More than 3 years have passed since last update.

Extracting the previous day's logon failures from the Security event log (PowerShell)


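Purpose

Extract from the Security event log the entries from the day before the run date that have event ID 4625 and the keyword "Audit Failure", and write them to a file.
Searching the Security event log requires administrator privileges at run time.

Code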

# Today at 00:00
$today = (Get-Date).Date

# Yesterday at 00:00
$yesterday = $today.AddDays(-1)

# Build the file name from the date
$yesterdaystr = $yesterday.ToString("yyyyMMdd")
$filename = "security-" + $yesterdaystr + ".log"

# Search the event log
Get-EventLog Security -InstanceId 4625 -EntryType FailureAudit -After $yesterday -Before $today | Format-List > $filename
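
Get-EventLog exists only in Windows PowerShell and was not carried over to PowerShell 6 and later. The following added example (not the article author's code) runs the same previous-day 4625 query with Get-WinEvent and breaks each event into fields for triage. The CSV file name and the choice of columns are assumptions made for this example.

```powershell
# Added example: same time window as the script above, using Get-WinEvent.
# Requires an elevated session to read the Security log.
$today     = (Get-Date).Date        # today 00:00
$yesterday = $today.AddDays(-1)     # yesterday 00:00
$csvPath   = "security-4625-{0:yyyyMMdd}.csv" -f $yesterday   # assumed file name

$filter = @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $yesterday
    EndTime   = $today
}

# Get-WinEvent reports an error when nothing matches the filter. Treat only
# that case as "no failures"; rethrow anything else (e.g. access denied).
try {
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction Stop)
} catch {
    if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') { throw }
    $events = @()
}

$rows = foreach ($ev in $events) {
    # Index the named <Data> elements of the event's EventData section.
    $data = @{}
    foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        TimeCreated = $ev.TimeCreated
        Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType   = $data['LogonType']
        SourceIp    = $data['IpAddress']
        Workstation = $data['WorkstationName']
        Status      = $data['Status']
        SubStatus   = $data['SubStatus']
    }
}

if ($rows) {
    $rows | Export-Csv -Path $csvPath -NoTypeInformation -Encoding UTF8
    # Account and source address pairs with the most failures first.
    $rows | Group-Object Account, SourceIp |
        Sort-Object Count -Descending |
        Select-Object Count, Name -First 10
} else {
    Write-Output "No 4625 events between $yesterday and $today"
}
```

The grouped output makes repeated failures against one account or from one source address visible at a glance, which the Format-List dump does not.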