security - VBScript to get event properties from an event ID


I would like to know whether it is possible, using VBScript, to get the computer's IP, the logged-on user, and the hostname that logged on from the event?

I want a VBScript that pulls this information out: Event properties


You can query the event from the event log with WMI, then pull the workstation name, IP address and port out of the message string with a regular expression:


' Connect to WMI on the local machine
Set wmi = GetObject("winmgmts://./root/cimv2")

' Match the "Network Information" block of the 4624 message text and capture
' workstation name, source address and source port
Set re = New RegExp
re.Pattern = "Network Information:\s+" & _
             "Workstation Name:\s*(.*?)\s+" & _
             "Source Network Address:\s*(.*?)\s+" & _
             "Source Port:\s*(\d+)"

qry = "SELECT * FROM Win32_NTLogEvent WHERE EventCode=4624"
For Each evt In wmi.ExecQuery(qry)
    ' Reset per event so a message with no match does not echo the previous event's values
    hostname = "" : address = "" : port = ""
    For Each m In re.Execute(evt.Message)
        hostname = m.SubMatches(0)
        address  = m.SubMatches(1)
        port     = m.SubMatches(2)
    Next
    WScript.Echo hostname & " [" & address & ":" & port & "]"
Next
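As an added example (not part of this answer), the same 4624 fields read with PowerShell's Get-WinEvent from the event's structured EventData instead of the Message text: the message string is localized and its layout differs between Windows versions, so a regex written against one machine's English text can silently match nothing elsewhere, while the EventData field names (TargetUserName, WorkstationName, IpAddress, IpPort, LogonType) are the same everywhere. It assumes a Security log you are permitted to read (Event Log Readers or Administrators); the function name Get-RemoteLogon is my own.

```powershell
# Added example: 4624 logon fields taken from structured EventData rather than
# regex-parsed from the localized Message text. Get-RemoteLogon is a made-up name.
function Get-RemoteLogon {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 2
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter |
        ForEach-Object {
            # <EventData> holds named <Data> children; the names are identical on every
            # Windows UI language, which is what makes this robust where a regex is not.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            [pscustomobject]@{
                TimeCreated     = $_.TimeCreated
                Account         = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                LogonType       = [int]$data['LogonType']  # 2 interactive, 3 network, 10 RemoteInteractive
                WorkstationName = $data['WorkstationName']
                IpAddress       = $data['IpAddress']       # '-' for console and service logons
                IpPort          = $data['IpPort']
                TargetLogonId   = $data['TargetLogonId']   # join key for the matching 4634 logoff
            }
        } |
        # Console and service logons carry no network information; keep the remote ones.
        Where-Object { $_.IpAddress -ne '-' }
}

Get-RemoteLogon -Hours 2 | Sort-Object TimeCreated | Format-Table -AutoSize
```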

Author:

Basically, it sounds like you are looking for this article. In it, the author outlines a very thorough method, but the key part is:


Function ProcessScript
    Dim hostName, logName, startDateTime, endDateTime
    Dim events, eventNumbers, i
    ' wshNetwork is a WScript.Network object created globally in the full script
    Set wshNetwork = CreateObject("WScript.Network")
    hostName = wshNetwork.ComputerName
    logName = "Security"
    eventNumbers = Array("672") ' This is a comma-delimited list of events. You would include 4212 here
    startDateTime = DateAdd("n", -120, Now)
    '-------------------------------------------------------------------------------------------------------------------------
    'Query the event log for the eventID's within the specified event log name and date range.
    '-------------------------------------------------------------------------------------------------------------------------
    If Not QueryEventLog(events, hostName, logName, eventNumbers, startDateTime) Then
        Exit Function
    End If

End Function

Here the function calls QueryEventLog, which does the heavy lifting:


Function QueryEventLog(results, hostName, logName, eventNumbers, startDateTime)
    Dim wmiDateTime, wmi, query, eventItems, eventItem
    Dim timeWritten, eventDate, eventTime, description
    Dim eventsDict, eventInfo, errorCount, i
    QueryEventLog = False
    errorCount = 0
    If Not IsArray(eventNumbers) Then
        eventNumbers = Array(eventNumbers)
    End If
    '-------------------------------------------------------------------------------------------------------------------------
    'Construct part of the WMI Query to account for searching multiple eventID's
    '-------------------------------------------------------------------------------------------------------------------------
    query = "Select * from Win32_NTLogEvent Where Logfile = " & SQ(logName) & " And (EventCode = "
    For i = 0 To UBound(eventNumbers)
        query = query & SQ(eventNumbers(i)) & " Or EventCode = "
    Next
    On Error Resume Next
    Set eventsDict = NewDictionary
    If Err.Number <> 0 Then
        LogError "Creating Dictionary Object"
        Exit Function
    End If
    'The (Security) privilege is required to read the Security log
    Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" & hostName & "\root\cimv2")
    If Err.Number <> 0 Then
        LogError "Creating WMI Object to connect to " & DQ(hostName)
        Exit Function
    End If
    '----------------------------------------------------------------------------------------------------------------------
    'Create the "SWbemDateTime" Object for converting WMI Date formats. Supported in Windows Server 2003 & Windows XP.
    '----------------------------------------------------------------------------------------------------------------------
    Set wmiDateTime = CreateObject("WbemScripting.SWbemDateTime")
    If Err.Number <> 0 Then
        LogError "Creating " & DQ("WbemScripting.SWbemDateTime") & " object"
        Exit Function
    End If
    '----------------------------------------------------------------------------------------------------------------------
    'Build the WQL query and execute it.
    '----------------------------------------------------------------------------------------------------------------------
    wmiDateTime.SetVarDate startDateTime, True
    'Cut off the trailing " Or EventCode = " left by the loop, close the bracket and add the time range
    query = Left(query, InStrRev(query, "'")) & ") And (TimeWritten >= " & SQ(wmiDateTime.Value) & ")"
    Set eventItems = wmi.ExecQuery(query)
    If Err.Number <> 0 Then
        LogError "Executing WMI Query " & DQ(query)
        Exit Function
    End If
    '----------------------------------------------------------------------------------------------------------------------
    'Convert the property values of each event found to a comma separated string and add it to the dictionary.
    '----------------------------------------------------------------------------------------------------------------------
    For Each eventItem In eventItems
        Do
            timeWritten = ""
            eventDate = ""
            eventTime = ""
            eventInfo = ""
            timeWritten = ConvertWMIDateTime(eventItem.TimeWritten)
            eventDate = FormatDateTime(timeWritten, vbShortDate)
            eventTime = FormatDateTime(timeWritten, vbLongTime)
            eventInfo = eventDate & ","
            eventInfo = eventInfo & eventTime & ","
            eventInfo = eventInfo & eventItem.SourceName & ","
            eventInfo = eventInfo & eventItem.Type & ","
            eventInfo = eventInfo & eventItem.Category & ","
            eventInfo = eventInfo & eventItem.EventCode & ","
            eventInfo = eventInfo & eventItem.User & ","
            eventInfo = eventInfo & eventItem.ComputerName & ","
            description = eventItem.Message
            '------------------------------------------------------------------------------------------------------------------------
            'Ensure the event description is not blank.
            '------------------------------------------------------------------------------------------------------------------------
            If IsNull(description) Then
                description = "The event description cannot be found."
            End If
            description = Replace(description, vbCrLf, "")
            eventInfo = eventInfo & description
            '------------------------------------------------------------------------------------------------------------------------
            'Check if any errors occurred enumerating the event information
            '------------------------------------------------------------------------------------------------------------------------
            If Err.Number <> 0 Then
                LogError "Enumerating Event Properties from the " & DQ(logName) & " event log on " & DQ(hostName)
                errorCount = errorCount + 1
                Err.Clear
                Exit Do
            End If
            '------------------------------------------------------------------------------------------------------------------------
            'Remove all tabs and collapse runs of spaces to a single space.
            '------------------------------------------------------------------------------------------------------------------------
            eventInfo = Trim(Replace(eventInfo, vbTab, ""))
            Do While InStr(1, eventInfo, "  ", vbTextCompare) <> 0
                eventInfo = Replace(eventInfo, "  ", " ")
            Loop
            '------------------------------------------------------------------------------------------------------------------------
            'Add the event information to the Dictionary object if it doesn't exist.
            '------------------------------------------------------------------------------------------------------------------------
            If Not eventsDict.Exists(eventInfo) Then
                eventsDict(eventsDict.Count) = eventInfo
            End If
        Loop Until True
    Next
    On Error GoTo 0
    If errorCount <> 0 Then
        Exit Function
    End If
    results = eventsDict.Items
    QueryEventLog = True
End Function

'-------------------------------------------------------------------------------------------------------------------------
'Helpers referenced above. The article defines its own versions; these minimal ones are assumed here so the excerpt runs.
'-------------------------------------------------------------------------------------------------------------------------
Function SQ(text)
    SQ = "'" & text & "'"
End Function

Function DQ(text)
    DQ = """" & text & """"
End Function

Function NewDictionary
    Set NewDictionary = CreateObject("Scripting.Dictionary")
End Function

Function ConvertWMIDateTime(wmiDate)
    Dim dt
    Set dt = CreateObject("WbemScripting.SWbemDateTime")
    dt.Value = wmiDate
    ConvertWMIDateTime = dt.GetVarDate(True)
End Function

Sub LogError(action)
    WScript.Echo "Error " & Err.Number & " while " & action & ": " & Err.Description
End Sub

The rest of it is detailed, but basically just concerns writing the results to a file and adding some nice user interaction around the execution.

Author:
...