and*_*dyb 5 powershell event-log get-eventlog
我正在使用get-eventlog来提取和过滤系统事件日志数据.我发现,get-event日志无法正确返回与某些条目相关的消息.这些条目通常出现在事件日志查看器中.例如
get-eventlog -logname system | ? { $_.source -eq "Microsoft-Windows-Kernel-General" }
返回8个条目,所有条目都有以下格式的消息:
The description for Event ID '12' in Source 'Microsoft-Windows-Kernel-General' cannot be found.
The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them.
The following information is part of the event:'6', '1', '7601', '18798', '1', '0', '2015-06-13T08:33:32.359599800Z'
如果我过滤同一来源的系统事件日志,我可以清楚地看到完整形成的消息.例如
The operating system started at system time ?2015?-?06?-?13T08:33:32.359599800Z.
我运行以下命令以查看是否有任何其他提供程序无法返回有效的事件消息:
get-eventlog -LogName system | ? { $_.Message -like "The description for Event ID*" } | Group-Object -Property Source | Select-Object -Property Name
Name
----
Microsoft-Windows-Kernel-General
DCOM
WinRM
Microsoft-Windows-Iphlpsvc
我检查了事件日志查看器,找到了DCOM,WinRM和Iphlpsvc源的相应条目,并确认可以看到正确的消息.
我在管理级PowerShell控制台中运行测试脚本.
有任何想法吗?
编辑:进一步的研究表明,PsLogList似乎也遇到了同样的问题,而WEVTUTIL却没有.
编辑:根据Windos的建议,我尝试了get-winevent.我之前尝试过这个,发现它根本不会返回任何消息数据.我再试一次,发现了同样的结果.然后我试过了
Get-WinEvent -ProviderName "Microsoft-Windows-Kernel-General"
这产生了以下错误
Could not retrieve information about the Microsoft-Windows-Kernel-General provider. Error: The locale specific resource for the desired message is not present.
一个小小的谷歌搜索引导我到' https://p0w3rsh3ll.wordpress.com/2013/12/13/why-does-my-get-winevent-command-fail/ ',他们也遇到了同样的错误信息.他认为这是由于区域设置.我在澳大利亚,所以我在控制面板中的'格式'设置是'英语(澳大利亚)'.我将其更改为"英语(美国)",启动了一个新的PS控制台,确认get-culture我现在在美国并重新运行get-winevent命令.
Get-WinEvent -ProviderName "Microsoft-Windows-Kernel-General" | select-object -property Message
瞧......
Message
-------
The system time has changed to ?2015?-?07?-?12T01:06:52.405000000Z from ?2015?-?07?-?12T01:05:51.764208900Z.
The system time has changed to ?2015?-?07?-?12T01:05:09.671000000Z from ?2015?-?07?-?12T01:04:09.226010500Z.
The system time has changed to ?2015?-?07?-?12T01:03:49.119000000Z from ?2015?-?07?-?12T01:02:48.060593100Z.
The system time has changed to ?2015?-?07?-?12T01:02:32.128000000Z from ?2015?-?07?-?12T01:01:29.610105600Z.
The system time has changed to ?2015?-?06?-?13T08:41:12.267000000Z from ?2015?-?06?-?13T08:41:12.404273100Z.
The operating system started at system time ?2015?-?06?-?13T08:33:32.359599800Z.
The operating system is shutting down at system time ?2015?-?06?-?13T08:33:05.091743100Z.
The system time has changed to ?2015?-?06?-?13T08:32:58.947000000Z from ?2015?-?06?-?13T08:32:58.947959900Z.
可悲的是 - 没有变化 get-eventlog
get-eventlog -logname system | ? { $_.Source -eq "microsoft-windows-kernel-general" } | select-object -property Message
Message
-------
The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer m...
The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer m...
The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer m...
The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer m...
The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer m...
The description for Event ID '12' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer ...
The description for Event ID '13' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer ...
The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer m...
不确定如何或为什么,但看起来如果你选择Get-WinEvent而不是Get-EventLog你会得到你想要的信息。
应该注意的是,当更改命令时,“Source”参数被称为“ProviderName”,因此您的命令将变为:
Get-WinEvent -LogName System | Where { $_.ProviderName -eq 'Microsoft-Windows-Kernel-General' }
| 归档时间: |
|
| 查看次数: |
1878 次 |
| 最近记录: |