質問編集履歴
4
おかしかった為
test
CHANGED
File without changes
|
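--- a/test
+++ b/test
@@ -2,171 +2,7 @@
 
 
 
-function GetValue([String]$category, [String]$key, [String[]]$properties)
 
-{
-
-$b = $false;
-
-foreach ($property in $properties) {
-
-if ($b -eq $false) {
-
-if ($property.contains($category)) {
-
-$b = $true;
-
-continue;
-
-}
-
-} else {
-
-if ($property.contains($key)) {
-
-return [String]$property.Substring($property.IndexOf(":")+1).Trim();
-
-}
-
-}
-
-}
-
-return "";
-
-}
-
-
-
-function ConvertACL([string]$accessList)
-
-{
-
-switch ($accessList.trim()) {
-
-"%%1537" { return "Delete"; }
-
-"%%1538" { return "Read_CONTROL"; }
-
-"%%1539" { return "Write_DAC"; }
-
-"%%1540" { return "Write_OWNER"; }
-
-"%%1541" { return "Synchronize"; }
-
-"%%4416" { return "ReadData (or List Directory)"; }
-
-"%%4417" { return "WriteData (or Add File)"; }
-
-"%%4418" { return "AppendData (or AddSubdirectory or CreatePipeInstance)"; }
-
-"%%4419" { return "ReadEA"; }
-
-"%%4420" { return "WriteEA"; }
-
-"%%4421" { return "ExecuteFile"; }
-
-"%%4422" { return "DeleteChild"; }
-
-"%%4423" { return "ReadAttributes"; }
-
-"%%4424" { return "WriteAttributes"; }
-
-default { return "Other"; }
-
-}
-
-}
-
-
-
-$acslogs = Get-EventLog Security | Where-Object { ($_.EventID -eq '4663') -and (Get-Date).AddMonths(-1)}
-
-$Datas = @()
-
-$i = 0;
-
-foreach ($entry in $acslogs) {
-
-$Data = New-Object PSObject | Select-Object 日時,ユーザ名,ドメイン名,ファイル名,操作,アプリケーション名
-
-$i = $i + 1;
-
-Write-Progress -Activity "Outputting Event" `
-
--Status "Progress:" -PercentComplete ($i/$acslogs.count*100);
-
-$properties = $entry.Message.Split("`n");
-
-
-
-$a = (GetValue "オブジェクト:" "オブジェクト名:" $properties);
-
-
-
-if($a.Contains("C:\Users")){
-
-$Data.日時 = [String]$entry.TimeGenerated.ToString("yyyy/MM/dd HH:mm:ss");
-
-$Data.ユーザ名 = (GetValue "サブジェクト:" "アカウント名:" $properties);
-
-$Data.ドメイン名 = (GetValue "サブジェクト:" "アカウント ドメイン:" $properties);
-
-$Data.ファイル名= (GetValue "オブジェクト:" "オブジェクト名:" $properties);
-
-$Data.操作 = (ConvertACL((GetValue "アクセス要求情報:" "アクセス:" $properties)));
-
-$Data.アプリケーション名 = (GetValue "プロセス情報:" "プロセス名:" $properties);
-
-
-
-for($n=0; $n -le $Datas.Length; $n++){
-
-
-
-if($Datas[$n] -eq $Data){
-
-
-
-write-output "一致しました";
-
-break;
-
-
-
-}elseif($n -eq $Datas.Length){
-
-
-
-$Datas += $Data;
-
-Write-output "書き込みます";
-
-break;
-
-
-
-}else{
-
-write-output "ありません";
-
-}
-
-
-
-}
-
-
-
-}else{
-
-
-
-}
-
-
-
-}
 
 
 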
3
間違えた為
test
CHANGED
File without changes
|
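--- a/test
+++ b/test
@@ -124,7 +124,7 @@
 
 
 
-if($Data
+if($Datas[$n] -eq $Data){
 
 
 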
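Review bot: The corrected comparison `if($Datas[$n] -eq $Data){` still will not find a duplicate: `$Data` is a fresh PSObject created for every event, and as far as I can tell `-eq` between two such objects compares identity rather than the six property values, so the match branch is effectively never taken and every event that passes the path check is appended. Compare on a value instead, for example build `$key = "$($Data.日時)|$($Data.ユーザ名)|$($Data.ドメイン名)|$($Data.ファイル名)|$($Data.操作)|$($Data.アプリケーション名)"` and test it against a collection of keys already seen, or drop the loop entirely and deduplicate the finished array with `$Datas | Sort-Object 日時,ユーザ名,ドメイン名,ファイル名,操作,アプリケーション名 -Unique`. Note that the `日時` property is formatted to the second, so events in the same second with the same user, file and access type will be collapsed; confirm that loss of count is acceptable for an audit report. The enclosing `for` loop and `if`/`elseif` chain start and end outside the hunk.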
2
質問が分かりにくい為
test
CHANGED
File without changes
|
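--- a/test
+++ b/test
@@ -1,10 +1,132 @@
 PowerShellで出力するアクセスログの重複を消すためのコーディングをしています。
+
+
+
+function GetValue([String]$category, [String]$key, [String[]]$properties)
+
+{
+
+$b = $false;
+
+foreach ($property in $properties) {
+
+if ($b -eq $false) {
+
+if ($property.contains($category)) {
+
+$b = $true;
+
+continue;
+
+}
+
+} else {
+
+if ($property.contains($key)) {
+
+return [String]$property.Substring($property.IndexOf(":")+1).Trim();
+
+}
+
+}
+
+}
+
+return "";
+
+}
+
+
+
+function ConvertACL([string]$accessList)
+
+{
+
+switch ($accessList.trim()) {
+
+"%%1537" { return "Delete"; }
+
+"%%1538" { return "Read_CONTROL"; }
+
+"%%1539" { return "Write_DAC"; }
+
+"%%1540" { return "Write_OWNER"; }
+
+"%%1541" { return "Synchronize"; }
+
+"%%4416" { return "ReadData (or List Directory)"; }
+
+"%%4417" { return "WriteData (or Add File)"; }
+
+"%%4418" { return "AppendData (or AddSubdirectory or CreatePipeInstance)"; }
+
+"%%4419" { return "ReadEA"; }
+
+"%%4420" { return "WriteEA"; }
+
+"%%4421" { return "ExecuteFile"; }
+
+"%%4422" { return "DeleteChild"; }
+
+"%%4423" { return "ReadAttributes"; }
+
+"%%4424" { return "WriteAttributes"; }
+
+default { return "Other"; }
+
+}
+
+}
+
+
+
+$acslogs = Get-EventLog Security | Where-Object { ($_.EventID -eq '4663') -and (Get-Date).AddMonths(-1)}
+
+$Datas = @()
+
+$i = 0;
+
+foreach ($entry in $acslogs) {
+
+$Data = New-Object PSObject | Select-Object 日時,ユーザ名,ドメイン名,ファイル名,操作,アプリケーション名
+
+$i = $i + 1;
+
+Write-Progress -Activity "Outputting Event" `
+
+-Status "Progress:" -PercentComplete ($i/$acslogs.count*100);
+
+$properties = $entry.Message.Split("`n");
+
+
+
+$a = (GetValue "オブジェクト:" "オブジェクト名:" $properties);
+
+
+
+if($a.Contains("C:\Users")){
+
+$Data.日時 = [String]$entry.TimeGenerated.ToString("yyyy/MM/dd HH:mm:ss");
+
+$Data.ユーザ名 = (GetValue "サブジェクト:" "アカウント名:" $properties);
+
+$Data.ドメイン名 = (GetValue "サブジェクト:" "アカウント ドメイン:" $properties);
+
+$Data.ファイル名= (GetValue "オブジェクト:" "オブジェクト名:" $properties);
+
+$Data.操作 = (ConvertACL((GetValue "アクセス要求情報:" "アクセス:" $properties)));
+
+$Data.アプリケーション名 = (GetValue "プロセス情報:" "プロセス名:" $properties);
 
 
 
 for($n=0; $n -le $Datas.Length; $n++){
 
+
+
-if($Data
+if($Data2 -eq $Data3){
+
+
 
 write-output "一致しました";
 
@@ -36,6 +158,18 @@
 
 
 
+}else{
+
+
+
+}
+
+
+
+}
+
+
+
 $Dataにログの一つが入っており、一致する内容のログがあればbreakしてループを抜けて、
 
 一致する内容のログがなければelseifの条件まで到達し、$Datasにアクセスログを足しこんでいき、そのログを最後に出力する。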
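Review bot: The date bound in the `$acslogs` assignment (new line 83 of the first hunk) never restricts anything: `(Get-Date).AddMonths(-1)` is a DateTime operand on the right of `-and`, and a non-null object is always true in a boolean context, so every 4663 event in the Security log is returned regardless of age. Compare against the entry's own timestamp, `Where-Object { $_.EventID -eq 4663 -and $_.TimeGenerated -ge (Get-Date).AddMonths(-1) }`. Because `Get-EventLog Security` reads the whole log before the filter runs, the missing bound also determines how long the script takes on a host with file auditing enabled. One more thing to confirm: `$a.Contains("C:\Users")` is the ordinal, case-sensitive .NET method, so an object name logged as `c:\Users\...` would be skipped; `$a -like 'C:\Users*'` is case-insensitive by default. The `foreach` body continues past the first hunk.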
1
タイトルが分かりにくかった為
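--- a/test
+++ b/test
@@ -1 +1 @@
-PowerShelll
+PowerShelll アクセスログの重複をなくしたい。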
test
CHANGED
File without changes
|