0

我有以下脚本

get-eventlog -LogName Security -InstanceId 4663 -after (Get-Date).AddMonths(-1) -before (Get-Date) |
Select TimeWritten, @{Name="Account Name";Expression={ $_.ReplacementStrings[1]}}, @{Name="Object Name";e= {$_.ReplacementStrings[6]}}  |
Export-Csv "archive $(Get-Date -UFormat "%m.%d.%Y").csv" -NoType

我尝试添加 Where 语句

@{Name="Account Name";Expression={ $_.ReplacementStrings[1]} -notlike "user"}

或者

$_.username -notlike "user"

但是似乎两者都不会影响日志的结果。

我究竟做错了什么?

4

2 回答 2

0

当你使用-Likeand-Notlike时,你必须指定一个通配符,使用星号 *

像这样:

get-eventlog -LogName Security -InstanceId 4663 -after (Get-Date).AddMonths(-1) -before (Get-Date) |
    Where-Object {$_.username -notlike "*UserName*"} | 
        Select TimeWritten, @{Name="Account Name";Expression={ $_.ReplacementStrings[1]}}, @{Name="Object Name";e= {$_.ReplacementStrings[6]}}  |
            Export-Csv "archive $(Get-Date -UFormat "%m.%d.%Y").csv" -NoType
于 2021-08-30T18:29:50.303 回答
0

我的解决方案最终使用 -NotMatch 而不是 -notlike

来自https://social.technet.microsoft.com/Forums/ie/en-US/d6a2e073-ada4-4b4f-8cd5-1ebe9256fcfe/geteventlog-and-message-details?forum=winserverpowershell

get-eventlog -LogName Security -InstanceId 4663 -after (Get-Date).AddMonths(-1) -before (Get-Date) | 
Where {$_.message -notmatch "Account Name:\s*user*"} |
Select TimeWritten, @{Name="Account Name";Expression={ $_.ReplacementStrings[1] }}, @{Name="Object Name";e= {$_.ReplacementStrings[6]}}  |
Export-Csv "archive $(Get-Date -UFormat "%m.%d.%Y").csv" -NoType
于 2021-09-01T18:49:04.207 回答