NotePropertyName $ed.Name -NotePropertyvalue $ed."#text"
}
$row | Add-Member -NotePropertyName "xmlEvent" -NotePropertyValue $xmlevent
$continue = $False
if($field -and $value) {
if($row.$field -like $value) {
$results = $row
}
}
else {
$results = $row
}
}
if($raw) {
$results
}
else {
$results | Out-GridView -Title "Search-Event Results"
}
}
else {
Write-Warning "No events were found that matched your search query."
}
}
非常适合威胁追踪和 DFIR。也适用于查找在命令行上传递的凭据。