I found this code on your site, VBscript to get the properties of event from event ID, and modified it to parse the different parts of a Security event log message, but I get no results.

Set wmi = GetObject("winmgmts://./root/cimv2")
Set re = New RegExp
re.Pattern = "New Logon:\s+" & _
"Security ID:\s*(.*?)\s+" & _
"Account Name:\s*(.*?)\s+" & _
"Account Domain:\s*(.*?)\s+" & _
"Logon ID:\s*(.*?)\s+" & _
"Logon GUID:\s*(\d+)"
qry = "SELECT * FROM Win32_NTLogEvent WHERE EventCode=4624"
For Each evt In wmi.ExecQuery(qry)
For Each m In re.Execute(evt.Message)
Security_ID = m.SubMatches(0)
Account_Name = m.SubMatches(1)
Account_Domain = m.SubMatches(2)
Logon_ID = m.SubMatches(3)
Logon_GUID = m.SubMatches(4)
WScript.Echo "Yes"
Next
WScript.Echo "New Logon" & Account_Name & " " & Account_Domain & " " & Logon_ID
WScript.Echo " "
Next

What am I doing wrong?
Posted on 2015-05-18 09:24:06
Important:
Pattern property (Logon GUID); cosmetics:
option explicit and ON ERROR GOTO 0 as a general principle; the extended where clause in the WMI query is only there to limit the output sensibly; echo; mm instead of m as the variable: I hate one-letter names. Script:

option explicit
ON ERROR GOTO 0
Dim re, qry, evt, mm, wmi
Set re = New RegExp
re.Pattern = "New Logon:\s+" _
& "Security ID:\s*(.*?)\s+" _
& "Account Name:\s*(.*?)\s+" _
& "Account Domain:\s*(.*?)\s+" _
& "Logon ID:\s*(.*?)\s+" _
& "Logon GUID:\s*({.*?})"
' re.IgnoreCase = True ' Set case insensitivity.
' re.Global = True ' Set global applicability.
qry = "SELECT * FROM Win32_NTLogEvent WHERE logfile='security'" _
& " and EventCode=4624 " _
& " and (RecordNumber = 36413 or RecordNumber = 44911)"
Dim Security_ID, Account_Name, Account_Domain, Logon_ID, Logon_GUID
Set wmi = GetObject("winmgmts://./root/cimv2")
For Each evt In wmi.ExecQuery(qry)
For Each mm In re.Execute(evt.Message)
Security_ID = mm.SubMatches(0)
Account_Name = mm.SubMatches(1)
Account_Domain= mm.SubMatches(2)
Logon_ID = mm.SubMatches(3)
Logon_GUID = mm.SubMatches(4)
WScript.Echo "Yes " & evt.TimeGenerated
Next
WScript.Echo "New Logon " & Account_Name & "," & Account_Domain & "," & Logon_ID
WScript.Echo "Logon_GUID " & Logon_GUID
Next

Output (admin command prompt console):
==>cscript.exe D:\VB_scripts\SO\30291316.vbs
Yes 20150517203428.318232-000
New Logon ANONYMOUS LOGON,NT AUTHORITY,0x3C70F59
Logon_GUID {00000000-0000-0000-0000-000000000000}
Yes 20150518073715.217688-000
New Logon SYSTEM,NT AUTHORITY,0x3E7
Logon_GUID {00000000-0000-0000-0000-000000000000}
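As an added example (not part of the question or the answer), the same regex run in Python against two constructed 4624 message bodies, so the difference between the question's `(\d+)` group and the answer's brace-delimited group can be seen without a live Security log. The message layout follows the tab-separated label/value lines Windows writes, but the text, SIDs and logon IDs are constructed; the function names and the unmatched-event counter are mine. The braces are escaped for Python's `re`; VBScript's RegExp accepts them either way.

```python
import re

# Regex from the question: the Logon GUID group is \d+, which only matches digits.
BROKEN_PATTERN = (
    r"New Logon:\s+"
    r"Security ID:\s*(.*?)\s+"
    r"Account Name:\s*(.*?)\s+"
    r"Account Domain:\s*(.*?)\s+"
    r"Logon ID:\s*(.*?)\s+"
    r"Logon GUID:\s*(\d+)"
)

# Regex with the answer's fix: the GUID in the message is "{...}", so capture a
# brace-delimited token. Braces are escaped here for Python's re module.
FIXED_PATTERN = (
    r"New Logon:\s+"
    r"Security ID:\s*(.*?)\s+"
    r"Account Name:\s*(.*?)\s+"
    r"Account Domain:\s*(.*?)\s+"
    r"Logon ID:\s*(.*?)\s+"
    r"Logon GUID:\s*(\{.*?\})"
)

# Names of the five capture groups, in order (same as the variables in the script).
FIELDS = ("Security_ID", "Account_Name", "Account_Domain", "Logon_ID", "Logon_GUID")


def event_4624_message(sid, name, domain, logon_id, logon_type):
    """Build a constructed 4624 message body (hypothetical helper).

    The 'Subject' block carries the same labels as the 'New Logon' block and is
    included so the example shows the regex anchoring on 'New Logon:' rather
    than on the first 'Security ID:' it sees. Values are constructed samples."""
    return (
        "An account was successfully logged on.\r\n\r\n"
        "Subject:\r\n"
        "\tSecurity ID:\t\tS-1-5-18\r\n"
        "\tAccount Name:\t\tHOST-EXAMPLE$\r\n"
        "\tAccount Domain:\t\tWORKGROUP\r\n"
        "\tLogon ID:\t\t0x3E7\r\n\r\n"
        "Logon Type:\t\t\t%d\r\n\r\n"
        "New Logon:\r\n"
        "\tSecurity ID:\t\t%s\r\n"
        "\tAccount Name:\t\t%s\r\n"
        "\tAccount Domain:\t\t%s\r\n"
        "\tLogon ID:\t\t%s\r\n"
        "\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\r\n"
    ) % (logon_type, sid, name, domain, logon_id)


# Two constructed events mirroring the accounts seen in the answer's output.
SAMPLE_EVENTS = [
    event_4624_message("S-1-5-7", "ANONYMOUS LOGON", "NT AUTHORITY", "0x3C70F59", 3),
    event_4624_message("S-1-5-18", "SYSTEM", "NT AUTHORITY", "0x3E7", 5),
]


def parse_new_logon(message, pattern=FIXED_PATTERN):
    """Return the five 'New Logon' fields as a dict, or None when the regex
    does not match (which is exactly the silent failure in the question:
    RegExp.Execute returns an empty collection and the loop body never runs)."""
    m = re.search(pattern, message)
    if m is None:
        return None
    return dict(zip(FIELDS, m.groups()))


def summarize(messages, pattern=FIXED_PATTERN):
    """Mirror the answer's loop: one 'New Logon ...' line per matching event.
    Non-matching events are counted rather than dropped, so a broken pattern
    shows up as 'unmatched: N' instead of looking like an empty log."""
    lines, unmatched = [], 0
    for msg in messages:
        rec = parse_new_logon(msg, pattern)
        if rec is None:
            unmatched += 1
            continue
        lines.append("New Logon %s,%s,%s" % (
            rec["Account_Name"], rec["Account_Domain"], rec["Logon_ID"]))
    return lines, unmatched


if __name__ == "__main__":
    for label, pat in (("broken", BROKEN_PATTERN), ("fixed", FIXED_PATTERN)):
        lines, unmatched = summarize(SAMPLE_EVENTS, pat)
        print(label, lines, "unmatched:", unmatched)
```

Running it prints an empty list with two unmatched events for the question's pattern and the two "New Logon" lines for the answer's pattern. The unmatched counter is the part worth keeping in any log-parsing script: a regex that stops matching after a message-format change should fail loudly, not produce an empty report that looks like "no logons".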
Source: https://stackoverflow.com/questions/30291316