I am using get-eventlog to extract and filter System event log data. What I have found is that get-eventlog does not correctly return the Message associated with certain entries. These entries appear normally in Event Viewer. E.g.
get-eventlog -logname system | ? { $_.source -eq "Microsoft-Windows-Kernel-General" }
returns 8 entries, all of which have a message in the following format:
The description for Event ID '12' in Source 'Microsoft-Windows-Kernel-General' cannot be found.
The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them.
The following information is part of the event:'6', '1', '7601', '18798', '1', '0', '2015-06-13T08:33:32.359599800Z'
If I filter the System event log on the same source, I can clearly see the fully formatted message. E.g.
The operating system started at system time 2015-06-13T08:33:32.359599800Z.
I ran the following to see whether any other providers fail to return a valid event message:
get-eventlog -LogName system | ? { $_.Message -like "The description for Event ID*" } | Group-Object -Property Source | Select-Object -Property Name
Name
----
Microsoft-Windows-Kernel-General
DCOM
WinRM
Microsoft-Windows-Iphlpsvc
I checked Event Viewer, found the corresponding entries for the DCOM, WinRM and Iphlpsvc sources, and confirmed that the correct messages are visible there.
I have been running the test scripts in an administrator-level PowerShell console.
Any ideas?
EDIT: Further research indicates that PsLogList appears to suffer from the same problem, whereas WEVTUTIL does not.
EDIT: Following Windos's suggestion, I tried get-winevent. I had tried this before and found that it returned no message data at all. I tried it again and got the same result. I then tried
Get-WinEvent -ProviderName "Microsoft-Windows-Kernel-General"
which produced the following error
Could not retrieve information about the Microsoft-Windows-Kernel-General provider. Error: The locale specific resource for the desired message is not present.
A little Googling led me to https://p0w3rsh3ll.wordpress.com/2013/12/13/why-does-my-get-winevent-command-fail/ where someone had run into the same error message. He put it down to the locale setting. I am in Australia, so my 'Format' setting in Control Panel was 'English (Australia)'. I changed it to 'English (United States)', started a new PS console, confirmed with get-culture that I was now en-US, and re-ran the get-winevent command.
Get-WinEvent -ProviderName "Microsoft-Windows-Kernel-General" | select-object -property Message
And lo and behold...
Message
-------
The system time has changed to ?2015?-?07?-?12T01:06:52.405000000Z from ?2015?-?07?-?12T01:05:51.764208900Z.
The system time has changed to ?2015?-?07?-?12T01:05:09.671000000Z from ?2015?-?07?-?12T01:04:09.226010500Z.
The system time has changed to ?2015?-?07?-?12T01:03:49.119000000Z from ?2015?-?07?-?12T01:02:48.060593100Z.
The system time has changed to ?2015?-?07?-?12T01:02:32.128000000Z from ?2015?-?07?-?12T01:01:29.610105600Z.
The system time has changed to ?2015?-?06?-?13T08:41:12.267000000Z from ?2015?-?06?-?13T08:41:12.404273100Z.
The operating system started at system time ?2015?-?06?-?13T08:33:32.359599800Z.
The operating system is shutting down at system time ?2015?-?06?-?13T08:33:05.091743100Z.
The system time has changed to ?2015?-?06?-?13T08:32:58.947000000Z from ?2015?-?06?-?13T08:32:58.947959900Z.
Sadly, no change for get-eventlog
get-eventlog -logname system | ? { $_.Source -eq "microsoft-windows-kernel-general" } | select-object -property Message
Message
-------
The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer m...
The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer m...
The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer m...
The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer m...
The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer m...
The description for Event ID '12' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer ...
The description for Event ID '13' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer ...
The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer m...
Answer 0 (score: 2)
Not sure how or why this is, but if you use Get-WinEvent instead of Get-EventLog, you will get the information you are after.
It should be noted that when switching commands, the 'Source' parameter is called 'ProviderName', so your command becomes:
Get-WinEvent -LogName System | Where { $_.ProviderName -eq 'Microsoft-Windows-Kernel-General' }
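The practical risk behind this thread is that any log review or detection logic that matches on the Message text will silently miss events whose message template could not be loaded, while the raw event data is still there. The following function is an added example (it is not code from the question, the answer, or Microsoft) that queries a provider through Get-WinEvent, flags entries whose message came back empty or as the "The description for Event ID ... cannot be found" placeholder, and falls back to the raw event properties for those. The -ForceEnUS switch is an assumption: it sets the current thread's culture to en-US for the duration of the call as a scoped alternative to changing the Control Panel Format setting described in the question; whether a given machine needs it is also an assumption.

```powershell
# Added example, not part of the original question or answer.
function Get-ResolvedProviderEvents {
    param(
        [Parameter(Mandatory)][string]$ProviderName,
        [string]$LogName = 'System',
        [int]$MaxEvents = 50,
        # Assumption: forcing en-US on this thread avoids the
        # "locale specific resource ... not present" error seen in the question.
        [switch]$ForceEnUS
    )

    $thread        = [System.Threading.Thread]::CurrentThread
    $savedUiCulture = $thread.CurrentUICulture
    $savedCulture   = $thread.CurrentCulture
    try {
        if ($ForceEnUS) {
            $enUS = [System.Globalization.CultureInfo]::GetCultureInfo('en-US')
            $thread.CurrentUICulture = $enUS
            $thread.CurrentCulture   = $enUS
        }
        # -FilterHashtable reads the log through the newer Event Log API (the same
        # path wevtutil uses), which resolves manifest-based message strings that
        # Get-EventLog cannot look up.
        $events = Get-WinEvent -FilterHashtable @{
            LogName      = $LogName
            ProviderName = $ProviderName
        } -MaxEvents $MaxEvents -ErrorAction Stop
    }
    finally {
        # Always restore the caller's culture, even if Get-WinEvent threw.
        $thread.CurrentUICulture = $savedUiCulture
        $thread.CurrentCulture   = $savedCulture
    }

    foreach ($e in $events) {
        # An unresolved message is either empty or the generic placeholder text.
        $unresolved = [string]::IsNullOrEmpty($e.Message) -or
                      ($e.Message -like 'The description for Event ID*')

        if ($unresolved) {
            # Fall back to the raw payload values, i.e. the "following information
            # is part of the event" list from the question, so triage still sees the data.
            $text = ($e.Properties | ForEach-Object { $_.Value }) -join ', '
        } else {
            $text = $e.Message
        }

        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Id          = $e.Id
            Provider    = $e.ProviderName
            Resolved    = -not $unresolved
            Message     = $text
        }
    }
}

# Usage: list Kernel-General events, applying the locale workaround only inside this call.
Get-ResolvedProviderEvents -ProviderName 'Microsoft-Windows-Kernel-General' -ForceEnUS |
    Format-Table TimeCreated, Id, Resolved, Message -AutoSize
```

Run it in an elevated console, as the question did, since the System log can require administrative rights to read. Filtering on the Resolved column (for example `Where-Object { -not $_.Resolved }`) gives a quick inventory of providers whose message resources are missing on a host, which is worth checking before trusting any text-based filter on those events.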