*[System[EventID=4740 and TimeCreated[timediff(@SystemTime) <= 86400000] and Provider[@Name='Microsoft-Windows-Security-Auditing']]]
and
*[EventData[Data[@Name='TargetUserName']='somebody']]
If you only want the lockout events of all users from the last day, write it like this (timediff returns milliseconds, so 86400000 is 24 hours):
*[System[EventID=4740 and TimeCreated[timediff(@SystemTime) <= 86400000] and Provider[@Name='Microsoft-Windows-Security-Auditing']]]
OK, to make this convenient for day-to-day use, let's turn it into a PowerShell function. Straight to the example:
function get-lockedEvent{
<#
.SYNOPSIS
Lists account lockout events (EventID 4740) from the last 24 hours, optionally for one account.
.EXAMPLE
PS C:\> get-lockedEvent -loginname oaoperator -summary
Count Name
----- ----
457 Oaoperator, OA
.EXAMPLE
PS C:\> get-lockedEvent -loginname oaoperator
Username LockedPC Datetime EventLocation
-------- -------- -------- -------------
Oaoperator OA 2018/9/27 10:27:40 dc02
Oaoperator OA 2018/9/27 10:32:40 dc02
#>
[cmdletbinding()]
param(
[parameter(Mandatory=$false)]
[string]
$loginname,
[Parameter(Mandatory=$false)]
[switch]
$summary,
[Parameter(Mandatory=$false)]
[switch]
$show   # declared in the original; the code that used it is not on the page
)
# filter Locked Events generated in 1 day and username eq loginname
$f2=@'
*[System[EventID=4740 and TimeCreated[timediff(@SystemTime) <= 86400000] and Provider[@Name='Microsoft-Windows-Security-Auditing']]]
and
*[EventData[Data[@Name='TargetUserName']='{0}']]
'@
# filter Locked Events generated in 1 day
$f1=@'
*[System[EventID=4740 and TimeCreated[timediff(@SystemTime) <= 86400000] and Provider[@Name='Microsoft-Windows-Security-Auditing']]]
'@
# The rest of the function is cut off on the page; the body below is a reconstruction
# that produces the output shown in the examples above.
# Use the per-user filter when -loginname is given, otherwise the all-users filter.
# Note: loginname is spliced into the XPath, so a value containing ' breaks the query.
if ($loginname) { $xpath = $f2 -f $loginname } else { $xpath = $f1 }
# 4740 is written to the Security log of the DC that locked the account (and to the
# PDC emulator), so run this on a DC, or add -ComputerName to query one remotely.
$events = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue
$rows = foreach ($e in $events) {
    # Read EventData by field name rather than by position
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Username      = $data['TargetUserName']    # the locked-out account
        LockedPC      = $data['TargetDomainName']  # "Caller Computer Name": where the bad passwords came from
        Datetime      = $e.TimeCreated
        EventLocation = $e.MachineName             # the DC that logged the event
    }
}
if ($summary) {
    # One line per (account, source computer) pair, as in the first example
    $rows | Group-Object Username, LockedPC | Select-Object Count, Name
} else {
    $rows
}
}
Match the Data element under EventData whose Name is ResultCode and require its value to be non-zero (> 0, or simply != 0), since 0 means the action completed successfully. The comparison has to be attached to that same element, as in Data[@Name='ResultCode']!=0: a separate test such as Data!='0' is true whenever any Data element in the event (TaskName, for example) differs from '0', so it filters nothing out.
EventID=201
Provider Name=Microsoft-Windows-TaskScheduler
The finished filter is below; it differs from Microsoft's earlier example. (XPath equality is written with a single =.)
*[System/EventID=201]
and
*[EventData[
(
Data[@Name='TaskName']='\qq_ent\download_images'
or
Data[@Name='TaskName']='\qq_ent\store_to_db_offline'
or
Data[@Name='TaskName']='\qq_ent\gatherQQmsg'
or
Data[@Name='TaskName']='\qq_ent\store_to_db'
)
and
Data[@Name='ResultCode'] !=0
]]
I had previously written it like this, following Microsoft's example, and the results were wrong.
*[System/EventID=201]
and
*[
EventData[
(
Data[@Name='TaskName']
and
(
Data='\qq_ent\download_images'
or
Data='\qq_ent\store_to_db_offline'
or
Data='\qq_ent\gatherQQmsg'
or
Data='\qq_ent\store_to_db'
)
)
and
(
Data[@Name='ResultCode'] and Data !='0'
)
]
]
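To see why the two filters behave differently without a live Microsoft-Windows-TaskScheduler/Operational log, here is an added PowerShell example (not code from the original post) that evaluates both XPath expressions with System.Xml's XPath 1.0 engine against three constructed EventID 201 records. The event XML is constructed and deliberately omits the xmlns of real events so the unprefixed element names in the filters resolve as written; the task names are the page's, while the extra task \other\nightly_report, the result codes and the computer name are made up. Both filters are written with = for equality throughout. Caveat: the event log service implements only a subset of XPath 1.0 plus its own functions such as timediff(), so the 4740 filters from the top of the page are not exercised here; the two EventID 201 filters use only the shared subset.

```powershell
# Added example, not part of the original post: evaluate the two EventID 201 filters
# offline against constructed event XML using System.Xml's XPath 1.0 engine.

function New-SampleEvent {
    param([string]$TaskName, [int64]$ResultCode)
    # Constructed minimal EventID 201 record. Real events carry
    # xmlns="http://schemas.microsoft.com/win/2004/08/events/event"; it is omitted here so
    # the unprefixed names in the filters resolve without a namespace manager.
    return @"
<Event>
  <System>
    <Provider Name="Microsoft-Windows-TaskScheduler" />
    <EventID>201</EventID>
    <Computer>host01</Computer>
  </System>
  <EventData>
    <Data Name="TaskName">$TaskName</Data>
    <Data Name="TaskInstanceId">{11111111-2222-3333-4444-555555555555}</Data>
    <Data Name="ActionName">C:\tools\job.exe</Data>
    <Data Name="ResultCode">$ResultCode</Data>
  </EventData>
</Event>
"@
}

function Test-EventXPath {
    param([string]$XPath, [string[]]$EventXml)
    # The event log engine evaluates a query per event with the document as the context
    # node, so "*[System/EventID=201]" selects the <Event> element. boolean() wraps the
    # expression so a node-set and an and/or expression both come back as $true/$false.
    $hits = 0
    foreach ($xml in $EventXml) {
        $nav = ([xml]$xml).CreateNavigator()
        if ($nav.Evaluate("boolean($XPath)")) { $hits++ }
    }
    return $hits
}

# The working filter: every predicate is attached to the Data element it tests.
$working = @'
*[System/EventID=201]
and
*[EventData[
  ( Data[@Name='TaskName']='\qq_ent\download_images'
    or Data[@Name='TaskName']='\qq_ent\store_to_db_offline'
    or Data[@Name='TaskName']='\qq_ent\gatherQQmsg'
    or Data[@Name='TaskName']='\qq_ent\store_to_db' )
  and Data[@Name='ResultCode']!=0
]]
'@

# The earlier attempt: "Data[@Name='ResultCode'] and Data!='0'" asks whether a ResultCode
# element exists AND whether any Data element at all differs from '0'. TaskName always
# does, so the ResultCode test never excludes anything.
$earlier = @'
*[System/EventID=201]
and
*[EventData[
  ( Data[@Name='TaskName']
    and ( Data='\qq_ent\download_images' or Data='\qq_ent\store_to_db_offline'
          or Data='\qq_ent\gatherQQmsg' or Data='\qq_ent\store_to_db' ) )
  and ( Data[@Name='ResultCode'] and Data!='0' )
]]
'@

# Constructed records: one success, one failure (0x80070002 as decimal), one unrelated task.
$events = @(
    (New-SampleEvent -TaskName '\qq_ent\download_images' -ResultCode 0),
    (New-SampleEvent -TaskName '\qq_ent\store_to_db'     -ResultCode 2147942402),
    (New-SampleEvent -TaskName '\other\nightly_report'   -ResultCode 1)
)

'working filter matched {0} event(s)' -f (Test-EventXPath -XPath $working -EventXml $events)
'earlier filter matched {0} event(s)' -f (Test-EventXPath -XPath $earlier -EventXml $events)
```

Run as-is, the working filter matches only the failed \qq_ent\store_to_db record, while the earlier filter also matches the successful \qq_ent\download_images record, because its Data!='0' test is satisfied by the TaskName element. Neither matches the unrelated task. The same Test-EventXPath helper is a cheap way to sanity-check any new filter against a saved event (Get-WinEvent ... | ForEach-Object ToXml) before trusting it in production.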