Get-WinEvent advanced properties and provider XML template

Time: 2012-08-01 23:26:43

Tags: powershell

I'm trying to get some (advanced?) properties out of the Get-WinEvent command.

I'm using the Windows-Server-Backup events.

I can get both the property data and the XML template, but I can't see a way to tie them together cleanly.

Ultimately, I want a result where I can use event.properties.BackupState or event.properties.NumOfVolumes, etc.

$EventSource = 'Microsoft-Windows-Backup'
$provider = Get-WinEvent -listprovider $EventSource
$ProviderEvent = $provider.events | Where-Object {($_.ID -eq 4) -and ($_.Version -eq 2)}
$ProviderEvent.Template

The block above gives me this result:

<template xmlns="http://schemas.microsoft.com/win/2004/08/events">
   <data name="BackupTemplateID" inType="win:GUID" outType="xs:GUID"/>
   <data name="HRESULT" inType="win:UInt32" outType="xs:unsignedInt"/>
   <data name="BackupState" inType="win:Int32" outType="xs:int"/>
   <data name="BackupTarget" inType="win:UnicodeString" outType="xs:string"/>
   <data name="NumOfVolumes" inType="win:UInt32" outType="xs:unsignedInt"/>
   <data name="BackupTime" inType="win:FILETIME" outType="xs:dateTime"/>
   <data name="HRESULT2" inType="win:UInt32" outType="xs:unsignedInt"/>
   <data name="VolumesInfo" inType="win:UnicodeString" outType="xs:string"/>
   <data name="DetailedHRESULT" inType="win:UInt32" outType="xs:unsignedInt"/>
   <data name="SourceSnapStartTime" inType="win:FILETIME" outType="xs:dateTime"/>
   <data name="SourceSnapEndTime" inType="win:FILETIME" outType="xs:dateTime"/>
   <data name="PrepareBackupStartTime" inType="win:UnicodeString" outType="xs:string"/>
   <data name="PrepareBackupEndTime" inType="win:UnicodeString" outType="xs:string"/>
   <data name="BackupWriteStartTime" inType="win:UnicodeString" outType="xs:string"/>
   <data name="BackupWriteEndTime" inType="win:UnicodeString" outType="xs:string"/>
   <data name="TargetSnapStartTime" inType="win:FILETIME" outType="xs:dateTime"/>
   <data name="TargetSnapEndTime" inType="win:FILETIME" outType="xs:dateTime"/>
   <data name="DVDFormatStartTime" inType="win:UnicodeString" outType="xs:string"/>
   <data name="DVDFormatEndTime" inType="win:UnicodeString" outType="xs:string"/>
   <data name="MediaVerifyStartTime" inType="win:UnicodeString" outType="xs:string"/>
   <data name="MediaVerifyEndTime" inType="win:UnicodeString" outType="xs:string"/>
   <data name="BackupPreviousState" inType="win:Int32" outType="xs:int"/>
   <data name="ComponentStatus" inType="win:UnicodeString" outType="xs:string"/>
   <data name="SSBEnumerateStartTime" inType="win:FILETIME" outType="xs:dateTime"/>
   <data name="SSBEnumerateEndTime" inType="win:FILETIME" outType="xs:dateTime"/>
   <data name="SSBVhdCreationStartTime" inType="win:FILETIME" outType="xs:dateTime"/>
   <data name="SSBVhdCreationEndTime" inType="win:FILETIME" outType="xs:dateTime"/>
   <data name="SSBBackupStartTime" inType="win:FILETIME" outType="xs:dateTime"/>
   <data name="SSBBackupEndTime" inType="win:FILETIME" outType="xs:dateTime"/>
   <data name="SystemStateBackup" inType="win:UnicodeString" outType="xs:string"/>
   <data name="BMR" inType="win:Boolean" outType="xs:boolean"/>
   <data name="VssFullBackup" inType="win:Boolean" outType="xs:boolean"/>
   <data name="UserInputBMR" inType="win:Boolean" outType="xs:boolean"/>
   <data name="UserInputSSB" inType="win:Boolean" outType="xs:boolean"/>
   <data name="BackupSuccessLogPath" inType="win:UnicodeString" outType="xs:string"/>
   <data name="BackupFailureLogPath" inType="win:UnicodeString" outType="xs:string"/>
   <data name="EnumerateBackupStartTime" inType="win:UnicodeString" outType="xs:string"/>
   <data name="EnumerateBackupEndTime" inType="win:UnicodeString" outType="xs:string"/>
   <data name="PruneBackupStartTime" inType="win:UnicodeString" outType="xs:string"/>
   <data name="PruneBackupEndTime" inType="win:UnicodeString" outType="xs:string"/>
</template>

Expanding the relevant event gets the data:

$event2 | Select-Object -ExpandProperty properties

Value
-----
8ff4875f-defb-4f0c-bfda-8ab38fc58f07
0
14
IT-BTes 2012_07_26 08:05 DISK_01
1
1/08/2012 10:30:02 AM
0
<VolumeInfo><VolumeInfoItem Name="E:" OriginalAccessPath="E:" State="14" HResult="0"     DetailedHResult="0" PreviousState="9" IsCritical
0
1/08/2012 10:30:02 AM
1/08/2012 10:30:05 AM
<TimesList><Time Time="2012-08-01T00:30:07.234Z" /></TimesList>
<TimesList><Time Time="2012-08-01T00:30:07.234Z" /></TimesList>
<TimesList><Time Time="2012-08-01T00:30:07.234Z" /></TimesList>
<TimesList><Time Time="2012-08-01T00:30:07.906Z" /></TimesList>
1/08/2012 10:30:09 AM
1/08/2012 10:30:09 AM
<TimesList></TimesList>
<TimesList></TimesList>
<TimesList></TimesList>
<TimesList></TimesList>
11
<ComponentStatus></ComponentStatus>
1/01/1601 11:00:00 AM
1/01/1601 11:00:00 AM
1/01/1601 11:00:00 AM
1/01/1601 11:00:00 AM
1/01/1601 11:00:00 AM
1/01/1601 11:00:00 AM
<SystemState IsPresent="0" HResult="0" DetailedHResult="0" />
False
False
False
False


<TimesList><Time Time="1601-01-01T00:00:00.000Z" /></TimesList>
<TimesList><Time Time="1601-01-01T00:00:00.000Z" /></TimesList>
<TimesList><Time Time="1601-01-01T00:00:00.000Z" /></TimesList>
<TimesList><Time Time="1601-01-01T00:00:00.000Z" /></TimesList>

1 answer:

Answer 0 (score: 1)

Try this:

$a = [xml]$event2.toxml()
$a.Event.EventData.Data
$guid = $a.Event.EventData.Data | where {$_.name -eq "BackupTemplateID"}
$guid.InnerText
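The answer's ToXml approach names each value per event; the question also asked to bind the provider template to the positional Properties list, which is what this added example does (not code from the question or the answer). It assumes the Id 4 / Version 2 template from the question, and the function name and the constructed three-field sample are mine.

```powershell
# Added example: bind the provider template's <data name="..."> entries, in order,
# to the positional values in an event's Properties, so the result can be read
# as $named.BackupState or $named.NumOfVolumes.
function ConvertTo-NamedEventProperties {
    param(
        [Parameter(Mandatory=$true)][string]$TemplateXml,   # $ProviderEvent.Template
        [Parameter(Mandatory=$true)][AllowEmptyCollection()][object[]]$Values  # $record.Properties.Value
    )
    $xml = [xml]$TemplateXml
    # GetAttribute avoids any ambiguity between the 'name' attribute and XmlElement.Name
    $names = @($xml.template.data | ForEach-Object { $_.GetAttribute('name') })
    # Template and event must match on Id *and* Version or the positional mapping
    # is silently wrong; a field-count mismatch is the cheap first check.
    if ($names.Count -ne $Values.Count) {
        throw "Template has $($names.Count) fields but event has $($Values.Count) values; check event Id/Version."
    }
    $props = [ordered]@{}
    for ($i = 0; $i -lt $names.Count; $i++) { $props[$names[$i]] = $Values[$i] }
    [pscustomobject]$props
}

# Constructed sample (three fields copied from the template in the question) so
# the function can be exercised offline, without the Backup provider present.
$sampleTemplate = @'
<template xmlns="http://schemas.microsoft.com/win/2004/08/events">
  <data name="BackupState" inType="win:Int32" outType="xs:int"/>
  <data name="BackupTarget" inType="win:UnicodeString" outType="xs:string"/>
  <data name="NumOfVolumes" inType="win:UInt32" outType="xs:unsignedInt"/>
</template>
'@
$sample = ConvertTo-NamedEventProperties -TemplateXml $sampleTemplate `
          -Values @(14, 'IT-BTes 2012_07_26 08:05 DISK_01', 1)
$sample | Format-List

# Live use on a host with Windows Server Backup (assumes an Id 4 event from the
# Microsoft-Windows-Backup provider exists in the log).
if (Get-Command Get-WinEvent -ErrorAction SilentlyContinue) {
    $provider = Get-WinEvent -ListProvider 'Microsoft-Windows-Backup'
    $record   = Get-WinEvent -FilterHashtable @{ ProviderName = 'Microsoft-Windows-Backup'; Id = 4 } -MaxEvents 1
    $template = ($provider.Events |
        Where-Object { $_.Id -eq $record.Id -and $_.Version -eq $record.Version }).Template
    $named = ConvertTo-NamedEventProperties -TemplateXml $template -Values @($record.Properties.Value)
    $named.BackupState
}
```

FILETIME fields that come back as 1/01/1601 are the FILETIME zero value, i.e. the timestamp was never set, so treat them as absent rather than as a real date when alerting on backup state.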