用powershell获取sysmon日志

想用powershell获取sysmon日志还是比较麻烦，开始以为用Get-EventLog就行，结果试了半天报错：PS D:&gt; Get-EventLog -LogName Microsoft-Windows-Sysmon/Operational -Newest 20Get-EventLog : 计算机“.”上的事件日志“Microsoft-Windows-Sysmon/Operational”不存在。所在位置 行:1 字符: 1+ Get-EventLog -LogName Microsoft-Windows-Sysmon/Operational -Newest 20+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Get-EventLog], InvalidOperationException + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetEventLogCommand上网发现大家都是用的 Get-WinEvent，看了下帮助文档，这个Cmdlet可以获取所有本地和远程计算机的日志，使用-ListLog *可以获取当前主机的所有类型的日志PS C:&gt; Get-WinEvent -ListLog *LogMode MaximumSizeInBytes RecordCount LogName——- —————— ———– ——-Circular 20971520 24186 ApplicationCircular 20971520 0 HardwareEventsCircular 1052672 0 Internet ExplorerCircular 20971520 0 Key Management ServiceCircular 1052672 117 OAlertsCircular 1052672 0 PreEmptiveCircular 20971520 25272 SecurityCircular 20971520 13277 SystemCircular 15728640 4381 Windows PowerShellCircular 1052672 0 AMSI/OperationalCircular 20971520 ForwardedEventsCircular 1052672 200 Lenovo-Power-BaseModule/OperationalCircular 10485760 0 Microsoft-AppV-Client/AdminCircular 10485760 0 Microsoft-AppV-Client/OperationalCircular 10485760 0 Microsoft-AppV-Client/Virtual ApplicationsCircular 1052672 2103 Microsoft-Client-Licensing-Platform/AdminCircular 1052672 Microsoft-Management-UI/AdminCircular 1052672 0 Microsoft-Rdms-UI/AdminCircular 1052672 0 Microsoft-Rdms-UI/OperationalCircular 1052672 0 Microsoft-User Experience Virtualization-Agent ……根据网上的例子，使用哈希表同时指定日志类型和事件ID，可以查询sysmon的某类ID的事件日志PS C:&gt; Get-WinEvent -FilterHashtable @{logname=‘Microsoft-Windows-Sysmon/Operational’;id=17} -MaxEvents 10 ProviderName:Microsoft-Windows-SysmonTimeCreated Id LevelDisplayName Message———– – —————- ——-2019/4/1 22:23:35 17 信息 Pipe Created:…2019/4/1 22:23:35 17 信息 Pipe Created:…2019/4/1 22:23:35 17 信息 Pipe Created:…2019/4/1 22:23:34 17 信息 Pipe Created:…2019/4/1 22:23:34 17 信息 Pipe Created:…2019/4/1 22:23:34 17 信息 Pipe Created:…2019/4/1 22:23:33 17 信息 Pipe Created:…2019/4/1 22:23:33 17 信息 Pipe Created:…2019/4/1 22:23:33 17 信息 Pipe Created:…2019/4/1 22:23:33 17 信息 Pipe Created:…接下来我希望获取日志中的其他消息，想到使用 Format-Table指定属性的方法，首先我查询到sysmon的事件ID为17的日志中的属性有：RuleName，UtcTime，ProcessGuid，ProcessId，PipeName，Image，然后用指定属性输出：PS C:&gt; Get-WinEvent -FilterHashtable @{logname=‘Microsoft-Windows-Sysmon/Operational’;id=17} -MaxEvents 10 | Format-Table -Property UtcTime,processguid, processid,pipename,image -AutoSize -WrapUtcTime processguid ProcessId pipename image——- ———– ——— ——– —– 4140 4140 4140 4140 4140 4140 4140 4140 4140 4140但是发现只有一个ProcessId有值，其他都为空！这就很奇怪。然后使用Format-List *获取一下日志的属性都有什么：PS C:&gt; Get-WinEvent -FilterHashtable @{logname=‘Microsoft-Windows-Sysmon/Operational’;id=17} -MaxEvents 10 | Format-List *Message : Pipe Created: RuleName: UtcTime: 2019-04-01 14:23:35.814 ProcessGuid: {791A80C2-1EE7-5CA2-0000-0010E60FF000} ProcessId: 6724 PipeName: <Anonymous Pipe> Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeId : 17Version : 1Qualifiers :Level : 4Task : 17Opcode : 0Keywords : -9223372036854775808RecordId : 113253ProviderName : Microsoft-Windows-SysmonProviderId : 5770385f-c22a-43e0-bf4c-06f5698ffbd9LogName : Microsoft-Windows-Sysmon/OperationalProcessId : 4140ThreadId : 6228MachineName : DESKTOP-DKGHJUNUserId : S-1-5-18TimeCreated : 2019/4/1 22:23:35ActivityId :RelatedActivityId :ContainerLog : Microsoft-Windows-Sysmon/OperationalMatchedQueryIds : {}Bookmark : System.Diagnostics.Eventing.Reader.EventBookmarkLevelDisplayName : 信息OpcodeDisplayName : 信息TaskDisplayName : Pipe Created (rule: PipeEvent)KeywordsDisplayNames : {}Properties : {System.Diagnostics.Eventing.Reader.EventProperty, System.Diagnostics.Eventing.Reader.EventProperty, System.Diagnostics.Eventing.Reader.EventProperty, System.Diagnostics.Eventing.Reader.EventProperty…}……结果发现日志的信息都在Message里面，连显示的进程ID都是错的。知道原因了，也就是说获取sysmon的日志信息的话只需要显示一条Message就够了。PS C:&gt; Get-WinEvent -FilterHashtable @{logname=‘Microsoft-Windows-Sysmon/Operational’;id=17} -MaxEvents 10 | Format-Table -Property message -WrapMessage——-Pipe Created:RuleName:UtcTime: 2019-04-01 14:23:35.814ProcessGuid: {791A80C2-1EE7-5CA2-0000-0010E60FF000}ProcessId: 6724PipeName: <Anonymous Pipe>Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exePipe Created:RuleName:UtcTime: 2019-04-01 14:23:35.751ProcessGuid: {791A80C2-1EE7-5CA2-0000-00108D0AF000}ProcessId: 856PipeName: <Anonymous Pipe>Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exePipe Created:但是这种结果并不利于查看，需要在前面添加几列信息，让每一条结果能显示的更易于区分。通过Format-List *查看有哪些属性是比较有用的，这次选择ID，TaskDisplayName这两项：PS C:&gt; Get-WinEvent -FilterHashtable @{logname=‘Microsoft-Windows-Sysmon/Operational’;id=17} -MaxEvents 5 | Format-Table -Property ID,TaskDisplayName,message -WrapId TaskDisplayName Message– ————— ——-17 Pipe Created (rule: PipeEvent) Pipe Created: RuleName: UtcTime: 2019-04-01 14:23:35.814 ProcessGuid: {791A80C2-1EE7-5CA2-0000-0010E60FF000} ProcessId: 6724 PipeName: <Anonymous Pipe> Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe17 Pipe Created (rule: PipeEvent) Pipe Created: RuleName: UtcTime: 2019-04-01 14:23:35.751 ProcessGuid: {791A80C2-1EE7-5CA2-0000-00108D0AF000} ProcessId: 856 PipeName: <Anonymous Pipe> Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe17 Pipe Created (rule: PipeEvent) Pipe Created: RuleName: UtcTime: 2019-04-01 14:23:35.353 ProcessGuid: {791A80C2-1EE7-5CA2-0000-00103F04F000} ProcessId: 10636 PipeName: <Anonymous Pipe> Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe……但是这个结果也不好，因为获取到某个ID的日志后不能继续搜索了。遗留了两个问题：Get-EventLog和Get-WinEvent两个cmdlet的差异在哪里？如何进一步筛选sysmon日志？