php - Creating array from file and formatting with Powershell


What I'm trying to do: user logon statistics in PowerShell using Get-WinEvent (ID 4624). If you know of a better way, I'm not opposed to other suggestions. I've gotten it to work, but it's not formatted how I need it. The PowerShell code I have (I'm a PowerShell novice; the stuff is similar to PHP, which I'm comfortable with):

```powershell
$logonids = "4624"
$computers = Get-Content "c:\computers.txt"
foreach ($pc in $computers) {
    if (Test-Connection $pc -Count 1 -Quiet) {
        Write-Host "acquiring information $pc"
        foreach ($item in $logonids) {
            (Get-WinEvent -ComputerName $pc -Max 2000 -FilterHashtable @{logname='security';id=$item} `
                | Select TimeCreated,Message `
                | fl * `
                | findstr /g:c:\search.lst) `
                -replace "^[\s]+","" `
                -replace "[\s]+"," " `
                | Out-File -Append "c:\scripts\winevent\$logonids.txt"
        }
    }
    else {
        Write-Host "couldn't ping $pc"
    }
}
```

search.lst has the following information:

```text
TimeCreated
Account Name:
Logon Type:
Logon GUID:
Logon Type:
Process Name:
```

The script exports this:

```text
TimeCreated : 5/2/2013 7:19:39
Account Name: computername$
Logon Type: 2
Account Name: [username]
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Name: c:\windows\system32\winlogon.exe
TimeCreated : 5/2/2013 7:19:39
Account Name: computername$
Logon Type: 2
Account Name: [username]
Logon GUID: {akej38dj-3k45-3lkd-3lkd-dkej3787djj3}
Process Name: c:\windows\system32\winlogon.exe
TimeCreated : 5/2/2013 6:50:42
Account Name: -
Logon Type: 3
Account Name: computername$
Logon GUID: {k458d890-3kj8-dk3j-dk39-3ldjk23ld909}
Process Name: -
TimeCreated : 5/2/2013 6:27:22
Account Name: computername$
Logon Type: 5
Account Name: system
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Name: c:\windows\system32\services.exe
```

This script exports great, but it's terrible at formatting and at parsing out the unneeded information in PowerShell. I can format what I need in PHP, but if you can help me weed out the specific information in PowerShell, that'd be outstanding.

1) Explode at "timecreated" to create an array
2) If logon type = 2, proceed; else skip to the next value
3) If process name contains winlogon.exe, proceed; else skip to the next value
4) If GUID = {00000000-0000-0000-0000-000000000000}, skip to the next value
5) If GUID != {00000000-0000-0000-0000-000000000000}, account name[0] = computername, account name[1] = username; build a new array with this information

Here's the PHP I used for this:

```php
<?php
// Read the exported event text; explode() on the file name itself would only split the string "4624.txt".
$file = "4624.txt";
$contents = file_get_contents($file);
// One chunk per event, split on the TimeCreated label (case-insensitive, since findstr output keeps the event's casing).
$file_explode = preg_split("/timecreated/i", $contents);
$new_arr = array();

// each() was removed in PHP 8; foreach gives the same key/value walk.
foreach ($file_explode as $k => $v) {
    if (trim($v) === "") {
        continue; // text before the first TimeCreated label
    }
    $account_name = "";
    $time = "";
    if (preg_match("/logon type\:[\s]+2/iu", $v)) {
        if (preg_match("/winlogon\.exe/iu", $v)) {
            if (strstr($v, "{00000000-0000-0000-0000-000000000000}")) {
                continue; // null logon GUID: skip this event
            } else {
                // Without the /s flag, (.*) stops at the end of the line instead of swallowing the rest of the chunk.
                preg_match("/^[\s]*\:[\s]*(.*)$/mu", $v, $time);
                preg_match_all("/account name\:[\s]+(.*)$/miu", $v, $account_name);
                $new_arr[] = array(
                    "time"          => trim($time[1]),
                    "computer_name" => trim($account_name[1][0]), // first Account Name: the Subject (computer) account
                    "user"          => trim($account_name[1][1])  // second Account Name: the New Logon (user) account
                );
            }
        }
    }
}
```

The reason I can't use PHP (which I found out): I can't post 4624.txt to a web server because it contains PII (personally identifiable information). If you can help me out, I'll be forever in your debt ;]

-adam

In general, my approach to this sort of problem is creating a custom object in PowerShell where there is a property for every piece of data you want. Once you have the object, it's easier to use Sort-Object, Group-Object, Format-Object to manipulate the data.

```powershell
$logonids = 4624
$ignorelogonguid = '{00000000-0000-0000-0000-000000000000}'

function parse-logonid4624event
{
    param(
        [parameter(mandatory = $true, position = 0, valuefrompipeline = $true)]
        [psobject[]]
        $eventlogentry
    )

    process {
        foreach ($ev in $eventlogentry)
        {
            $timecreated = [datetime]::parse($ev.timecreated)

            # Capture the account under "New Logon:", not the "Subject:" account that precedes it.
            # \S+ (non-whitespace) is required here; \s+ would only match blanks.
            $accountname = 'not found'
            if ($ev.message -match '(?ims)new logon:.*?account name:\s*(\S+)')
            {
                $accountname = $matches[1]
            }

            $logonguid = 'not found'
            if ($ev.message -match '(?ims)^\s+logon guid:\s*(\S+)')
            {
                $logonguid = $matches[1]
            }

            # [pscustomobject] is a PowerShell v3 feature.
            $obj = [pscustomobject] @{
                timecreated = $timecreated
                accountname = $accountname
                logonguid   = $logonguid
                message     = $ev.message
            }
            $obj
        }
    }
}

get-winevent -max 20 -filterhashtable @{logname='security';id=$logonids} |
    parse-logonid4624event |
    where-object { $_.logonguid -ne $ignorelogonguid }
```

This implementation doesn't grab all the fields you need, but I think you can see how to rinse & repeat for the other fields you need. Note this implementation uses PowerShell v3 specific features. If you need it on v2, let me know; it should require only a few tweaks.
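An added example (not the question's or the answer's code) that carries the answer's custom-object approach through to the question's filter: it parses the 4624 message text into one object per event, using the "Subject:" and "New Logon:" block headers to tell the computer account from the user account, then keeps only Logon Type 2, winlogon.exe, non-null-GUID entries. The New-SampleEvent helper and the three sample events are constructed stand-ins for Get-WinEvent output; the field labels follow the Windows 4624 message text.

```powershell
# Added example: parse 4624 message text into objects and apply the question's filter
# (Logon Type 2, winlogon.exe, non-null Logon GUID). Sample events are constructed.
$IgnoreLogonGuid = '{00000000-0000-0000-0000-000000000000}'

function Get-Field([string]$Text, [string]$Pattern) {
    # Return the first capture group of $Pattern, or $null when it does not match.
    if ($Text -match $Pattern) { $Matches[1] } else { $null }
}

function ConvertFrom-Logon4624 {
    param([Parameter(Mandatory, ValueFromPipeline)] [psobject[]] $Event)  # TimeCreated + Message, as Get-WinEvent returns
    process {
        foreach ($ev in $Event) {
            $m = $ev.Message
            # A 4624 message has a "Subject:" block and a "New Logon:" block, each with its own
            # "Account Name:"; slice by block header instead of taking the first match.
            $subject  = Get-Field $m '(?s)Subject:(.*?)Logon Type:'
            $newLogon = Get-Field $m '(?s)New Logon:(.*?)Process Information:'
            [pscustomobject]@{
                TimeCreated    = $ev.TimeCreated
                LogonType      = [int](Get-Field $m 'Logon Type:\s*(\d+)')
                SubjectAccount = Get-Field $subject 'Account Name:\s*(\S+)'   # the computer account
                AccountName    = Get-Field $newLogon 'Account Name:\s*(\S+)'  # the logged-on user
                LogonGuid      = Get-Field $newLogon 'Logon GUID:\s*(\S+)'
                ProcessName    = Get-Field $m 'Process Name:\s*(\S+)'
            }
        }
    }
}

# Constructed stand-in for Get-WinEvent output; real 4624 messages carry more sections.
function New-SampleEvent($Time, $Subject, $Type, $User, $Guid, $Proc) {
    [pscustomobject]@{
        TimeCreated = Get-Date $Time
        Message     = "An account was successfully logged on.`r`n`r`nSubject:`r`n`tAccount Name:`t`t$Subject`r`n`r`n" +
                      "Logon Type:`t`t$Type`r`n`r`nNew Logon:`r`n`tAccount Name:`t`t$User`r`n" +
                      "`tLogon GUID:`t`t$Guid`r`n`r`nProcess Information:`r`n`tProcess Name:`t`t$Proc"
    }
}
$sample = @(
    New-SampleEvent '2013-05-02 07:19:39' 'PC01$' 2 'jdoe' '{akej38dj-3k45-3lkd-3lkd-dkej3787djj3}' 'C:\Windows\System32\winlogon.exe'
    New-SampleEvent '2013-05-02 07:19:39' 'PC01$' 2 'jdoe' $IgnoreLogonGuid 'C:\Windows\System32\winlogon.exe'   # dropped: null GUID
    New-SampleEvent '2013-05-02 06:50:42' '-' 3 'PC01$' '{k458d890-3kj8-dk3j-dk39-3ldjk23ld909}' '-'                # dropped: type 3
)

$sample | ConvertFrom-Logon4624 |
    Where-Object { $_.LogonType -eq 2 -and $_.ProcessName -like '*\winlogon.exe' -and $_.LogonGuid -ne $IgnoreLogonGuid } |
    Select-Object TimeCreated, SubjectAccount, AccountName, LogonGuid |
    Format-Table -AutoSize
```

Only the first sample survives the filter; swap `$sample` for the Get-WinEvent pipeline from the answer to run it against live events.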
