0

我有以下代码枚举所有事件日志源并获取最近几天的错误和警告。

Get-WinEvent -ListLog * -EA silentlycontinue | 
  Where-Object { $_.recordcount } | 
    ForEach-Object { 
      Get-WinEvent -FilterHashTable @{LogName=$_.logname; 
                                      StartTime=(get-date).AddDays(-5) } –MaxEvents 1000 | 
        Where-object {$_.LevelDisplayName -like 'Error' -OR 
                      $_.LevelDisplayName -like 'Warning'} 
    }

它目前按日志名称排序,然后在下面逐行列出所有相关条目。

ProviderName: Microsoft-Windows-DNS-Server-Service
TimeCreated                     Id LevelDisplayName Message                                                                                                                  
-----------                     -- ---------------- -------                                                                                                                  
11/29/2018 9:08:57 AM         4013 Warning          The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of t...
11/28/2018 8:39:35 PM         4015 Error            The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is function...
11/28/2018 8:34:07 PM         4015 Error            The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is function...
11/28/2018 8:28:39 PM         4015 Error            The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is function...
11/28/2018 8:23:11 PM         4015 Error            The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is function...

我想修改代码,以便它继续按日志提供程序名称分组,但在下面我希望它通过计数每个唯一条目来总结。输出将排除日期,但会列出 Id、Level、Message 和一个新的“count”属性,其中列出了 Id 发生的次数。

Count      Id   LevelDisplayName     Message                                                                                                                  
--------  ----  ----------------   ------------------   
4         4015    Error            The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is function...

我无法得到我正在寻找的结果。有什么建议么?

4

1 回答 1

0

我认为这是您想要的大部分内容。我不得不假设您想要每个“日志/提供者”的计数,并且您想要单独计数的警告和错误。我将结果放在自定义对象中,您可以根据需要更改自定义对象。

     $b = Get-WinEvent -ListLog * -EA silentlycontinue | Where-Object { $_.recordcount } 
ForEach ($a in $b) { 
$result = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashTable @{LogName=$a.logname; StartTime=(get-date).AddDays(-5) } –MaxEvents 1000  | where-object {$_.LevelDisplayName -like 'Error' -OR $_.LevelDisplayName -like 'Warning'} 
$id=$result | Select-Object -unique id
$Provider = $result.providerName | select -Unique
    foreach($i in $id) 
    { 
        foreach($p in $Provider)
        {
            ($result | Where-Object{$_.id -eq $i.id})
            $filler=($result | Where-Object{$_.id -eq $i.id})[0] 
            $errorcount = ($result | Where-Object{$_.id -eq $i.id -and $_.leveldisplayname -eq "Error"}).count
            $warningCount = ($result | Where-Object{$_.id -eq $i.id -and $_.leveldisplayname -eq "Warning"}).count
            [pscustomObject]@{
                'Provider' = $p
                'ErrorCount' = $errorcount
                'WarningCount' = $warningCount
                'Id' = $filler.Id
                'Message' = $filler.Message
            }
        }
    }
}
于 2018-11-29T18:25:43.783 回答