I am using Get-EventLog to extract and filter System event log data. I have found that Get-EventLog does not correctly return the Message associated with certain entries. These entries appear normally in Event Viewer. For example,
get-eventlog -logname system | ? { $_.source -eq "Microsoft-Windows-Kernel-General" }
returns 8 entries, all of which have a message of the following form:
The description for Event ID '12' in Source 'Microsoft-Windows-Kernel-General' cannot be found.
The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them.
The following information is part of the event:'6', '1', '7601', '18798', '1', '0', '2015-06-13T08:33:32.359599800Z'
If I filter the System event log on the same source, I can clearly see the fully formatted message, e.g.
The operating system started at system time 2015-06-13T08:33:32.359599800Z.
I ran the following command to see whether any other providers fail to return a valid event message:
get-eventlog -LogName system | ? { $_.Message -like "The description for Event ID*" } | Group-Object -Property Source | Select-Object -Property Name
Name
----
Microsoft-Windows-Kernel-General
DCOM
WinRM
Microsoft-Windows-Iphlpsvc
I checked Event Viewer, found the corresponding entries for the DCOM, WinRM and Iphlpsvc sources, and confirmed that the correct messages are visible there.
I have been running the test scripts in an administrator-level PowerShell console.
Any ideas?
EDIT: Further research shows that PsLogList appears to have the same problem, while WEVTUTIL does not.
EDIT: At windows's suggestion I tried Get-WinEvent. I had tried it previously and found that it did not return any Message data at all. I tried it again, with the same result. I then tried Get-WinEvent -ProviderName "Microsoft-Windows-Kernel-General"
which produced the following error
Could not retrieve information about the Microsoft-Windows-Kernel-General provider. Error: The locale specific resource for the desired message is not present.
I googled it and found "https://p0w3rsh3ll.wordpress.com/2013/12/13/why-does-my-get-winevent-command-fail/", where he hit the same error message. He believed it was caused by the regional settings. I am in Australia, so my "Format" setting in Control Panel was "English (Australia)". I changed it to "English (United States)", started a new PS console, confirmed with get-culture that I was now in the US, and re-ran the get-winevent command.
Get-WinEvent -ProviderName "Microsoft-Windows-Kernel-General" | select-object -property Message
Lo and behold...
Message
-------
The system time has changed to ?2015?-?07?-?12T01:06:52.405000000Z from ?2015?-?07?-?12T01:05:51.764208900Z.
The system time has changed to ?2015?-?07?-?12T01:05:09.671000000Z from ?2015?-?07?-?12T01:04:09.226010500Z.
The system time has changed to ?2015?-?07?-?12T01:03:49.119000000Z from ?2015?-?07?-?12T01:02:48.060593100Z.
The system time has changed to ?2015?-?07?-?12T01:02:32.128000000Z from ?2015?-?07?-?12T01:01:29.610105600Z.
The system time has changed to ?2015?-?06?-?13T08:41:12.267000000Z from ?2015?-?06?-?13T08:41:12.404273100Z.
The operating system started at system time ?2015?-?06?-?13T08:33:32.359599800Z.
The operating system is shutting down at system time ?2015?-?06?-?13T08:33:05.091743100Z.
The system time has changed to ?2015?-?06?-?13T08:32:58.947000000Z from ?2015?-?06?-?13T08:32:58.947959900Z.
Unfortunately, Get-EventLog is unchanged
get-eventlog -logname system | ? { $_.Source -eq "microsoft-windows-kernel-general" } | select-object -property Message
Message
-------
The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer m...
The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer m...
The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer m...
The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer m...
The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer m...
The description for Event ID '12' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer ...
The description for Event ID '13' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer ...
The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer m...
Not sure how or why, but it looks like if you choose Get-WinEvent instead of Get-EventLog, you get the information you want.
It should be noted that when switching commands, the 'Source' parameter is called 'ProviderName', so your command becomes:
Get-WinEvent -LogName System | Where { $_.ProviderName -eq 'Microsoft-Windows-Kernel-General' }
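An added example, not code from the question or answer above: it lists the entries whose description Get-EventLog could not render, re-reads each one with Get-WinEvent, and keeps the raw insertion strings so the event data is still usable for triage even when neither cmdlet can produce text. It assumes Windows PowerShell on a host where the log is readable, and that EventLogEntry.Index equals the record's EventRecordID.

```powershell
# Added example, not from the original post.
# Finds entries in a classic log whose description Get-EventLog could not
# render, then recovers the data two ways: re-reading the same record with
# Get-WinEvent (manifest-based rendering) and keeping the raw insertion
# strings, which exist even when no description text is available.
# Assumption: EventLogEntry.Index equals the record's EventRecordID.
function Get-UnresolvedEventMessage {
    [CmdletBinding()]
    param(
        [string]$LogName   = 'System',
        [int]   $MaxEvents = 1000
    )

    # Placeholder text Get-EventLog substitutes when the message DLL or
    # registry data for the source cannot be found.
    $placeholder = 'The description for Event ID*cannot be found*'

    Get-EventLog -LogName $LogName -Newest $MaxEvents |
        Where-Object { $_.Message -like $placeholder } |
        ForEach-Object {
            $entry = $_
            # Look the same record up by record number (assumed == Index).
            $xpath = "*[System[EventRecordID=$($entry.Index)]]"
            $rec = Get-WinEvent -LogName $LogName -FilterXPath $xpath `
                                -ErrorAction SilentlyContinue

            # Get-WinEvent leaves Message empty when the locale resource for
            # the provider is missing (the error seen in the question), so
            # the insertion strings are the dependable field for triage.
            $msg = $null
            if ($rec -and $rec.Message) { $msg = $rec.Message }

            [pscustomobject]@{
                RecordId         = $entry.Index
                TimeGenerated    = $entry.TimeGenerated
                Source           = $entry.Source
                EventId          = $entry.EventID
                ResolvedByWinEvt = [bool]$msg
                Message          = $msg
                InsertionStrings = ($entry.ReplacementStrings -join ' | ')
            }
        }
}

# Usage: per source, how many records still lack text after the retry.
Get-UnresolvedEventMessage -LogName System |
    Group-Object Source, ResolvedByWinEvt |
    Select-Object Name, Count
```

A source that stays unresolved even through Get-WinEvent is a sign of a missing provider manifest or locale resource on the collector, which is worth fixing before relying on Message-based detections.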