Monitoring the Security log for a given Event ID with PowerShell

Time: 2013-02-22 10:18:13

Tags: powershell monitor event-id

I want to use PowerShell to monitor the "Security" log on a list of Windows Server 2003 and 2008 servers for a specific Event ID. So far I have used this:

# one hostname per line
$servers = Get-Content c:\temp\servers.txt
foreach ($server in $servers)
{
    # subscribe to newly written Security-log entries with Event ID 529 on this server
    $Query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.LogFile = 'Security' AND TargetInstance.EventCode = '529'"

    # the -Action block runs in the event job's own scope, so $server from the loop is not
    # visible there; the subscription's SourceIdentifier carries the server name instead
    Register-WmiEvent -ComputerName $server -Query $Query -SourceIdentifier "$server" -Action {
        Write-Host "The following Event ID of 529 has been found in the Security log on $($Event.SourceIdentifier)"
    }
}

But how do I get the timestamp of the log entry, and, if one exists, only the newest one?
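The event-driven approach from the question can report the timestamp directly, because the WMI event that fires carries the new Win32_NTLogEvent instance. The script below is an added example, not code from the original post; it assumes c:\temp\servers.txt lists one hostname per line and that the account running it has remote WMI (DCOM) access to every server. The `sec-` prefix on the subscription names is an arbitrary choice so that the subscriptions can be cleaned up as a group.

```powershell
# Added example: watch the Security log on several servers for one Event ID and
# print each hit with the timestamp taken from the WMI event itself.
# Assumptions: c:\temp\servers.txt holds one hostname per line; remote WMI is allowed.

$eventId = 529   # Windows Server 2003: logon failure, unknown user name or bad password
$servers = Get-Content 'c:\temp\servers.txt'

foreach ($server in $servers) {
    $query = "SELECT * FROM __InstanceCreationEvent " +
             "WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
             "AND TargetInstance.LogFile = 'Security' " +
             "AND TargetInstance.EventCode = $eventId"

    # The -Action block runs in the event job's own scope, so $server from the loop
    # is not available there; read everything from the event that fired instead.
    Register-WmiEvent -ComputerName $server -Query $query -SourceIdentifier "sec-$server" -Action {
        $entry = $Event.SourceEventArgs.NewEvent.TargetInstance

        # Win32_NTLogEvent.TimeGenerated is a DMTF date string (yyyymmddHHMMSS.ffffff+UUU),
        # so convert it to [datetime] before printing or comparing it.
        $when = [System.Management.ManagementDateTimeConverter]::ToDateTime($entry.TimeGenerated)

        Write-Host ("{0:yyyy-MM-dd HH:mm:ss}  {1}  EventID {2}  record {3}" -f `
            $when, $entry.ComputerName, $entry.EventCode, $entry.RecordNumber)
    } | Out-Null
}

# Subscriptions only live as long as this session, so keep it running.
Write-Host "Watching $($servers.Count) server(s) for Event ID $eventId. Press Ctrl+C to stop."
while ($true) { Start-Sleep -Seconds 60 }

# Cleanup, to be run when the watch is no longer needed:
# Get-EventSubscriber | Where-Object { $_.SourceIdentifier -like 'sec-*' } | Unregister-Event
```

Because each subscription is tied to the PowerShell process, this is only useful from a session that stays open (an interactive console or a service wrapper); for an unattended check that just wants the newest occurrence, polling with Get-EventLog, as in the accepted answer, is the simpler design.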

3 answers:

Answer 0: (score: 2)

Forget WMI. Use Get-EventLog.

[string[]]$Servers = @("server1","server2")
Get-EventLog -LogName Security -ComputerName $Servers -Newest 1 -InstanceId 529 | select EventID,TimeGenerated,MachineName
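Passing the whole server list to one Get-EventLog call works, but a single unreachable server then fails the whole command, and a server that has never logged the event produces a "No matches found" error rather than an empty result. The following is an added example, not part of the original answer, that polls each server separately, keeps the newest matching entry's timestamp, and distinguishes "never logged" from "could not query". It assumes c:\temp\servers.txt lists one hostname per line and that the Remote Registry/RPC access Get-EventLog needs is permitted; the function and parameter names are invented for this example.

```powershell
# Added example: report the newest Security-log entry with a given Event ID per server.
# Assumptions: c:\temp\servers.txt holds one hostname per line; remote event-log access works.
param(
    [int]$EventId = 529,
    [string]$ServerList = 'c:\temp\servers.txt'
)

function Get-NewestSecurityEvent {
    param([string]$ComputerName, [int]$Id)

    # -InstanceId filters on the server side and -Newest 1 stops after the first match,
    # so this does not pull the whole log over the wire.
    $entry = Get-EventLog -LogName Security -ComputerName $ComputerName `
                          -InstanceId $Id -Newest 1 `
                          -ErrorAction SilentlyContinue -ErrorVariable queryError

    if ($entry) {
        $status = 'Found'
        $when   = $entry.TimeGenerated      # already a [datetime] with Get-EventLog
    } elseif ($queryError -and $queryError[0].Exception.Message -match 'No matches found') {
        $status = 'NotLogged'               # Get-EventLog's error text when nothing matches
        $when   = $null
    } else {
        $status = 'Error: ' + $queryError[0].Exception.Message
        $when   = $null
    }

    # New-Object PSObject keeps this usable on PowerShell 2.0 (no [pscustomobject] cast)
    New-Object PSObject -Property @{
        Server    = $ComputerName
        EventID   = $Id
        Newest    = $when
        Status    = $status
    }
}

$results = foreach ($server in (Get-Content $ServerList)) {
    Get-NewestSecurityEvent -ComputerName $server -Id $EventId
}

# Newest occurrences first; servers with no entry or an error sort to the bottom.
$results | Sort-Object Newest -Descending | Format-Table Server, EventID, Newest, Status -AutoSize

# Optional: keep a record for comparison with the next run.
$results | Export-Csv -Path "security-event-$EventId-report.csv" -NoTypeInformation
```

Running this on a schedule and diffing the CSV against the previous run gives a cheap "has this event appeared since last time" check without leaving a PowerShell session open for WMI subscriptions.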

Answer 1: (score: 0)

Keep it simple:

$servers = gc c:\temp\servers.txt
foreach ($server in $servers)
{
    # note: this reads the entire Security log from each server and filters on the client side
    $events = Get-EventLog -ComputerName $server -LogName "Security" | Where-Object {$_.EventID -eq "529"}
    if ($events -ne $null)
    {
        foreach ($event in $events)
        {
            $event.TimeGenerated
        }
    }
}

Answer 2: (score: 0)