我正在使用Xpath使用PowerShells Get-WinEvent过滤Windows事件日志(此问题不仅限于PowerShell,而是XPath问题)
我的输入数据(示例事件)如下
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478- 4994-A5BA-3E3B0328C30D}" />
<EventID>4662</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14080</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2017-08-14T09:03:17.496928900Z" />
<EventRecordID>787185775</EventRecordID>
<Correlation />
<Execution ProcessID="1220" ThreadID="6908" />
<Channel>Security</Channel>
<Computer>MyComputer.MyDomain.Local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3674026133-984544165-2712361304-107629</Data>
<Data Name="SubjectUserName">svc-X</Data>
<Data Name="SubjectDomainName">GROUP</Data>
<Data Name="SubjectLogonId">0x35e0ae72d</Data>
<Data Name="ObjectServer">DS</Data>
<Data Name="ObjectType">%{19195a5b-6da0-11d0-afd3-00c04fd930c9}</Data>
<Data Name="ObjectName">%{38f2636c-4bec-4029-aab6-a2ce69751d1a}</Data>
<Data Name="OperationType">Object Access</Data>
<Data Name="HandleId">0x0</Data>
<Data Name="AccessList">%%7688</Data>
<Data Name="AccessMask">0x100</Data>
<Data Name="Properties">%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}</Data>
<Data Name="AdditionalInfo">-</Data>
<Data Name="AdditionalInfo2" />
</EventData>
</Event>
现在,如果我将以下XPath语句保存到变量$ XpathQuery
$XpathQuery = "*[System[(EventID=4624)] and EventData[(Data`enter code here`[@Name='Properties'] )]]"
使用PowerShell Get-WinEvent cmdlet运行,如下所示
Get-WinEvent -LogName Security -ComputerName MyComputer.MyDomain.Local -FilterXPath $XpathQuery
我得到了我期望的输出,例如我得到了所有4624个事件,其中EventData有一个名为Properties
的属性我想微调我的XPath查询,只选择属性元素包含 文本的条目1131f6aa-9c07-11d1-f79f -00c04fc2dcd2因为我有几百个条目,其中只有少数条目包含1131f6aa-9c07-11d1-f79f-00c04fc2dcd2