インターネット上の情報では、event idのみで判定しているケースをよく見かけますが、event id=1は「System time synchronized with the hardware clock.」の場合にも該当するようですので、抽出条件にsourceを加えています。
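# Collect sleep/standby/logon events from the System event log and append them
# to a monthly, per-user CSV, skipping rows that an earlier run already wrote.
#
# The lookup key is "<Source>,<EventID>", not the bare event id, because some
# ids are reused by unrelated sources (id 1 is also emitted for
# "System time synchronized with the hardware clock").
#
# Note: Get-EventLog exists only in Windows PowerShell (5.1 and earlier); on
# PowerShell 7 the replacement is Get-WinEvent.
param(
  # Number of days to look back; negative because it is passed to AddDays().
  [int]$limitDate = -7,
  # Folder that receives the CSV. The script exits silently if it is missing.
  [string]$folderPath = "c:/Users/end0t/tmp"
)

$fileName = "{0}_{1}_detail.csv" -f (Get-Date).ToString("yyyyMM"), $Env:USERNAME
$filePath = Join-Path -Path $folderPath -ChildPath $fileName

# Events to extract: "<Source>,<EventID>" -> label written to the CSV.
$EventMsg = @{
  "Microsoft-Windows-Kernel-Power,42"        = "sleep on"
  "Microsoft-Windows-Kernel-Power,107"       = "sleep off"
  "Microsoft-Windows-Power-Troubleshooter,1" = "sleep off"
  "Microsoft-Windows-Kernel-Power,506"       = "standby on"
  "Microsoft-Windows-Kernel-Power,507"       = "standby off"
  "Microsoft-Windows-Winlogon,7001"          = "windows login"
  "Microsoft-Windows-Winlogon,7002"          = "windows logout"
}

# Do nothing when the output folder does not exist (it is deliberately not created).
if (-not (Test-Path -Path $folderPath)) { return }

$events = Get-EventLog -LogName System -After (Get-Date).AddDays($limitDate) |
  Where-Object { $EventMsg.ContainsKey("$($_.Source),$($_.EventID)") } |
  Select-Object `
    @{ n = 'TimeGenerated'; e = { $_.TimeGenerated.ToString("yyyy/MM/dd HH:mm") } },
    InstanceId,
    @{ n = 'InstanceMsg';   e = { $EventMsg["$($_.Source),$($_.EventID)"] } },
    @{ n = 'User';          e = { [String]$Env:UserName } },
    @{ n = 'Computer';      e = { [String]$Env:COMPUTERNAME } }

# Skip events already present in the CSV. The key combines the timestamp and
# the InstanceId: TimeGenerated is minute-granular and distinct events (e.g.
# 506 and 507) routinely share a minute, so matching on the timestamp alone
# would drop a later event that lands in a minute already recorded.
# A HashSet keeps this O(existing + new) instead of a nested Where-Object scan.
if (Test-Path -Path $filePath) {
  $seen = New-Object 'System.Collections.Generic.HashSet[string]'
  foreach ($row in (Import-Csv -Path $filePath)) {
    [void]$seen.Add("$($row.TimeGenerated)|$($row.InstanceId)")
  }
  $events = @($events | Where-Object {
    -not $seen.Contains("$($_.TimeGenerated)|$($_.InstanceId)")
  })
}

# Append the remaining events, oldest first. The "yyyy/MM/dd HH:mm" format
# sorts correctly as a string. -Encoding Default (the system ANSI code page)
# is kept so new rows match files written by earlier runs. @() guards the
# single-event and no-event cases so .Count is always meaningful.
if (@($events).Count -gt 0) {
  $events |
    Sort-Object -Property TimeGenerated |
    Export-Csv -Path $filePath -Encoding Default -NoTypeInformation -Append
}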
↑こう書くと、↓こう出力
"TimeGenerated","InstanceId","InstanceMsg","Computer","User" "2023/04/14 12:23","507","standby off","LAPTOP-FSIBOAPD","end0t" "2023/04/14 12:17","506","standby on","LAPTOP-FSIBOAPD","end0t" "2023/04/14 11:08","507","standby off","LAPTOP-FSIBOAPD","end0t" "2023/04/14 10:51","506","standby on","LAPTOP-FSIBOAPD","end0t" "2023/04/14 10:51","507","standby off","LAPTOP-FSIBOAPD","end0t" "2023/04/14 10:25","506","standby on","LAPTOP-FSIBOAPD","end0t" "2023/04/14 10:20","507","standby off","LAPTOP-FSIBOAPD","end0t" "2023/04/14 08:51","506","standby on","LAPTOP-FSIBOAPD","end0t" "2023/04/14 08:51","507","standby off","LAPTOP-FSIBOAPD","end0t" "2023/04/14 07:59","506","standby on","LAPTOP-FSIBOAPD","end0t" "2023/04/14 07:46","507","standby off","LAPTOP-FSIBOAPD","end0t" "2023/04/14 06:52","1","sleep off","LAPTOP-FSIBOAPD","end0t" "2023/04/14 06:52","506","standby on","LAPTOP-FSIBOAPD","end0t" "2023/04/14 04:53","1","sleep off","LAPTOP-FSIBOAPD","end0t" "2023/04/14 04:52","507","standby off","LAPTOP-FSIBOAPD","end0t" "2023/04/14 04:52","506","standby on","LAPTOP-FSIBOAPD","end0t" "2023/04/14 04:52","1","sleep off","LAPTOP-FSIBOAPD","end0t" "2023/04/14 00:29","42","sleep on","LAPTOP-FSIBOAPD","end0t" "2023/04/14 00:29","507","standby off","LAPTOP-FSIBOAPD","end0t" "2023/04/13 21:12","506","standby on","LAPTOP-FSIBOAPD","end0t" 【略】