Ordinator
30-09-2014, 14:54
Пытаюсь заставить работать скрипт
[CmdletBinding()]
Param(
[Parameter(Mandatory=$True,Position=1,ParameterSetName='logEvent')][int]$RecordID,
[Parameter(Mandatory=$False,Position=2,ParameterSetName='logEvent')]
[string]$LogPath = "$PSScriptRoot\DeletedFiles.log",
[Parameter(ParameterSetName='install')][switch]$Install
)
if ($Install) {
$service = New-Object -ComObject "Schedule.Service"
$service.Connect("localhost")
$rootFolder = $service.GetFolder("\")
$taskDefinition = $service.NewTask(0)
$taskDefinition.Settings.Enabled = $True
$taskDefinition.Settings.Hidden = $False
$taskDefinition.Settings.MultipleInstances = $True
$taskDefinition.Settings.AllowDemandStart = $False
$taskDefinition.Settings.ExecutionTimeLimit = "PT5M"
$taskDefinition.Principal.RunLevel = 0
$trigger = $taskDefinition.Triggers.Create(0)
$trigger.Subscription = '
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[System[Provider[@Name="Microsoft-Windows-Security-Auditing"] and EventID=4660]]
</Select>
</Query>
</QueryList>'
$trigger.ValueQueries.Create("eventRecordID", "Event/System/EventRecordID")
$Action = $taskDefinition.Actions.Create(0)
$Action.Path = 'PowerShell.exe'
$Action.WorkingDirectory = $PSScriptRoot
$Action.Arguments = '.\' + $MyInvocation.MyCommand.Name + ' $(eventRecordID) ' + $LogPath
$rootFolder.RegisterTaskDefinition("Log Deleted Files", $taskDefinition, 6, 'SYSTEM', $null, 5)
} else {
$XmlQuery="<QueryList>
<Query Id='0' Path='Security'>
<Select Path='Security'>*[System[(EventID=4663) and (EventRecordID=$($RecordID - 1))]]</Select>
</Query>
</QueryList>"
$Event = Get-WinEvent -FilterXml $XmlQuery `
| Select TimeCreated,ID,RecordID,@{n="EventXML";e={([xml]$_.ToXml()).Event.EventData.Data}}`
if (($ObjectName = ($Event.EventXML | where Name -eq "ObjectName").'#text') `
-notmatch ".*tmp$|.*~lock$|.*~$"){
$EventLine = "$($Event.TimeCreated)`t" + "$($Event.RecordID)`t" `
+ ($Event.EventXML | where Name -eq "SubjectUserName").'#text' + "`t" `
+ $ObjectName
if ($ObjectName -match ".*Documents\\Подразделения\\[^\\]*\\"){
$OULogPath = $Matches[0] + '\DeletedFiles.log'
if (!(Test-Path $OULogPath)){
"DeletionDate`tEventID`tUserName`tObjectPath"| Out-File -FilePath $OULogPath
}
$EventLine | Out-File -FilePath $OULogPath -Append
}
if (!(Test-Path $LogPath)){
"DeletionDate`tEventID`tUserName`tObjectPath" | Out-File -FilePath $LogPath }
$EventLine | Out-File -FilePath $LogPath -Append
}
}
из статьи http://habrahabr.ru/post/238469/, на что мне он выдает
PS .\Logd.ps1 $(488697)
Select-Object : Не удается найти позиционный параметр, принимающий аргумент "if".
Logd.ps1:41 знак:11
+ | Select TimeCreated,ID,RecordID,@{n="EventXML";e={([xml]$_.ToXml()).Eve ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Select-Object], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.SelectObjectCommand
я так понимаю где-то проблема в синтаксисе, но найти не могу.
[CmdletBinding()]
Param(
[Parameter(Mandatory=$True,Position=1,ParameterSetName='logEvent')][int]$RecordID,
[Parameter(Mandatory=$False,Position=2,ParameterSetName='logEvent')]
[string]$LogPath = "$PSScriptRoot\DeletedFiles.log",
[Parameter(ParameterSetName='install')][switch]$Install
)
if ($Install) {
$service = New-Object -ComObject "Schedule.Service"
$service.Connect("localhost")
$rootFolder = $service.GetFolder("\")
$taskDefinition = $service.NewTask(0)
$taskDefinition.Settings.Enabled = $True
$taskDefinition.Settings.Hidden = $False
$taskDefinition.Settings.MultipleInstances = $True
$taskDefinition.Settings.AllowDemandStart = $False
$taskDefinition.Settings.ExecutionTimeLimit = "PT5M"
$taskDefinition.Principal.RunLevel = 0
$trigger = $taskDefinition.Triggers.Create(0)
$trigger.Subscription = '
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[System[Provider[@Name="Microsoft-Windows-Security-Auditing"] and EventID=4660]]
</Select>
</Query>
</QueryList>'
$trigger.ValueQueries.Create("eventRecordID", "Event/System/EventRecordID")
$Action = $taskDefinition.Actions.Create(0)
$Action.Path = 'PowerShell.exe'
$Action.WorkingDirectory = $PSScriptRoot
$Action.Arguments = '.\' + $MyInvocation.MyCommand.Name + ' $(eventRecordID) ' + $LogPath
$rootFolder.RegisterTaskDefinition("Log Deleted Files", $taskDefinition, 6, 'SYSTEM', $null, 5)
} else {
$XmlQuery="<QueryList>
<Query Id='0' Path='Security'>
<Select Path='Security'>*[System[(EventID=4663) and (EventRecordID=$($RecordID - 1))]]</Select>
</Query>
</QueryList>"
$Event = Get-WinEvent -FilterXml $XmlQuery `
| Select TimeCreated,ID,RecordID,@{n="EventXML";e={([xml]$_.ToXml()).Event.EventData.Data}}`
if (($ObjectName = ($Event.EventXML | where Name -eq "ObjectName").'#text') `
-notmatch ".*tmp$|.*~lock$|.*~$"){
$EventLine = "$($Event.TimeCreated)`t" + "$($Event.RecordID)`t" `
+ ($Event.EventXML | where Name -eq "SubjectUserName").'#text' + "`t" `
+ $ObjectName
if ($ObjectName -match ".*Documents\\Подразделения\\[^\\]*\\"){
$OULogPath = $Matches[0] + '\DeletedFiles.log'
if (!(Test-Path $OULogPath)){
"DeletionDate`tEventID`tUserName`tObjectPath"| Out-File -FilePath $OULogPath
}
$EventLine | Out-File -FilePath $OULogPath -Append
}
if (!(Test-Path $LogPath)){
"DeletionDate`tEventID`tUserName`tObjectPath" | Out-File -FilePath $LogPath }
$EventLine | Out-File -FilePath $LogPath -Append
}
}
из статьи http://habrahabr.ru/post/238469/, на что мне он выдает
PS .\Logd.ps1 $(488697)
Select-Object : Не удается найти позиционный параметр, принимающий аргумент "if".
Logd.ps1:41 знак:11
+ | Select TimeCreated,ID,RecordID,@{n="EventXML";e={([xml]$_.ToXml()).Eve ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Select-Object], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.SelectObjectCommand
я так понимаю где-то проблема в синтаксисе, но найти не могу.