This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(112.00000000000001, 26%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPF%3C/text%3E%3C/svg%3E)
I am thinking of excluding an user from the script below, meaning excluding the "SRV08$" , may you please assist me on how I can update the following script to achieve this:
$hosts = @(
'LOCALHOST'
)
foreach ($servidor in $hosts) {
$LogFilter = @{
LogName = 'SECURITY'
ID = 4663
}
$entradas = Get-WinEvent -FilterHashtable $LogFilter -ComputerName $servidor
$entradas | Foreach {
$entrada = [xml]$_.ToXml()
[array]$saida += New-Object PSObject -Property @{
DATA_HORA = $_.TimeCreated
USUARIO = $entrada.Event.EventData.Data[1]."#text"
ARQUIVO = $entrada.Event.EventData.Data[6]."#text"
EventID = $entrada.Event.System.EventID
HOST = $servidor
}
}
}
$exportar += $saida | Select DATA_HORA, USUARIO, ARQUIVO, @{Name='STATUS';Expression={
if ($_.EventID -eq '4663'){"DELETADO"}
}
}
$data = (Get-Date -Format d) -replace "/", "-"
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 74%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
Try this:
$hosts = @(
'LOCALHOST'
)
$LogFilter = @{
LogName = 'SECURITY'
ID = 4663
}
$exportar = $hosts |
ForEach-Object{
$servidor = $_
Get-WinEvent -FilterHashtable $LogFilter -ComputerName $_
ForEach-Object{
$entrada = [xml]$_.ToXml()
[PSCustomObject]@{
DATA_HORA = $entrada.event.System.TimeCreated.SystemTime
USUARIO = $entrada.Event.EventData.Data[1]."#text"
ARQUIVO = $entrada.Event.EventData.Data[6]."#text"
EventID = $entrada.Event.System.EventID
HOST = $servidor
}
} |
Where-Object {$_.USARIO -ne "SRV08$"} |
Select-Object DATA_HORA, USUARIO, ARQUIVO, @{Name = 'STATUS'; Expression = {if ($_.EventID -eq '4663') { "DELETADO" }}}
}
$data = (Get-Date -Format d) -replace "/", "-"
Thank you for answering. I don't understand why it didn't work. When running the script, the following error occurs.
Select-Object : A positional parameter cannot be found that accepts argument 'System.Object[]'.
At C:\Users***.ps1:25 char:34
There was error on line #25. When I produced the code I meant to replace the "select" in your original code but, instead, added "Select-Object" in front of it, leaving the original "select" in place.
I corrected the error in the code sample in my earlier answer.
In addition, I corrected the code to correctly get the time of the event (on line #17). It was incorrect in your original example.
Thanks, you are amazing!