I am using the PSEventViewer package in Powershell to pull login events from the Security log. The package has a parameter called -NamedDataExcludeFilter which I use to skip various system level ids. However, I cannot skip all the UMFD-xx and DWM-xx as the xx numbers vary. I would like to filter out all UMFD* and DWM* values. In all honesty I am a relative newbie to Powershell. I have been developer for over 30 years but I have always stuck with DOS cmd when I could. I know this must be a simple solution but I can't find a working solution.
$FromDate = (Get-Date).AddSeconds(-3)
$ToDate = Get-Date
$L = Get-Events -LogName 'Security' -Id 4625,4647,4648 -DateFrom $FromDate -DateTo $ToDate `
-NamedDataExcludeFilter @{ 'TargetUserName' = 'System','Network Service','Local Service' } | `
Sort-Object TimeCreated
if ( $L.Count -ne 0 )
{
"From: ", $FromDate, " to ", $ToDate |
Out-File -FilePath C:\Users\Scomage\Documents\SecLog.txt -Append -Width 500 -NoNewline
$L | Format-Table -Property Date, Id, LogonType, LogonProcessName, TargetUserName, IpAddress, IpPort, TargetLogonId, Action, KeywordDisplayName | `
Out-File -FilePath C:\Users\Scomage\Documents\SecLog.txt -Append -Width 500
}
The $L array will be very small so an additional filter loop should be very fast even though the best solution would be to incorporate the filter directly. Any suggestions would be welcome.
CodePudding user response:
I don't know this package; as I understand it, it uses Get-WinEvent in the background. So you could probably use some XML querying instead of what you are doing now. If you are sure that the result array won't be very large, I'd suggest using a simple solution that doesn't require XML.
Simple filtering after retrieving the data could look like this:
$L = Get-Events -LogName 'Security' -Id 4625,4647,4648 -DateFrom $FromDate -DateTo $ToDate `
-NamedDataExcludeFilter @{ 'TargetUserName' = 'System','Network Service','Local Service' } | `
# Filter on the account name (Id is the numeric event ID, so matching it against UMFD/DWM would never exclude anything)
Where-Object { $_.TargetUserName -notmatch "^(UMFD|DWM)" } | `
Sort-Object TimeCreated
Where-Object takes a script block that filters out rows with an Id that starts with UMFD or DWM.
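As an added illustration of the same post-retrieval filtering (not code from the question, the answer, or PSEventViewer), the snippet below wraps the exclusion logic in a pipeline function and runs it over constructed sample objects shaped like the TargetUserName/Id/LogonType fields the question displays, so it can be tried without reading the Security log. The function name, parameter names and sample values are assumptions; the pattern is anchored as `^(UMFD|DWM)-\d+$` so that a real user account whose name merely begins with "DWM" is not silently dropped from the logon review.

```powershell
# Added example (hypothetical helper, not part of PSEventViewer): drop the
# session-window accounts (UMFD-<n>, DWM-<n>) and the fixed system names
# from a stream of logon events, keeping everything else for review.
function Select-UserLogonEvent {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline = $true)] $Event,
        # Exact names the question already excludes via -NamedDataExcludeFilter
        [string[]] $ExcludeExact = @('System', 'Network Service', 'Local Service'),
        # Anchored on both ends: 'DWM-3' is dropped, a user named 'DWMiller' is kept
        [string] $ExcludePattern = '^(UMFD|DWM)-\d+$'
    )
    process {
        $name = [string]$Event.TargetUserName
        if ($ExcludeExact -contains $name) { return }          # -contains is case-insensitive
        if ($name -match $ExcludePattern)  { return }          # -match is case-insensitive too
        $Event                                                  # pass everything else through
    }
}

# Constructed sample rows standing in for Get-Events output (values are made up)
$sampleEvents = @(
    [pscustomobject]@{ Id = 4625; TargetUserName = 'UMFD-0';         LogonType = 2;  IpAddress = '-' }
    [pscustomobject]@{ Id = 4625; TargetUserName = 'DWM-3';          LogonType = 2;  IpAddress = '-' }
    [pscustomobject]@{ Id = 4648; TargetUserName = 'Local Service';  LogonType = 5;  IpAddress = '-' }
    [pscustomobject]@{ Id = 4625; TargetUserName = 'DWMiller';       LogonType = 10; IpAddress = '203.0.113.7' }
    [pscustomobject]@{ Id = 4647; TargetUserName = 'alice';          LogonType = 2;  IpAddress = '-' }
)

# Expected to keep only DWMiller and alice
$kept = $sampleEvents | Select-UserLogonEvent | Sort-Object Id
$kept | Format-Table -Property Id, TargetUserName, LogonType, IpAddress -AutoSize

# To apply it to live data, replace $sampleEvents with the Get-Events call from the answer:
#   Get-Events -LogName 'Security' -Id 4625,4647,4648 -DateFrom $FromDate -DateTo $ToDate |
#       Select-UserLogonEvent | Sort-Object TimeCreated
```

The unanchored pattern from the answer, `^(UMFD|DWM)`, would also have removed the `DWMiller` row, which is the kind of real failed-logon record a reviewer wants to see.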