解析Get-WinEvent消息体

Question

我想为下面的事件id消息解析一些关键字。我怎么能这么做？

Get-WinEvent -FilterHashtable @{LogName='System';ID='10036'} -MaxEvents 5 | fl  TimeCreated,Message

TimeCreated : 6/22/2022 9:41:24 AM
Message     : The server-side authentication level policy does not allow the user CONTOSO\user01 SID (S-1-5-21-609545082-2795152396-2074981628-18664) from address 
              10.223.13.11 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.

事件ID 10036消息：

The server-side authentication level policy does not allow the user CONTOSO\user01 SID (S-1-5-21-609545082-2795152396-2074981628-18664) from address 10.223.13.11 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.

我想要的输出：

User;Address
CONTOSO\user01;10.223.13.11
CONTOSO\user31;10.222.13.34

Answer 1

我的系统中没有任何这样的事件，所以无法正确地测试这些事件，但是它应该可以满足您的需要：

Get-WinEvent -FilterHashtable @{LogName='System';ID='10036'} -MaxEvents 5 |
    ForEach-Object {
        if($_.message -match 'user (?<user>[\w\\]+) .+ address (?<address>[\d+\.]+).+') {
            [PsCustomObject]@{
                TimeCreated = $_.TimeCreated
                User        = $Matches.user
                Address     = $Matches.address
            }
        }
    }

这将为每个事件条目输出一个自定义对象。在表格格式中，它将如下所示：

TimeCreated            User            Address
-----------            ----            -------
6/22/2022 9:41:24 AM   CONTOSO\user01  10.223.13.11
6/22/2022 10:30:16 AM  CONTOSO\user31  10.222.13.34

如果您想要使用您提到的CSV格式，请将其追加到最后的花括号：| ConvertTo-Csv -Delimiter ';'后面。从自定义对象中删除TimeCreated = $_.TimeCreated，如果您真的不想要它的话。