我正在尝试将(事件日志的)对象数组输出到DataTable,期望通过管道传递到SQL。
基本知识是:
输出到数据表
function Get-Type
{
param($type)
$types = @(
'System.Boolean',
'System.Byte[]',
'System.Byte',
'System.Char',
'System.Datetime',
'System.Decimal',
'System.Double',
'System.Guid',
'System.Int16',
'System.Int32',
'System.Int64',
'System.Single',
'System.UInt16',
'System.UInt32',
'System.UInt64')
if ( $types -contains $type ) {
Write-Output "$type"
}
else {
Write-Output 'System.String'
}
} #Get-Type
function Out-DataTable
{
[CmdletBinding()]
param([Parameter(Position=0, Mandatory=$true, ValueFromPipeline = $true)] [PSObject[]]$InputObject)
Begin
{
$dt = new-object Data.datatable
$First = $true
}
Process
{
Write-Output "test"
foreach ($object in $InputObject)
{
$DR = $DT.NewRow()
foreach($property in $object.PsObject.get_properties())
{
if ($first)
{
$Col = new-object Data.DataColumn
$Col.ColumnName = $property.Name.ToString()
if ($property.value)
{
if ($property.value -isnot [System.DBNull]) {
$Col.DataType = [System.Type]::GetType("$(Get-Type $property.TypeNameOfValue)")
}
}
$DT.Columns.Add($Col)
}
if ($property.Gettype().IsArray) {
$DR.Item($property.Name) =$property.value | ConvertTo-XML -AS String -NoTypeInformation -Depth 1
}
else {
$DR.Item($property.Name) = $property.value
}
}
$DT.Rows.Add($DR)
$First = $false
}
}
End
{
Write-Output @(,($dt))
}
} #Out-DataTable
$allEvents = Get-WinEvent -LogName ForwardedEvents | Where-Object{$_.Id -ne 111}
$outEvents = @()
$dt = $null
foreach ($curEvent in $allEvents){
$curObj = $null
switch ($curEvent.ID) {
4624 {
$curObj = New-Object -TypeName PSObject
Add-Member -InputObject $curObj -MemberType NoteProperty -Name TimeCreated -Value ([datetime]$curEvent.TimeCreated)
Add-Member -InputObject $curObj -MemberType NoteProperty -Name Action -Value $curEvent.TaskDisplayName
Add-Member -InputObject $curObj -MemberType NoteProperty -Name MachineName -Value $curEvent.MachineName
Add-Member -InputObject $curObj -MemberType NoteProperty -Name UserName -Value ((($curEvent.Message).Split([Environment]::NewLine)[36]).split(":")[1]).Trim()
Add-Member -InputObject $curObj -MemberType NoteProperty -Name LoginID -Value ((($curEvent.Message).Split([Environment]::NewLine)[40]).split(":")[1]).Trim()
Add-Member -InputObject $curObj -MemberType NoteProperty -Name SourceIP -Value ((($curEvent.Message).Split([Environment]::NewLine)[64]).split(":")[1]).Trim()
Add-Member -InputObject $curObj -MemberType NoteProperty -Name ID -Value $curEvent.Id
Add-Member -InputObject $curObj -MemberType NoteProperty -Name RecordID -Value $curEvent.RecordID
}
4647 {
$curObj = New-Object -TypeName PSObject
Add-Member -InputObject $curObj -MemberType NoteProperty -Name TimeCreated -Value ([datetime]$curEvent.TimeCreated)
Add-Member -InputObject $curObj -MemberType NoteProperty -Name Action -Value $curEvent.TaskDisplayName
Add-Member -InputObject $curObj -MemberType NoteProperty -Name MachineName -Value $curEvent.MachineName
Add-Member -InputObject $curObj -MemberType NoteProperty -Name UserName -Value ((($curEvent.Message).Split([Environment]::NewLine)[8]).split(":")[1]).Trim()
Add-Member -InputObject $curObj -MemberType NoteProperty -Name LoginID -Value ((($curEvent.Message).Split([Environment]::NewLine)[12]).split(":")[1]).Trim()
Add-Member -InputObject $curObj -MemberType NoteProperty -Name SourceIP -Value "Not Available"
Add-Member -InputObject $curObj -MemberType NoteProperty -Name ID -Value $curEvent.Id
Add-Member -InputObject $curObj -MemberType NoteProperty -Name RecordID -Value $curEvent.RecordID
}
4778 {
$curObj = New-Object -TypeName PSObject
Add-Member -InputObject $curObj -MemberType NoteProperty -Name TimeCreated -Value ([datetime]$curEvent.TimeCreated)
Add-Member -InputObject $curObj -MemberType NoteProperty -Name Action -Value "Reconnect"
Add-Member -InputObject $curObj -MemberType NoteProperty -Name MachineName -Value $curEvent.MachineName
Add-Member -InputObject $curObj -MemberType NoteProperty -Name UserName -Value ((($curEvent.Message).Split([Environment]::NewLine)[6]).split(":")[1]).Trim()
Add-Member -InputObject $curObj -MemberType NoteProperty -Name LoginID -Value ((($curEvent.Message).Split([Environment]::NewLine)[10]).split(":")[1]).Trim()
Add-Member -InputObject $curObj -MemberType NoteProperty -Name SourceIP -Value ((($curEvent.Message).Split([Environment]::NewLine)[24]).split(":")[1]).Trim()
Add-Member -InputObject $curObj -MemberType NoteProperty -Name ID -Value $curEvent.Id
Add-Member -InputObject $curObj -MemberType NoteProperty -Name RecordID -Value $curEvent.RecordID
}
4800 {
$curObj = New-Object -TypeName PSObject
Add-Member -InputObject $curObj -MemberType NoteProperty -Name TimeCreated -Value ([datetime]$curEvent.TimeCreated)
Add-Member -InputObject $curObj -MemberType NoteProperty -Name Action -Value "Locked"
Add-Member -InputObject $curObj -MemberType NoteProperty -Name MachineName -Value $curEvent.MachineName
Add-Member -InputObject $curObj -MemberType NoteProperty -Name UserName -Value ((($curEvent.Message).Split([Environment]::NewLine)[8]).split(":")[1]).Trim()
Add-Member -InputObject $curObj -MemberType NoteProperty -Name LoginID -Value ((($curEvent.Message).Split([Environment]::NewLine)[12]).split(":")[1]).Trim()
Add-Member -InputObject $curObj -MemberType NoteProperty -Name SourceIP -Value "Not Available"
Add-Member -InputObject $curObj -MemberType NoteProperty -Name ID -Value $curEvent.Id
Add-Member -InputObject $curObj -MemberType NoteProperty -Name RecordID -Value $curEvent.RecordID
}
Default { }
}
$outEvents += $curObj
}
$outEvents
$dt = Out-DataTable -InputObject $outEvents
运行此命令时,$ outEvents的最后一个输出列出所有具有正确详细信息的事件对象,但是尝试将其插入Out-DataTable返回:
Out-DataTable : Cannot bind argument to parameter 'InputObject' because it is null.
At \\server\scripts\Repository\Write-UserLoginEvent\Write-UserLoginEvent.ps1:140 char:38
+ $dt = Out-DataTable -InputObject $outEvents
+ ~~~~~~~
+ CategoryInfo : InvalidData: (:) [Out-DataTable], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Out-DataTable
我尝试了所有其他格式化数据等方法,但似乎无法获得此函数来接受我的自定义对象数组。
如果我使用诸如“ Get-Process”之类的内置函数,则该函数可以正常工作并返回DataTable,因此我认为它是特定于我要返回的对象。
编辑:在发布此内容之前,我还将DataTable段移动到了循环中,以尝试将每个事件对象作为单独的DataTable打印。希望找出问题所在。它在第一个对象上立即失败。
答案 0 :(得分:0)
所以问题是我遇到了一个未被捕获的事件类型。
由于此事件的格式不正确,所以输出中只有一个事件不适合DataTable结构,从而导致NULL错误。
为了确定问题,我在循环内放置了一个Out-DataTable步骤来分别处理每个对象,在输出中我可以看到除一个对象外,所有对象均成功。追查到那个,我可以发现我没有满足该事件ID(8001)。