Windows Server 登录监控 Powershell

tag-icon tag-icon windows powershell network-monitoring
Windows Server 登录监控 Powershell

我已经为 PowerShell 编写了一个基本脚本来监视事件 4771,但我遇到的问题是它仍然显示 RDS-Broker,但什么都没说 - 我想将其过滤掉,只发送真实用户,这通常有效,但有时仍然会显示

#Set-ExecutionPolicy unrestricted

#Liest die jeweilige Security ID aus und schickt diese dann an eine Mail, verknüpft mit Event Trigger

$Eventlog = „Security“ # (Security, Application, System)
#old $EventID = „4625“
#$EventID ist die ID auf welche Reagiert werden soll
$EventID = „4771“

#Absenderaddresse, vollständig
$From = "[email protected]"

#Empfängeradresse, vollständig

$To = "[email protected]"
$CC = "cc@some-domain"
$Subject = „Login Monitoring [BETA 1.1]“
$MailServer = „mail.some.domain“
$LOGPATH = "C:\Skripting\Logs\Audit\"
$LOGTMP1 = "tmp.txt"
$LOGTMP = $LOGPATH + $LOGTMP1
$LOG_NOMAIL = "nomail_login.txt"
$LOG_MAIL = "mail_login.txt"
$LOG1 = $LOGPATH + $LOG_NOMAIL
$LOG2 = $LOGPATH + $LOG_MAIL

# >>>>>>>> Query Eventlog <<<<<<<<
#Schreibt die Event Logs in $LOGTMP
get-winevent -FilterHashtable @{Logname='Security';ID=4771}  -MaxEvents 1 |fl > $LOGTMP

$Kontoname =      Get-Content $LOGTMP | findstr /I kontoname
$Clientadresse =  Get-Content $LOGTMP | findstr /I Clientadresse
$Clientport =     Get-Content $LOGTMP | findstr /I TimeCreated
$Fehlercode =     Get-Content $LOGTMP | findstr /I Fehlercode:
$ErrorMsg = @(get-content "C:\Skripting\error.txt") | findstr "$Fehlercode"


#$Output = "Fehlerhafter Login:" + "`r`n" + $Kontoname + "`r`n" +  $Clientadresse+ "`r`n" + "                            " + $Clientport + "`r`n" + $Fehlercode + "`r`n"

# HTML Output - neu:
$Output = "<b><h1>Fehlerhafter Login: </h1></b>"  +"<br>"+ $Kontoname  + "<br>" + $Clientadresse  + "<br>" + $Clientport  + "<br>"  + "Fehlercode: " + $ErrorMsg

$Body = $Output


# >>>>>>>> Send Mail-Alert <<<<<<<<
 if ($Kontoname -eq '*RDS-Broker$*')
 { 
        #Wenn RDS-Broker als user
        echo $Output > $LOG1
        exit
 } 
    else 
 { 
        #Alles andere soll er mailen 
        #Send-MailMessage -From $From -To $To -Subject $Subject -SmtpServer $MailServer -Body $Body
        Send-MailMessage -Cc $CC -From $From -To $To -Subject $Subject -SmtpServer $MailServer -BodyAsHtml "$Body "
        #echo $Output > C:\temp\true_loggin.txt 
        echo $Output > $LOG2
 }
 del $LOGTMP

如果登录失败,它可以正常发送邮件,但仍然经常显示 RDS-Broker 而我不想显示,有人可以告诉我解决方法吗?

答案1

如果我理解正确的话,您的问题只是 RDS-Broker 用户的过滤器不起作用。

您可以通过将条件从 更改为 来解决这个问题($Kontoname -eq '*RDS-Broker$*')- ($Kontoname -like '*RDS-Broker$*')Powershelleq中的运算符不接受通配符,只有当字符串完全相同(包括星号)时,它才会变为真。like运算符应该可以正确处理您的通配符。

相关内容