最近要將每月的報告自動化，所以使用 PowerShell 來取得一些記錄；要取得的記錄是事件檢視器中前一個月「應用程式」、「安全性」、「系統」三個記錄檔各自的錯誤事件。

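# Previous calendar month, derived with DateTime arithmetic.
# The original compared the zero-padded string from `Get-Date -Format 'MM'`
# ("01") against the integer 1, which is never true in PowerShell, so the
# January -> December rollover never fired and DaysInMonth was called with
# month 0.  AddMonths(-1) handles the year boundary itself.
$prevMonth = (Get-Date).AddMonths(-1)
$year = $prevMonth.Year
$month = $prevMonth.Month
$dir = 'EventLog'   # not referenced below; kept for compatibility with existing callers

# Inclusive bounds of the previous month.  $first is midnight on day 1 with
# no leftover milliseconds from "now"; $last is the final tick of the last
# day, so events logged inside the last second are not dropped.
$first = New-Object -TypeName DateTime -ArgumentList $year, $month, 1
$last = $first.AddMonths(1).AddTicks(-1)

# IPv4 address of this host, used only in the output file name.
# Indexing an empty result with [0] silently produced an empty string; fall
# back to a fixed marker so the file name stays well-formed.
$hostIP = [System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    Select-Object -First 1 -ExpandProperty IPAddressToString
if (-not $hostIP) { $hostIP = 'no-ipv4' }

$events = @('Application', 'System', 'Security')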

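#######################################
# Appends one timestamped line to %USERPROFILE%\EventLog.log.
# Arguments: $message - text (or object, stringified) to record
# Outputs:   nothing on the pipeline; appends to the log file
#######################################
Function EventLogger($message){
    $nowTime = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    $logPath = Join-Path $env:USERPROFILE 'EventLog.log'
    # `Write-Output $nowTime $message` emitted the timestamp and the message
    # as two separate lines; a single interpolated string keeps each entry
    # on one line.  The >> redirection is kept so the encoding of an
    # existing log file does not change mid-file.
    "$nowTime $message" >> $logPath
}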

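# Export last month's critical/error events (Application, System) and audit
# failures (Security) to one CSV per log.  Each log is collected inside its
# own try/catch so a failure on one log (for example no read access to the
# Security log) is recorded and the remaining logs are still processed;
# previously the first exception aborted the whole loop.
try{
    Foreach($eventName in $events){
        try {
            $info = $null   # reset so a failed query cannot reuse the previous log's records
            switch($eventName){
                "Security" {
                    # -EntryType and the coarse -After/-Before bounds limit what
                    # Get-EventLog has to read; the Where-Object keeps the exact
                    # inclusive [$first, $last] window of the original filter.
                    $info = Get-EventLog -LogName Security -EntryType FailureAudit `
                        -After $first.AddDays(-1) -Before $last.AddDays(1) |
                        Where-Object { $_.TimeGenerated -ge $first -and $_.TimeGenerated -le $last }
                }
                Default {
                    # Level 1 = Critical, 2 = Error.  When nothing matches,
                    # Get-WinEvent writes a non-terminating "no events" error
                    # and $info stays $null, which is reported below.
                    $info = Get-WinEvent -FilterHashtable @{
                        LogName=$eventName;
                        Level=1,2;
                        StartTime=$first;
                        EndTime=$last;
                    }
                }
            }

            # @() makes .Count safe for $null and for a single record alike.
            if (@($info).Count -gt 0) {
                # Month is zero-padded so file names sort chronologically.
                $csvName = '{0}-{1}-Log-{2}{3:D2}-{4}.csv' -f $env:COMPUTERNAME, $hostIP, $year, [int]$month, $eventName
                $csvPath = Join-Path $env:USERPROFILE $csvName
                # -NoTypeInformation drops the "#TYPE ..." first line that
                # confuses spreadsheet imports.  The Security export contains
                # audit-failure records, so the destination directory's
                # permissions should be reviewed before sharing the files.
                $info | Export-Csv -Path $csvPath -Encoding "UTF8" -NoTypeInformation
            } else {
                EventLogger "$eventName no event records"
            }
            EventLogger "$eventName scan end"
        } catch {
            # $_ is the ErrorRecord for this log; record it and continue.
            EventLogger "$eventName scan failed: $($_.Exception.Message)"
        }
    }
}catch{
    # Anything outside the per-log handler (for example the logger itself).
    EventLogger "scan aborted: $($_.Exception.Message)"
}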