if($code -eq 1)
{
$loginType=cut-string $message '登录类型:' '新登录:'
$loginType=$loginType -replace('登录类型:','')
$loginType=$loginType -replace('   ','')
if($loginType -eq 4)
{
break
}
}
$processInfo=cut-string $message '进程名:' '网络信息:'
$processInfo=$processInfo -replace('进程名:  ','')
$message=cut-string $message '新登录' '详细身份验证信息'
$loginName=cut-string $message '帐户名:' '帐户域:'
$loginName=$loginName -replace('帐户名:','')
$loginIp=cut-string $message '源网络地址:' '源端口:'
$loginIp=$loginIp -replace('源网络地址:','')
$ip=get-serverip
$loginedName=get_login_user
$Body="<table width='700' border='1' cellpadding='0' cellspacing='0' style='font-size:13px;'>
<tr  style='background:#39F'>
<td>服务器</td>
<td>登录账号</td>
<td>进程</td>
<td>登录时间</td>
<td>客户端IP</td>
<td>已登录账号</td>
</tr>
<tr>
<td>$ip</td>
<td>$loginName</td>
<td>$processInfo</td>
<td>$time</td>
<td>$loginIp</td>
<td>$loginedName</td>
</tr>
</table>"
try
{
Send-Mail "Login on $ip" $Body
}
catch
{
ac -Path c:UserNotice.log -Value "[ $time Login] $error[0]"
}
}
#endregion
#region Cancel-Succ-Notice 注销登录事件
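function Cancel-Succ-Notice
{
    <#
    .SYNOPSIS
    Mails a notice for the newest logoff event (Security ID 4634) found among the last 10 Security events.
    .DESCRIPTION
    Looks at the 10 newest Security-log events, keeps the first one with ID 4634, pulls the
    account name out of the (Chinese-localized) message text with cut-string, and sends an
    HTML table through Send-Mail. A Send-Mail failure is appended to c:UserNotice.log
    instead of being re-thrown. Uses cut-string, get-serverip, get_login_user and Send-Mail,
    which are defined elsewhere in this script.
    .OUTPUTS
    None. Returns without mailing when no 4634 event is among the 10 newest events.
    #>
    function ConvertTo-SafeCell([string]$text)
    {
        # Minimal HTML escaping for the characters that could break out of a table cell;
        # no assembly load needed, so it works wherever Get-WinEvent does.
        return $text.Replace('&', '&amp;').Replace('<', '&lt;').Replace('>', '&gt;').Replace('"', '&quot;').Replace("'", '&#39;')
    }

    # Only the 10 newest events are inspected (original behaviour, kept): a burst of other
    # Security events can push the logoff out of that window, in which case nothing is sent.
    $cancelInfo = Get-WinEvent -LogName Security -MaxEvents 10 |
        Where-Object { $_.Id -eq 4634 } |
        Select-Object -First 1 TimeCreated, Message

    # $null on the left: "$collection -eq $null" filters the collection instead of testing it.
    if ($null -eq $cancelInfo)
    {
        # The original used 'break' here; outside a loop that unwinds into the caller's loop
        # (or ends the script). 'return' leaves only this function.
        return
    }

    $time    = $cancelInfo.TimeCreated
    $message = $cancelInfo.Message

    # Field markers are the Chinese-localized labels of the 4634 message; on another UI
    # language cut-string finds no match.
    $cancelName = cut-string $message '帐户名:' '帐户域:'
    $cancelName = $cancelName -replace '帐户名:', ''

    $ip          = get-serverip
    $loginedName = get_login_user

    # Account names are taken from the event text, i.e. chosen by whoever created the account;
    # escape them before embedding in an HTML mail body.
    $safeCancelName  = ConvertTo-SafeCell $cancelName
    $safeLoginedName = ConvertTo-SafeCell $loginedName

    $Body = @"
<table width='700' border='1' cellpadding='0' cellspacing='0' style='font-size:13px;'>
<tr  style='background:#39F'>
<td>服务器</td>
<td>注销账号</td>
<td>注销时间</td>
<td>未注销账号</td>
</tr>
<tr>
<td>$ip</td>
<td>$safeCancelName</td>
<td>$time</td>
<td>$safeLoginedName</td>
</tr>
</table>
"@

    try
    {
        Send-Mail "Cancel on $ip" $Body
    }
    catch
    {
        # The original logged "$error[0]", which expands the whole $Error collection followed by a
        # literal "[0]"; $_ is the error that was caught.
        # NOTE(review): log path 'c:UserNotice.log' kept verbatim from the original; it has no
        # separator after the drive letter, so it resolves relative to the current directory on C: — confirm.
        Add-Content -Path c:UserNotice.log -Value "[ $time Cancel] $_"
    }
}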
#endregion
#region Create-User-Notice 新增账号事件
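function Create-User-Notice
{
    <#
    .SYNOPSIS
    Mails a notice for the newest account-creation event (Security ID 4722) found among the last 10 Security events.
    .DESCRIPTION
    Looks at the 10 newest Security-log events, keeps the first one with ID 4722, extracts the
    operating account (text between '主题:' and '目标帐户:') and the created account (text from
    '目标帐户:' onward) with cut-string, and sends an HTML table through Send-Mail. A Send-Mail
    failure is appended to c:UserNotice.log instead of being re-thrown. Uses cut-string,
    get-serverip, get_login_user and Send-Mail, which are defined elsewhere in this script.
    .OUTPUTS
    None. Returns without mailing when no 4722 event is among the 10 newest events or the
    message does not contain the '目标帐户:' section.
    #>
    function ConvertTo-SafeCell([string]$text)
    {
        # Minimal HTML escaping for the characters that could break out of a table cell;
        # no assembly load needed, so it works wherever Get-WinEvent does.
        return $text.Replace('&', '&amp;').Replace('<', '&lt;').Replace('>', '&gt;').Replace('"', '&quot;').Replace("'", '&#39;')
    }

    # Only the 10 newest events are inspected (original behaviour, kept): a burst of other
    # Security events can push the 4722 out of that window, in which case nothing is sent.
    $userinfo = Get-WinEvent -LogName Security -MaxEvents 10 |
        Where-Object { $_.Id -eq 4722 } |
        Select-Object -First 1 TimeCreated, Message

    # $null on the left: "$collection -eq $null" filters the collection instead of testing it.
    if ($null -eq $userinfo)
    {
        # The original used 'break' here; outside a loop that unwinds into the caller's loop
        # (or ends the script). 'return' leaves only this function.
        return
    }

    $time    = $userinfo.TimeCreated
    $message = $userinfo.Message

    # Field markers are the Chinese-localized labels of the 4722 message; the operating account
    # sits in the '主题:' section, which precedes '目标帐户:'.
    $operateUser = cut-string $message '主题:' '目标帐户:'
    $operateUser = cut-string $operateUser '帐户名:' '帐户域:'
    $operateUser = $operateUser -replace '帐户名:', ''

    $targetIndex = $message.IndexOf('目标帐户:')
    if ($targetIndex -lt 0)
    {
        # Message is not in the expected layout (e.g. other UI language); String.Substring would
        # throw an ArgumentOutOfRangeException here, so record it and stop instead.
        Add-Content -Path c:UserNotice.log -Value "[ $time AddUser] '目标帐户:' section not found in event message"
        return
    }
    $addUser = $message.Substring($targetIndex)
    $addUser = cut-string $addUser '帐户名:' '帐户域:'
    $addUser = $addUser -replace '帐户名:', ''

    $ip          = get-serverip
    $loginedUser = get_login_user

    # The created account's name is chosen by whoever created it and the operator name comes
    # from the same event text; escape both before embedding in an HTML mail body.
    $safeOperateUser = ConvertTo-SafeCell $operateUser
    $safeAddUser     = ConvertTo-SafeCell $addUser
    $safeLoginedUser = ConvertTo-SafeCell $loginedUser

    $Body = @"
<table width='700' border='1' cellpadding='0' cellspacing='0' style='font-size:13px;'>
<tr  style='background:#39F'>
<td>服务器</td>
<td>操作账号</td>
<td>被添加账号</td>
<td>操作时间</td>
<td>已登录账号</td>
</tr>
<tr>
<td>$ip</td>
<td>$safeOperateUser</td>
<td>$safeAddUser</td>
<td>$time</td>
<td>$safeLoginedUser</td>
</tr>
</table>
"@

    try
    {
        Send-Mail "AddUser on $ip" $Body
    }
    catch
    {
        # The original logged "$error[0]", which expands the whole $Error collection followed by a
        # literal "[0]"; $_ is the error that was caught.
        # NOTE(review): log path 'c:UserNotice.log' kept verbatim from the original; it has no
        # separator after the drive letter, so it resolves relative to the current directory on C: — confirm.
        Add-Content -Path c:UserNotice.log -Value "[ $time AddUser] $_"
    }
}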
#endregion
#region Delete-User-Notice 删除账号事件
function Delete-User-Notice{
$userInfo=Get-WinEvent -logname security -maxevents 10 | ? {$_.id -eq 4726} | select timecreated,message
if($userinfo -eq $null)
{
break
}
if(($userinfo.gettype()).isarray)
{
$time=$userinfo[0].timecreated
$message=$userinfo[0].message
}
else
{
$time=$userinfo.timecreated
$message=$userinfo.message
}