2015-05-17

Parsing the Security event log with VBScript

I found this code on your site, VBscript to get the properties of event from event ID, and modified it to parse other parts of the Security event log message, but I am not getting any results.

Set wmi = GetObject("winmgmts://./root/cimv2") 

Set re = New RegExp 
re.Pattern = "New Logon:\s+" & _ 
             "Security ID:\s*(.*?)\s+" & _ 
             "Account Name:\s*(.*?)\s+" & _ 
             "Account Domain:\s*(.*?)\s+" & _ 
             "Logon ID:\s*(.*?)\s+" & _ 
             "Logon GUID:\s*(\d+)" 

qry = "SELECT * FROM Win32_NTLogEvent WHERE EventCode=4624" 
For Each evt In wmi.ExecQuery(qry) 
    For Each m In re.Execute(evt.Message) 
        Security_ID = m.SubMatches(0) 
        Account_Name = m.SubMatches(1) 
        Account_Domain = m.SubMatches(2) 
        Logon_ID = m.SubMatches(3) 
        Logon_GUID = m.SubMatches(4) 
        WScript.Echo "Yes" 
    Next 
    WScript.Echo "New Logon " & Account_Name & " " & Account_Domain & " " & Logon_ID 
    WScript.Echo " " 
Next 

What am I doing wrong?

Not checking the validity of `re.Pattern` and `re.Execute`: do you run your script as administrator? – JosefZ

Yes, I launched the command prompt as administrator. –

Answer

Important:

  • the re.Pattern property (Logon GUID);

Cosmetic:

  • option explicit and ON ERROR GOTO 0 as a matter of general principle;
  • the WHERE clause of the WMI query is extended only to restrict the output to a reasonable range;
  • more verbose echo output for debugging purposes;
  • mm instead of the m variable: I hate one-letter names...

Script:

option explicit 
ON ERROR GOTO 0 

Dim re, qry, evt, mm, wmi 

Set re = New RegExp 
re.Pattern = "New Logon:\s+" _ 
      & "Security ID:\s*(.*?)\s+" _ 
      & "Account Name:\s*(.*?)\s+" _ 
      & "Account Domain:\s*(.*?)\s+" _ 
      & "Logon ID:\s*(.*?)\s+" _ 
      & "Logon GUID:\s*({.*?})" 
' re.IgnoreCase = True   ' Set case insensitivity. 
' re.Global  = True   ' Set global applicability. 

qry = "SELECT * FROM Win32_NTLogEvent WHERE logfile='security'" _ 
    & " and EventCode=4624 " _ 
    & " and (RecordNumber = 36413 or RecordNumber = 44911)" 

Dim Security_ID, Account_Name, Account_Domain, Logon_ID, Logon_GUID 

Set wmi = GetObject("winmgmts://./root/cimv2") 

For Each evt In wmi.ExecQuery(qry) 
    For Each mm In re.Execute(evt.Message) 
        Security_ID    = mm.SubMatches(0) 
        Account_Name   = mm.SubMatches(1) 
        Account_Domain = mm.SubMatches(2) 
        Logon_ID       = mm.SubMatches(3) 
        Logon_GUID     = mm.SubMatches(4) 
        WScript.Echo "Yes  " & evt.TimeGenerated 
    Next 
    WScript.Echo "New Logon " & Account_Name & "," & Account_Domain & "," & Logon_ID 
    WScript.Echo "Logon_GUID " & Logon_GUID 
Next 

Output (administrator command prompt console):

==>cscript.exe D:\VB_scripts\SO\30291316.vbs 
Yes  20150517203428.318232-000 
New Logon ANONYMOUS LOGON,NT AUTHORITY,0x3C70F59 
Logon_GUID {00000000-0000-0000-0000-000000000000} 
Yes  20150518073715.217688-000 
New Logon SYSTEM,NT AUTHORITY,0x3E7 
Logon_GUID {00000000-0000-0000-0000-000000000000} 

Summary: the subexpression `(\d+)` must be replaced with `({.*?})`, because the former does not match the hyphens and braces of the GUID. –
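The following is an added example, written for this page and not part of the question, the answer or the linked post. It reproduces the answer's point in Python rather than VBScript: the same pattern is built twice, once with the question's `(\d+)` and once with the answer's `({.*?})` (braces escaped for Python's `re`), and both are run against a constructed 4624 message body (a hand-written sample that follows the English "An account was successfully logged on." layout, not a real capture). The field names follow the answer's variables. The helper names `make_pattern`, `parse_new_logon`, `is_null_guid` and `guid_well_formed` are this example's own. It also shows why the pattern has to start at "New Logon:": the Subject block of a 4624 event repeats the same Security ID / Account Name / Account Domain / Logon ID labels for the account that requested the logon, so an unanchored match would report the wrong account.

```python
import re

# Constructed sample of an Event ID 4624 message body (not a real capture).
# Labels and layout follow the English "An account was successfully logged on."
# text; note that the Subject block repeats the same labels as the New Logon block.
SAMPLE_4624 = (
    "An account was successfully logged on.\r\n"
    "\r\n"
    "Subject:\r\n"
    "\tSecurity ID:\t\tS-1-5-18\r\n"
    "\tAccount Name:\t\tHOST01$\r\n"
    "\tAccount Domain:\t\tWORKGROUP\r\n"
    "\tLogon ID:\t\t0x3E7\r\n"
    "\r\n"
    "Logon Type:\t\t\t3\r\n"
    "\r\n"
    "New Logon:\r\n"
    "\tSecurity ID:\t\tS-1-5-7\r\n"
    "\tAccount Name:\t\tANONYMOUS LOGON\r\n"
    "\tAccount Domain:\t\tNT AUTHORITY\r\n"
    "\tLogon ID:\t\t0x3C70F59\r\n"
    "\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\r\n"
    "\r\n"
    "Process Information:\r\n"
    "\tProcess ID:\t\t0x0\r\n"
)

# Same order as the SubMatches(0..4) in the answer's script.
FIELDS = ("Security_ID", "Account_Name", "Account_Domain", "Logon_ID", "Logon_GUID")


def make_pattern(guid_subexpr):
    """Build the answer's New Logon pattern with a pluggable Logon GUID subexpression.
    Anchoring on 'New Logon:' keeps the Subject block (same labels) from matching.
    The lazy (.*?) groups stop at the whitespace that precedes the next label, so a
    value containing a space, such as 'ANONYMOUS LOGON', is captured whole."""
    return re.compile(
        r"New Logon:\s+"
        r"Security ID:\s*(.*?)\s+"
        r"Account Name:\s*(.*?)\s+"
        r"Account Domain:\s*(.*?)\s+"
        r"Logon ID:\s*(.*?)\s+"
        r"Logon GUID:\s*" + guid_subexpr
    )


BROKEN = make_pattern(r"(\d+)")       # question's version: digits only, so '{' never matches
FIXED = make_pattern(r"(\{.*?\})")    # answer's version: brace-delimited GUID

NULL_GUID = "{00000000-0000-0000-0000-000000000000}"
GUID_SHAPE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def parse_new_logon(message, pattern=FIXED):
    """Return the New Logon fields as a dict, or None when the pattern does not match
    (which is exactly what the question's script saw: re.Execute returned no matches)."""
    m = pattern.search(message)
    if m is None:
        return None
    return dict(zip(FIELDS, m.groups()))


def is_null_guid(guid):
    """True for the all-zero GUID seen in the answer's output (no logon GUID recorded)."""
    return guid.upper() == NULL_GUID


def guid_well_formed(guid):
    """Sanity check on the captured GUID so that a pattern drift shows up as a failed check
    instead of silently feeding garbage to whatever consumes the field."""
    return GUID_SHAPE.match(guid) is not None


if __name__ == "__main__":
    print("broken pattern:", parse_new_logon(SAMPLE_4624, BROKEN))
    fields = parse_new_logon(SAMPLE_4624, FIXED)
    print("fixed pattern: ", fields)
    print("null GUID:", is_null_guid(fields["Logon_GUID"]),
          "well-formed:", guid_well_formed(fields["Logon_GUID"]))
```

Two caveats when carrying this approach to real logs: the message text is localized and its label wording and whitespace vary between Windows versions, so a regex that works on one host can silently return nothing on another (the same failure mode the question hit); where the event's XML is available, reading the EventData properties directly is more robust than parsing the rendered message.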