嗨,KA���。很有趣�,是吧:每次一有關(guān)于失敗的主題���,人們總是會(huì)找 Scripting Guy 幫忙。是什么讓你們認(rèn)為我們對(duì)于失敗無所不知呢���?
好吧����,您是對(duì)的:這個(gè)問題比較愚蠢��。至于您的 問題,從安全事件日志里只取出“安全失敗審核”事件是很容易的事情����;事實(shí)上,我們正好有一個(gè)腳本可以實(shí)現(xiàn)這個(gè)目的:
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate,(Security)}!\\" & _
strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery _
("Select * FROM Win32_NTLogEvent WHERE Logfile = ‘Security‘ " & _
"AND EventType = 5")
For Each objEvent in colLoggedEvents
Wscript.Echo "==================================================="
Wscript.Echo "Category: " & objEvent.Category
Wscript.Echo "Computer Name: " & objEvent.ComputerName
Wscript.Echo "Event Code: " & objEvent.EventCode
Wscript.Echo "Message: " & objEvent.Message
Wscript.Echo "Record Number: " & objEvent.RecordNumber
Wscript.Echo "Source Name: " & objEvent.SourceName
Wscript.Echo "Time Written: " & objEvent.TimeWritten
Wscript.Echo "Event Type: " & objEvent.Type
Wscript.Echo "User: " & objEvent.User
Wscript.Echo
Next
一個(gè)非常簡(jiǎn)單小巧的腳本���,但有兩件事情您需要注意���。首先,請(qǐng)注意我們?cè)谶B接 WMI 時(shí)使用了 (Security) 參數(shù):
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate,(Security)}!\\" & _
strComputer & "\root\cimv2")
每次處理安全事件日志時(shí)都必須包含此參數(shù)�;沒有這個(gè)參數(shù),腳本就不能起作用�。哦,是的�����,我們知道您是本地管理員��,也知道您有權(quán)讀取安全事件日志����。但是不管怎樣,WMI 并不關(guān)心這個(gè):您還是必須包含 (Security) 參數(shù)。
其次�,請(qǐng)注意我們的 WHERE 子句的兩個(gè)部分:
("Select * from Win32_NTLogEvent WHERE Logfile = ‘Security‘ " & _
"AND EventType = 5")
對(duì)于這個(gè)腳本,我們只希望檢索滿足以下兩個(gè)條件的事件:安全事件日志中記錄的�����、且 EventType 為 5 的事件��,恰如您可能料到的���,EventType 為 5 在 WMI 中表示失敗審核�����。此外�,您也可以搜索 EventTypes 1(錯(cuò)誤)�����、2(警告)�、3 (信息)或 4(安全審核成功)。由于我們需要失敗審核事件�����,因此我們?cè)诎踩?b>事件日志中查找 EventType 為 5 的事件���。即:
WHERE Logfile = ‘Security‘ AND EventType = 5
夠酷吧���,嗯?如果您需要了解有關(guān)處理事件日志(包括一些可能對(duì)您比較有用的示例查詢)的更多信息�,請(qǐng)?jiān)L問“Microsoft Windows 2000 腳本指南” 中的“日志”一章。
并且�,您可能還需要注意一件事情。如上所示��,這個(gè)腳本將會(huì)以 WMI 的默認(rèn) Universal Time Coordinate 格式顯示 TimeWritten 屬性�。換句話說,您將得到類似如下結(jié)果:
20041025124000.000000-420
多么……美妙……���。不過別失望�。以下這個(gè)修改后的腳本包含一個(gè)函數(shù) (WMIDateStringTodate)�����,這個(gè)函數(shù)可以將 UTC 值轉(zhuǎn)換為比較容易讀取的格式:
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate,(Security)}!\\" & _
strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery _
("Select * FROM Win32_NTLogEvent WHERE Logfile = ‘Security‘ " & _
"AND EventType = 5")
For Each objEvent in colLoggedEvents
Wscript.Echo "==================================================="
Wscript.Echo "Category: " & objEvent.Category
Wscript.Echo "Computer Name: " & objEvent.ComputerName
Wscript.Echo "Event Code: " & objEvent.EventCode
Wscript.Echo "Message: " & objEvent.Message
Wscript.Echo "Record Number: " & objEvent.RecordNumber
Wscript.Echo "Source Name: " & objEvent.SourceName
dtmEventDate = objEvent.TimeWritten
strTimeWritten = WMIDateStringToDate(dtmEventDate)
Wscript.Echo "Time Written: " & strTimeWritten
Wscript.Echo "Event Type: " & objEvent.Type
Wscript.Echo "User: " & objEvent.User
Wscript.Echo
Next
Function WMIDateStringToDate(dtmEventDate)
WMIDateStringToDate = CDate(Mid(dtmEventDate, 5, 2) & "/" & _
Mid(dtmEventDate, 7, 2) & "/" & Left(dtmEventDate, 4) _
& " " & Mid (dtmEventDate, 9, 2) & ":" & _
Mid(dtmEventDate, 11, 2) & ":" & Mid(dtmEventDate, _
13, 2))
End Function
我們今天就不再介紹這段腳本的工作原理了��,但如果您有任何相關(guān)疑問���,請(qǐng)讓我們知道�����。我們可能會(huì)在下一個(gè)專欄中詳細(xì)介紹�����。
