当前位置: 文江博客话题详情

需要将XML数据提取到CSV

发布于 2025-02-10 07:32:23 字数 1136 浏览 1 评论 0原文

我需要从事件日志中阅读特定信息。在下面的脚本中,我无法导出XML视图中的某些值包含。在XML视图中,我想要目标用户名:BRSYSAD和MOCKEDUSERNAME:900011-LT

脚本

$filter = "*[System[EventID=4740 and Provider[@Name='Microsoft-Windows-Security-Auditing']]]"
$result = Get-WinEvent -LogName Security -FilterXPath $filter | ForEach-Object {
    # convert the event to XML and grab the Event node
    $eventXml = ([xml]$_.ToXml()).Event
    # output the properties you need
    [PSCustomObject]@{
        EventID       = $eventXml.System.EventID.'#text'
        TimeCreated   = $eventXml.System.TimeCreated.SystemTime -replace '\.\d+.*$'
        Computer      = $eventXml.System.Computer
        Data          = $eventXml.EventData.Data
    }
}

# output on screen
$result | Format-Table -AutoSize

# save as CSV file if you like
$result | Export-Csv -Path 'C:\MyProgr_Events_302.csv' -NoTypeInformation

//i.sstatic.net/at7pd.png“ alt =“当前输出”>

原文

I need to read specific information from event log. in below script I cannot export the some value contains in XML View. In the XML view I Want Target username: BRSYSAD and Subjectusername : 900011-LT

Script

$filter = "*[System[EventID=4740 and Provider[@Name='Microsoft-Windows-Security-Auditing']]]"
$result = Get-WinEvent -LogName Security -FilterXPath $filter | ForEach-Object {
    # convert the event to XML and grab the Event node
    $eventXml = ([xml]$_.ToXml()).Event
    # output the properties you need
    [PSCustomObject]@{
        EventID       = $eventXml.System.EventID.'#text'
        TimeCreated   = $eventXml.System.TimeCreated.SystemTime -replace '\.\d+.*

Current Output


Event log XML View


        Computer      = $eventXml.System.Computer
        Data          = $eventXml.EventData.Data
    }
}

# output on screen
$result | Format-Table -AutoSize

# save as CSV file if you like
$result | Export-Csv -Path 'C:\MyProgr_Events_302.csv' -NoTypeInformation

Current Output

Event log XML View

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

烟凡古楼 2025-02-17 07:32:23

您应该能够通过过滤targetUsernameoffictuSername属性,通过过滤eventData的 。

示例代码更新(我还删除了。'#text'从EventID行中删除了零件,以确保捕获此值),

$filter = "*[System[EventID=4740 and Provider[@Name='Microsoft-Windows-Security-Auditing']]]"
$result = Get-WinEvent -LogName Security -FilterXPath $filter | ForEach-Object {
    # convert the event to XML and grab the Event node
    $eventXml = ([xml]$_.ToXml()).Event
    # output the properties you need
    [PSCustomObject]@{
        EventID       = $eventXml.System.EventID
        TimeCreated   = $eventXml.System.TimeCreated.SystemTime -replace '\.\d+.*

如果您愿意,可以使用以下所有属性来删除所有属性:


$filter = "*[System[EventID=4740 and Provider[@Name='Microsoft-Windows-Security-Auditing']]]"
$result = Get-WinEvent -LogName Security -FilterXPath $filter | ForEach-Object {
    # convert the event to XML and grab the Event node
    $eventXml = ([xml]$_.ToXml()).Event
    # output the properties you need
    $object = [PSCustomObject]@{
        EventID       = $eventXml.System.EventID
        TimeCreated   = $eventXml.System.TimeCreated.SystemTime -replace '\.\d+.*

您'd然后最终得到您可用的所有属性,每个结果都包含数据,例如:


  “示例结果数据” 


        Computer      = $eventXml.System.Computer
        TargetUserName = ($eventXml.EventData.Data | Where-Object { $_.Name -eq "TargetUserName"}).'#text'
        SubjectUserName = ($eventXml.EventData.Data | Where-Object { $_.Name -eq "SubjectUserName"}).'#text'
    }
}

# output on screen
$result | Format-Table -AutoSize

# save as CSV file if you like
$result | Export-Csv -Path 'C:\MyProgr_Events_302.csv' -NoTypeInformation



如果您愿意,可以使用以下所有属性来删除所有属性:




您'd然后最终得到您可用的所有属性,每个结果都包含数据,例如:


  “示例结果数据” 


        Computer      = $eventXml.System.Computer
    }

    $eventXml.EventData.Data | ForEach-Object { $object | Add-Member -MemberType NoteProperty -Name $_.Name -Value $_.'#text' }
    $object
}

# output on screen$
$result | Format-Table -AutoSize

您'd然后最终得到您可用的所有属性,每个结果都包含数据,例如:
“示例结果数据”
Computer = $eventXml.System.Computer TargetUserName = ($eventXml.EventData.Data | Where-Object { $_.Name -eq "TargetUserName"}).'#text' SubjectUserName = ($eventXml.EventData.Data | Where-Object { $_.Name -eq "SubjectUserName"}).'#text' } } # output on screen $result | Format-Table -AutoSize # save as CSV file if you like $result | Export-Csv -Path 'C:\MyProgr_Events_302.csv' -NoTypeInformation
如果您愿意,可以使用以下所有属性来删除所有属性:
您'd然后最终得到您可用的所有属性,每个结果都包含数据,例如:
“示例结果数据”
You should be able to get the TargetUserName and SubjectUserName properties by filtering the EventData for those specifically named attributes.
Example code updated (I've also removed the .'#text' part from the EventID line to ensure this value is captured)
$filter = "*[System[EventID=4740 and Provider[@Name='Microsoft-Windows-Security-Auditing']]]"
$result = Get-WinEvent -LogName Security -FilterXPath $filter | ForEach-Object {
    # convert the event to XML and grab the Event node
    $eventXml = ([xml]$_.ToXml()).Event
    # output the properties you need
    [PSCustomObject]@{
        EventID       = $eventXml.System.EventID
        TimeCreated   = $eventXml.System.TimeCreated.SystemTime -replace '\.\d+.*

If you prefer, you could pull out all attributes with the following instead:


$filter = "*[System[EventID=4740 and Provider[@Name='Microsoft-Windows-Security-Auditing']]]"
$result = Get-WinEvent -LogName Security -FilterXPath $filter | ForEach-Object {
    # convert the event to XML and grab the Event node
    $eventXml = ([xml]$_.ToXml()).Event
    # output the properties you need
    $object = [PSCustomObject]@{
        EventID       = $eventXml.System.EventID
        TimeCreated   = $eventXml.System.TimeCreated.SystemTime -replace '\.\d+.*

You'd then end up with all the attributes available to you and each result would contain data such as:


Example result data


        Computer      = $eventXml.System.Computer
        TargetUserName = ($eventXml.EventData.Data | Where-Object { $_.Name -eq "TargetUserName"}).'#text'
        SubjectUserName = ($eventXml.EventData.Data | Where-Object { $_.Name -eq "SubjectUserName"}).'#text'
    }
}

# output on screen
$result | Format-Table -AutoSize

# save as CSV file if you like
$result | Export-Csv -Path 'C:\MyProgr_Events_302.csv' -NoTypeInformation



If you prefer, you could pull out all attributes with the following instead:




You'd then end up with all the attributes available to you and each result would contain data such as:


Example result data


        Computer      = $eventXml.System.Computer
    }

    $eventXml.EventData.Data | ForEach-Object { $object | Add-Member -MemberType NoteProperty -Name $_.Name -Value $_.'#text' }
    $object
}

# output on screen$
$result | Format-Table -AutoSize

You'd then end up with all the attributes available to you and each result would contain data such as:
Example result data
Computer = $eventXml.System.Computer TargetUserName = ($eventXml.EventData.Data | Where-Object { $_.Name -eq "TargetUserName"}).'#text' SubjectUserName = ($eventXml.EventData.Data | Where-Object { $_.Name -eq "SubjectUserName"}).'#text' } } # output on screen $result | Format-Table -AutoSize # save as CSV file if you like $result | Export-Csv -Path 'C:\MyProgr_Events_302.csv' -NoTypeInformation
If you prefer, you could pull out all attributes with the following instead:
You'd then end up with all the attributes available to you and each result would contain data such as:
Example result data
 回复 原文 
~没有更多了~
关于作者
 凉宸
暂无简介
 文章
 评论
25 人气
 发私信
相关话题
更多 
热门标签
操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多 
推荐作者
櫻之舞
文章 0 评论 0
弥枳
文章 0 评论 0
m2429
文章 0 评论 0
寻找一个思念的角度
文章 0 评论 0
野却迷人
文章 0 评论 0
我怀念的。
文章 0 评论 0
更多 
友情链接
文江博客
       
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
     
    原文