事件日志条目消息块检索值

Question

是否可以在事件日志条目的文本消息块中检索子字符串，而不是使用正则表达式？

这是文本块的样子：

Kerberos pre-authentication failed.

Account Information:
    Security ID:        HO\administrators$
    Account Name:       administrators$

Service Information:
    Service Name:       krbtgt/HO.FOSLTD.CO.ZA

Network Information:
    Client Address:     ::ffff:10.250.1.12
    Client Port:        51933

Additional Information:
    Ticket Options:     0x40000000
    Failure Code:       0x18
    Pre-Authentication Type:    2

我只想要下面右边的值：

Account Name 
Client Address, but with out the ::ffff:
Failure Code

我的这部分代码返回以下文本：

 $sSecurityID = $Item.SubString($Item.IndexOf("Account Information"))
 $sSecurityID = $sSecurityID.SubString($sSecurityID.IndexOf("Account Name"))
 $sSecurityID = $sSecurityID.TrimStart("Account Name:")
 $sSecurityID = $sSecurityID.Trim()

输出：

OrtheaE

Service Information:
    Service Name:       krbtgt/ho

Network Information:
    Client Address:     ::ffff:172.26.50.11
    Client Port:        20697

Additional Information:
    Ticket Options:     0x40810010
    Failure Code:       0x18
    Pre-Authentication Type:    2

Answer 1

您是如何提取日志数据的？您正在寻找在使用Get-WinEvent时不可用的ReplacementStrings字段。

​

get-eventlog -computername dc-01 -logname security | ?{$_.eventid -eq "4674"} | 
select machinename,eventid,@{n='AccountName';e={$_.ReplacementStrings[1]}},entrytype,message | 
convertto-html | out-file c:\test.html

​

然后，如果这些都不起作用，这肯定会起作用：

​

Get-EventLog "Security" -before 4/10/2013 -InstanceId 4663 | % {
    New-Object psobject -Property @{
        Index = $_.Index
        TimeGenerated = $_.TimeGenerated
        "Account Name" = $_.ReplacementStrings[1]
        "Object Type" = $_.ReplacementStrings[5]
        "Object Name" = $_.ReplacementStrings[6]
    }
} | export-csv c:\export.csv -NoTypeInformation

​

您将看到所有值都按照它们在文本中显示的顺序出现在ReplacementStrings中。该消息中的第一个变量是“安全ID"，因此它最有可能存储在$_.ReplacementStrings等文件中。