PowerShell tip: reading the Windows event log from a file
程序员文章站
2022-03-29 21:41:55
Sometimes you need to analyze event log files that were copied to disk, or you want to read the event log directly from an .evtx file.
You can do it like this:
The code is as follows:
# Read the Setup log straight from its .evtx file on disk instead of the live log
$path = "$env:windir\system32\winevt\logs\setup.evtx"
Get-WinEvent -Path $path
Here is another piece of code that retrieves event log entries (it checks whether a scheduled sync task ran and mails a report):
The code is as follows:
# One-minute window on the current day (06:35 to 06:36) in which the
# scheduled task is expected to be triggered
$starttime = (Get-Date).Date + (New-TimeSpan -Hours 6 -Minutes 35)
$endtime   = (Get-Date).Date + (New-TimeSpan -Hours 6 -Minutes 36)
$logName   = "Microsoft-Windows-TaskScheduler/Operational"

# Event 107: task triggered on schedule. Events 100 (task started) and
# 102 (task completed) share its ActivityId, which is how they are matched below.
$global:events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 107; StartTime = $starttime; EndTime = $endtime }

foreach ($global:event in $global:events) {
    Clear-Host
    $startlogs    = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 100; StartTime = $starttime }
    $completelogs = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 102; StartTime = $starttime }
    # Select-Object -First 1 keeps TimeCreated a single value even if more than one record matches
    $global:taskstart    = $startlogs    | Where-Object { $_.ActivityId -eq $global:event.ActivityId } | Select-Object -First 1
    $global:taskcomplete = $completelogs | Where-Object { $_.ActivityId -eq $global:event.ActivityId } | Select-Object -First 1

    # Only compute the duration when both the start and the completion record were found;
    # $null -gt 1 is false, so a missing record falls through to the failure branch below
    $global:timespent = $null
    if ($global:taskstart -and $global:taskcomplete) {
        $global:timespent = ($global:taskcomplete.TimeCreated - $global:taskstart.TimeCreated).TotalMinutes
    }

    # A run shorter than one minute is treated as a failed sync
    if ($global:timespent -gt 1) {
        $messagebody  = "sync task started at: " + $global:taskstart.TimeCreated.DateTime + "`r`n"
        $messagebody += "`r`nsync task completed at: " + $global:taskcomplete.TimeCreated.DateTime + "`r`n"
        $messagebody += "`r`ntask lasted for " + ("{0:n2}" -f $global:timespent) + " minutes"
        Send-MailMessage -From "customerlog@avepoint.com" -To "zhijie.bai@avepoint.com", "infrastructure_cn@avepoint.com" -Subject "customer logs sync report:success" -Body $messagebody -SmtpServer "10.100.100.153" -Encoding utf8
    }
    else {
        $messagebody  = "########################################################################`r`n"
        $messagebody += "`r`ncustom logs sync failed, please login 10.2.0.125 to check and sync again`r`n"
        $messagebody += "`r`n########################################################################`r`n"
        Send-MailMessage -From "customerlog@avepoint.com" -To "zhijie.bai@avepoint.com", "infrastructure_cn@avepoint.com" -Subject "customer logs sync report:failed" -Body $messagebody -SmtpServer "10.100.100.153" -Encoding utf8 -Priority High
    }
}
Works with all versions of PowerShell.
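The two snippets above show reading an .evtx file with -Path and narrowing a live log with -FilterHashtable. The following script is an added example, not code from the original post, that combines both for the case a responder actually meets: a Security log exported from a host and copied onto an analysis machine. The file path and the time window are placeholders to adjust; the event ID 4624 (successful logon) and its TargetUserName, TargetDomainName, LogonType and IpAddress fields are standard Windows Security log fields.

```powershell
# Added example: offline triage of an exported Security .evtx file.
# Placeholder path: replace with the copy of the log you are examining.
param(
    [string]$Path = "C:\cases\placeholder\Security.evtx",
    [datetime]$StartTime = (Get-Date).AddDays(-1),
    [datetime]$EndTime = (Get-Date)
)

# -FilterHashtable accepts Path as a key, so the file, the event ID and the
# time window are all applied while the log is read; this is much faster than
# reading every record and filtering afterwards with Where-Object.
$filter = @{
    Path      = $Path
    Id        = 4624          # successful logon
    StartTime = $StartTime
    EndTime   = $EndTime
}

# Get-WinEvent raises a terminating "No events were found" error when nothing
# matches; an empty result is a normal outcome here, so suppress it.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Take the named EventData fields from each record's XML. The rendered Message
# string is localized and its layout varies, so it is not a stable parse target.
$logons = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        LogonType   = [int]$data['LogonType']
        SourceIp    = $data['IpAddress']
        RecordId    = $e.RecordId
    }
}

# Network (type 3) and RDP (type 10) logons from addresses other than the host
# itself are the ones to review first; grouping by user and source makes a
# single account with an unusual volume of remote logons stand out.
# Note: the -in / -notin operators need PowerShell 3.0 or later.
$logons |
    Where-Object { $_.LogonType -in 3, 10 -and $_.SourceIp -notin '-', '127.0.0.1', '::1' } |
    Group-Object User, SourceIp |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Save it as a .ps1 file and run it with -Path pointing at the exported log; the same filter hashtable works against the live log by replacing the Path key with LogName = 'Security'.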