I am using get-eventlog to extract and filter System event log data. I have found that get-eventlog does not correctly return the messages associated with some entries. These entries appear normally in the Event Viewer. For example
get-eventlog -logname system | ? { $_.source -eq "Microsoft-Windows-Kernel-General" }
returns 8 entries, all of which have a message of the following form:
The description for Event ID '12' in Source 'Microsoft-Windows-Kernel-General' cannot be found.
The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them.
The following information is part of the event:'6', '1', '7601', '18798', '1', '0', '2015-06-13T08:33:32.359599800Z'
If I filter the System event log on the same source, I can clearly see the full message. For example
The operating system started at system time 2015-06-13T08:33:32.359599800Z.
I ran the following command to see whether any other providers fail to return valid event messages:
get-eventlog -LogName system | ? { $_.Message -like "The description for Event ID*" } | Group-Object -Property Source | Select-Object -Property Name
Name
----
Microsoft-Windows-Kernel-General
DCOM
WinRM
Microsoft-Windows-Iphlpsvc
I checked the Event Viewer for the corresponding entries from the DCOM, WinRM and Iphlpsvc sources and confirmed that the correct messages are visible there.
I have run the test scripts from an administrator-level PowerShell console.
Any ideas?
Edit: Further research shows that PsLogList seems to have the same problem, while WEVTUTIL does not.
Edit: Following Windos's suggestion, I tried get-winevent. I had tried this before and found that it returned no message data at all. I tried it again and got the same result. I then tried
Get-WinEvent -ProviderName "Microsoft-Windows-Kernel-General"
This produced the following error
Could not retrieve information about the Microsoft-Windows-Kernel-General provider. Error: The locale specific resource for the desired message is not present.
A bit of searching led me to https://p0w3rsh3ll.wordpress.com/2013/12/13/why-does-my-get-winevent-command-fail/ , where they hit the same error message. He believes it is caused by the regional settings. I am in Australia, so my "Format" setting in Control Panel was "English (Australia)". I changed it to "English (United States)", started a new PS console, confirmed with get-culture that I was now en-US, and re-ran the get-winevent command.
Get-WinEvent -ProviderName "Microsoft-Windows-Kernel-General" | select-object -property Message
Voila...
Message
-------
The system time has changed to ?2015?-?07?-?12T01:06:52.405000000Z from ?2015?-?07?-?12T01:05:51.764208900Z.
The system time has changed to ?2015?-?07?-?12T01:05:09.671000000Z from ?2015?-?07?-?12T01:04:09.226010500Z.
The system time has changed to ?2015?-?07?-?12T01:03:49.119000000Z from ?2015?-?07?-?12T01:02:48.060593100Z.
The system time has changed to ?2015?-?07?-?12T01:02:32.128000000Z from ?2015?-?07?-?12T01:01:29.610105600Z.
The system time has changed to ?2015?-?06?-?13T08:41:12.267000000Z from ?2015?-?06?-?13T08:41:12.404273100Z.
The operating system started at system time ?2015?-?06?-?13T08:33:32.359599800Z.
The operating system is shutting down at system time ?2015?-?06?-?13T08:33:05.091743100Z.
The system time has changed to ?2015?-?06?-?13T08:32:58.947000000Z from ?2015?-?06?-?13T08:32:58.947959900Z.
Sadly - no change for get-eventlog
get-eventlog -logname system | ? { $_.Source -eq "microsoft-windows-kernel-general" } | select-object -property Message
Message
-------
The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer m...
The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer m...
The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer m...
The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer m...
The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer m...
The description for Event ID '12' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer ...
The description for Event ID '13' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer ...
The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer m...
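As an added example (not from the original post), the same locale workaround in script form rather than via Control Panel: the thread culture is switched to en-US only around the Get-WinEvent call, and when a message still will not render the raw replacement values are emitted instead, so a collection or detection script never silently loses the event. The in-thread culture switch, the -FilterHashtable query and the fallback are assumptions of this example, not something the poster tested.

```powershell
# Added example, not from the original post. Assumes the en-US message
# resources are present (as they were for the poster after changing the
# Control Panel "Format" setting); otherwise the fallback branch is used.
function Get-KernelGeneralEvents {
    param(
        [string]$LogName  = 'System',
        [string]$Provider = 'Microsoft-Windows-Kernel-General',
        [string]$Culture  = 'en-US'
    )
    $thread         = [System.Threading.Thread]::CurrentThread
    $savedCulture   = $thread.CurrentCulture
    $savedUICulture = $thread.CurrentUICulture
    try {
        # Render messages under en-US only for the duration of this query.
        $ci = [System.Globalization.CultureInfo]::GetCultureInfo($Culture)
        $thread.CurrentCulture   = $ci
        $thread.CurrentUICulture = $ci
        # A hashtable filter avoids the provider-metadata lookup that raised
        # "The locale specific resource ... is not present" with -ProviderName.
        Get-WinEvent -FilterHashtable @{ LogName = $LogName; ProviderName = $Provider } -ErrorAction Stop |
            ForEach-Object {
                # Properties holds the raw replacement values (the '6', '1',
                # '7601', ... list seen in the get-eventlog output above), so the
                # event is still usable even when no description can be rendered.
                $raw = ($_.Properties | ForEach-Object { $_.Value }) -join ', '
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    Id          = $_.Id          # 1 = time change, 12 = start, 13 = shutdown
                    Rendered    = [bool]$_.Message
                    Message     = if ($_.Message) { $_.Message } else { "RAW: $raw" }
                }
            }
    }
    finally {
        # Always restore the console's own culture, even on error.
        $thread.CurrentCulture   = $savedCulture
        $thread.CurrentUICulture = $savedUICulture
    }
}

Get-KernelGeneralEvents | Format-Table -AutoSize
```

Events with Rendered set to False point at a machine whose message DLLs or locale resources are missing, which is worth flagging in its own right on a collector.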