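Parsing the security event log with VBScript

I found this code on your site, in "VBscript to get the properties of event from event ID", and modified it to parse other parts of the security event log message, but I am not getting any results.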

    Set wmi = GetObject("winmgmts://./root/cimv2")
    Set re = New RegExp
    re.Pattern = "New Logon:\s+" & _
        "Security ID:\s*(.*?)\s+" & _
        "Account Name:\s*(.*?)\s+" & _
        "Account Domain:\s*(.*?)\s+" & _
        "Logon ID:\s*(.*?)\s+" & _
        "Logon GUID:\s*(\d+)"
    qry = "SELECT * FROM Win32_NTLogEvent WHERE EventCode=4624"
    For Each evt In wmi.ExecQuery(qry)
        For Each m In re.Execute(evt.Message)
            Security_ID = m.SubMatches(0)
            Account_Name = m.SubMatches(1)
            Account_Domain = m.SubMatches(2)
            Logon_ID = m.SubMatches(3)
            Logon_GUID = m.SubMatches(4)
            WScript.Echo "Yes"
        Next
        WScript.Echo "New Logon" & Account_Name & " " & Account_Domain & " " & Logon_ID
        WScript.Echo " "
    Next

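What am I doing wrong?

Without checking the validity of 're.Pattern' and 're.Execute': are you running your script as administrator? – JosefZ

Yes, I launched the command prompt as administrator. –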
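
An added example, not part of the original post or its comments: one way to read the "New Logon:" section of a 4624 message field by field instead of with a single fixed-order pattern, so that a brace-wrapped GUID or extra fields between "Logon ID" and "Logon GUID" do not stop the other fields from being read. `ParseSection` is a hypothetical helper and the sample message is constructed; it assumes fields are indented under the section header and that a blank line ends the section.

```vbscript
Option Explicit

' Hypothetical helper: returns a Dictionary of label -> value for one indented
' section ("New Logon", "Subject", ...) of an event message; empty if absent.
Function ParseSection(msg, sectionName)
    Dim re, fields, m, block
    Set fields = CreateObject("Scripting.Dictionary")
    fields.CompareMode = vbTextCompare
    Set re = New RegExp
    re.IgnoreCase = True
    ' Header line, then every following line that starts with whitespace
    ' and holds text; the first blank line ends the section.
    re.Pattern = sectionName & ":[ \t]*\r?\n((?:[ \t]+\S.*\r?\n?)+)"
    If re.Test(msg) Then
        block = re.Execute(msg)(0).SubMatches(0)
        re.Global = True
        re.Multiline = True
        ' One "Label: value" pair per line; the value may be empty.
        re.Pattern = "^[ \t]+([^:\r\n]+):[ \t]*(.*?)[ \t\r]*$"
        For Each m In re.Execute(block)
            fields(m.SubMatches(0)) = m.SubMatches(1)
        Next
    End If
    Set ParseSection = fields
End Function

' Constructed sample (made-up values), laid out like a 4624 message.
' "Subject" repeats the same labels, which is why the section is isolated first.
Dim sample, logon
sample = "An account was successfully logged on." & vbCrLf & vbCrLf & _
    "Subject:" & vbCrLf & _
    vbTab & "Security ID:" & vbTab & vbTab & "S-1-5-18" & vbCrLf & _
    vbTab & "Account Name:" & vbTab & vbTab & "HOST01$" & vbCrLf & vbCrLf & _
    "New Logon:" & vbCrLf & _
    vbTab & "Security ID:" & vbTab & vbTab & "S-1-5-21-1-2-3-1001" & vbCrLf & _
    vbTab & "Account Name:" & vbTab & vbTab & "alice" & vbCrLf & _
    vbTab & "Account Domain:" & vbTab & vbTab & "EXAMPLE" & vbCrLf & _
    vbTab & "Logon ID:" & vbTab & vbTab & "0x1A2B3C" & vbCrLf & _
    vbTab & "Logon GUID:" & vbTab & vbTab & "{00000000-0000-0000-0000-000000000000}" & vbCrLf & vbCrLf & _
    "Process Information:" & vbCrLf & _
    vbTab & "Process ID:" & vbTab & vbTab & "0x2f0" & vbCrLf

Set logon = ParseSection(sample, "New Logon")
WScript.Echo "New Logon: " & logon("Account Domain") & "\" & logon("Account Name") & _
    " " & logon("Logon ID") & " " & logon("Logon GUID")
```

Run it with `cscript`; in the WMI loop from the question, `evt.Message` would take the place of `sample`.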