powershell - Get-WinEvent advanced properties and provider XML template

Tags: powershell

I'm trying to get some (advanced?) properties out of the Get-WinEvent command.

I'm working with Windows-Server-Backup events.

I can get the property data and the XML template, but I can't see a clean way to combine the two.

Ultimately I'd like a result where I can do event.properties.BackupState or event.properties.NumOfVolumes, etc.

$EventSource = 'Microsoft-Windows-Backup'
$provider = Get-WinEvent -listprovider $EventSource
$ProviderEvent = $provider.events | Where-Object {($_.ID -eq 4) -and ($_.Version -eq 2)}
$ProviderEvent.Template

The block above gives me this result:
<template xmlns="http://schemas.microsoft.com/win/2004/08/events">
   <data name="BackupTemplateID" inType="win:GUID" outType="xs:GUID"/>
   <data name="HRESULT" inType="win:UInt32" outType="xs:unsignedInt"/>
   <data name="BackupState" inType="win:Int32" outType="xs:int"/>
   <data name="BackupTarget" inType="win:UnicodeString" outType="xs:string"/>
   <data name="NumOfVolumes" inType="win:UInt32" outType="xs:unsignedInt"/>
   <data name="BackupTime" inType="win:FILETIME" outType="xs:dateTime"/>
   <data name="HRESULT2" inType="win:UInt32" outType="xs:unsignedInt"/>
   <data name="VolumesInfo" inType="win:UnicodeString" outType="xs:string"/>
   <data name="DetailedHRESULT" inType="win:UInt32" outType="xs:unsignedInt"/>
   <data name="SourceSnapStartTime" inType="win:FILETIME" outType="xs:dateTime"/>
   <data name="SourceSnapEndTime" inType="win:FILETIME" outType="xs:dateTime"/>
   <data name="PrepareBackupStartTime" inType="win:UnicodeString" outType="xs:string"/>
   <data name="PrepareBackupEndTime" inType="win:UnicodeString" outType="xs:string"/>
   <data name="BackupWriteStartTime" inType="win:UnicodeString" outType="xs:string"/>
   <data name="BackupWriteEndTime" inType="win:UnicodeString" outType="xs:string"/>
   <data name="TargetSnapStartTime" inType="win:FILETIME" outType="xs:dateTime"/>
   <data name="TargetSnapEndTime" inType="win:FILETIME" outType="xs:dateTime"/>
   <data name="DVDFormatStartTime" inType="win:UnicodeString" outType="xs:string"/>
   <data name="DVDFormatEndTime" inType="win:UnicodeString" outType="xs:string"/>
   <data name="MediaVerifyStartTime" inType="win:UnicodeString" outType="xs:string"/>
   <data name="MediaVerifyEndTime" inType="win:UnicodeString" outType="xs:string"/>
   <data name="BackupPreviousState" inType="win:Int32" outType="xs:int"/>
   <data name="ComponentStatus" inType="win:UnicodeString" outType="xs:string"/>
   <data name="SSBEnumerateStartTime" inType="win:FILETIME" outType="xs:dateTime"/>
   <data name="SSBEnumerateEndTime" inType="win:FILETIME" outType="xs:dateTime"/>
   <data name="SSBVhdCreationStartTime" inType="win:FILETIME" outType="xs:dateTime"/>
   <data name="SSBVhdCreationEndTime" inType="win:FILETIME" outType="xs:dateTime"/>
   <data name="SSBBackupStartTime" inType="win:FILETIME" outType="xs:dateTime"/>
   <data name="SSBBackupEndTime" inType="win:FILETIME" outType="xs:dateTime"/>
   <data name="SystemStateBackup" inType="win:UnicodeString" outType="xs:string"/>
   <data name="BMR" inType="win:Boolean" outType="xs:boolean"/>
   <data name="VssFullBackup" inType="win:Boolean" outType="xs:boolean"/>
   <data name="UserInputBMR" inType="win:Boolean" outType="xs:boolean"/>
   <data name="UserInputSSB" inType="win:Boolean" outType="xs:boolean"/>
   <data name="BackupSuccessLogPath" inType="win:UnicodeString" outType="xs:string"/>
   <data name="BackupFailureLogPath" inType="win:UnicodeString" outType="xs:string"/>
   <data name="EnumerateBackupStartTime" inType="win:UnicodeString" outType="xs:string"/>
   <data name="EnumerateBackupEndTime" inType="win:UnicodeString" outType="xs:string"/>
   <data name="PruneBackupStartTime" inType="win:UnicodeString" outType="xs:string"/>
   <data name="PruneBackupEndTime" inType="win:UnicodeString" outType="xs:string"/>
</template>

Expanding the relevant event gets me the data:
$event2 | Select-Object -ExpandProperty properties

Value
-----
8ff4875f-defb-4f0c-bfda-8ab38fc58f07
0
14
IT-BTes 2012_07_26 08:05 DISK_01
1
1/08/2012 10:30:02 AM
0
<VolumeInfo><VolumeInfoItem Name="E:" OriginalAccessPath="E:" State="14" HResult="0"     DetailedHResult="0" PreviousState="9" IsCritical
0
1/08/2012 10:30:02 AM
1/08/2012 10:30:05 AM
<TimesList><Time Time="2012-08-01T00:30:07.234Z" /></TimesList>
<TimesList><Time Time="2012-08-01T00:30:07.234Z" /></TimesList>
<TimesList><Time Time="2012-08-01T00:30:07.234Z" /></TimesList>
<TimesList><Time Time="2012-08-01T00:30:07.906Z" /></TimesList>
1/08/2012 10:30:09 AM
1/08/2012 10:30:09 AM
<TimesList></TimesList>
<TimesList></TimesList>
<TimesList></TimesList>
<TimesList></TimesList>
11
<ComponentStatus></ComponentStatus>
1/01/1601 11:00:00 AM
1/01/1601 11:00:00 AM
1/01/1601 11:00:00 AM
1/01/1601 11:00:00 AM
1/01/1601 11:00:00 AM
1/01/1601 11:00:00 AM
<SystemState IsPresent="0" HResult="0" DetailedHResult="0" />
False
False
False
False


<TimesList><Time Time="1601-01-01T00:00:00.000Z" /></TimesList>
<TimesList><Time Time="1601-01-01T00:00:00.000Z" /></TimesList>
<TimesList><Time Time="1601-01-01T00:00:00.000Z" /></TimesList>
<TimesList><Time Time="1601-01-01T00:00:00.000Z" /></TimesList>

Accepted answer

Try this:

$a = [xml]$event2.toxml()
$a.Event.EventData.Data
$guid = $a.Event.EventData.Data | where {$_.name -eq "BackupTemplateID"}
$guid.InnerText
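As an added example (not code from the question or the accepted answer), here is how to combine the two views the question shows into one object with named properties, either by pairing the provider template's data names with the positional $event.Properties values, or by reading the event's own rendered XML as the answer does. The function names are hypothetical; it assumes the ProviderName filter key of Get-WinEvent and the Version property of EventLogRecord, and that the Properties order matches the template order.

```powershell
# Way 1: pair the template's <data name="..."> entries with the positional values
# in $Event.Properties (the order of both is the template's order).
function ConvertTo-NamedProperties {
    param(
        [Parameter(Mandatory)]
        [System.Diagnostics.Eventing.Reader.EventLogRecord] $Event
    )
    $provider = Get-WinEvent -ListProvider $Event.ProviderName
    $meta = $provider.Events |
        Where-Object { $_.Id -eq $Event.Id -and $_.Version -eq $Event.Version } |
        Select-Object -First 1
    # @() keeps a single <data> element from collapsing to a plain string
    $names = @(([xml]$meta.Template).template.data.name)
    $result = [ordered]@{}
    for ($i = 0; $i -lt $names.Count; $i++) {
        $result[$names[$i]] = $Event.Properties[$i].Value
    }
    [pscustomobject]$result
}

# Way 2: same result from the event's rendered XML (the accepted answer's approach);
# no provider lookup needed, because each <Data> element carries a Name attribute.
function ConvertFrom-EventXml {
    param(
        [Parameter(Mandatory)]
        [System.Diagnostics.Eventing.Reader.EventLogRecord] $Event
    )
    $xml = [xml]$Event.ToXml()
    $result = [ordered]@{}
    foreach ($d in $xml.Event.EventData.Data) {
        $result[$d.Name] = $d.InnerText
    }
    [pscustomobject]$result
}

# Usage: the most recent Windows Server Backup event ID 4 (the question's event),
# then the fields a backup-monitoring check would look at.
$ev = Get-WinEvent -FilterHashtable @{ ProviderName = 'Microsoft-Windows-Backup'; Id = 4 } -MaxEvents 1
$p = ConvertTo-NamedProperties -Event $ev
"BackupState={0} NumOfVolumes={1} HRESULT=0x{2:X8}" -f $p.BackupState, $p.NumOfVolumes, $p.HRESULT
```

Way 2 is the cheaper one to run across many events since it avoids a provider metadata lookup per record; Way 1 is useful when the rendered XML lacks Name attributes.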

Regarding powershell - Get-WinEvent advanced properties and provider XML template, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/11769004/
