Question

尝试使用wevtutil命令将Windows服务器事件日志导入/读取到文本文件。我使用以下命令将我的日志写入file.txt：

$ wevtutil qe Application \rd:true \f:text（读取应用程序日志）     和我的命令的示例输出是：

Event[1]:
  Log Name: Application
  Source: Microsoft-Windows-Security-SPP
  Date: 2016-03-29T13:02:27.000
  Event ID: 8196
  Task: N/A
  Level: Information
  Opcode: N/A
  Keyword: Classic
  User: N/A
  User Name: N/A
  Computer: WIN-IONOGQTF9O5
  Description: License Activation Scheduler (sppuinotify.dll)

Event[2]:
  Log Name: Application
  Source: Microsoft-Windows
  Date: 2016-06-29T13:02:57.000
  Event ID: 3444
  Task: N/A
  Level: Critical
  Opcode: N/A
  Keyword: Classic
  User: N/A
  User Name: N/A
  Computer: WIN-IONOGDFFF9O5
  Description: AIRO.Activation code(sppuinotify.dll)

（实际上，两个样本日志）。但是，我想将我的日志作为单行写入.txt文件，而不是单个日志的上述多行输出。是否有wevtutil command实用程序将日志写入单行，如下所示：

Event[1]:Log Name: Application Source: Microsoft-Windows-Security-SPP Date: 2016-03-29T13:02:27.000 Event ID: 8196 Task: N/A Level: Information Opcode: N/A Keyword: Classic User: N/A  User Name: N/A Computer: WIN-IONOGQTF9O5 Description: License Activation Scheduler (sppuinotify.dll)
Event[2]:Log Name: Application Source: Microsoft-Windows Date: 2016-03-29T13:02:27.000 Event ID: 8196 Task: N/A Level: Information Opcode: N/A Keyword: Classic User: N/A  User Name: N/A Computer: WIN-IONOGQTF9O5 Description: License Activation Scheduler (sppuinotify.dll)

谢谢！

Answer 1

$logname = "Application"    
$events = Get-EventLog -LogName $logname

$arr = @()
$counter = 1

foreach($event in $events){
$arr += "Event[$counter]:Log Name: $logname Source: $($event.Source) Date: $($event.TimeWritten) Event ID: $($event.EventID) Task: $($event.Category) Level: $($event.EntryType) ..."
$counter++
}

$arr | out-file events.txt

如果您需要使用操作码，关键字等，请使用Get-Winevent代替Get-Eventlog

wevtutil查询在单行

1 个答案: