免费课程:

https://edu.51cto.com/course/35511.html


适合人群:

适合对Powershell和Windows运维感兴趣的学员

你将会学到:

利用Powershell检索日志,筛选日志的方法。

课程简介:

利用Powershell检索日志,筛选日志的方法。

适合对Powershell和Windows运维感兴趣的学员。

本章有三个脚本。注意在筛选时，起始时间的选择比较重要，它决定了返回多少日志。

本文内容并不复杂,但是实用性很强,比传统的用控制台的方法更方便快捷。

希望对大家有帮助。


所用脚本:

#1. Inventory: which logs on this machine actually contain records, and the full property set of one of them.

# Keep only logs whose RecordCount is known and non-zero; a $null RecordCount is dropped as well as 0.
# ($null is placed on the left so the comparison is never turned into an array filter.)
Get-WinEvent -ListLog * |
    Where-Object { $null -ne $_.RecordCount -and $_.RecordCount -ne 0 } |
    Select-Object -Property LogName, RecordCount, IsClassicLog, IsEnabled, LogMode, LogType |
    Format-Table -AutoSize

# Every property of the System log (size, retention mode, whether it is enabled, ...).
Get-WinEvent -ListLog System | Format-List -Property *

#2. Ways of building the $StartTime lower bound that the log query will use.
# The assignments below are alternatives: each one overrides the previous, so only the last (the literal date) survives.
Get-Date                                          # current local time, for reference
$StartTime = (Get-Date).AddDays(-1)               # one day back
$StartTime = (Get-Date).AddMonths(-1)             # one month back
$StartTime = (Get-Date).AddMinutes(-10)           # ten minutes back
$StartTime = (Get-Date).AddDays(5)                # five days ahead
$StartTime = (Get-Date).AddHours(5)               # five hours ahead
$StartTime = [datetime]"2024/1/6 10:16:15 AM"     # a fixed point in time (cast, so the result is a [datetime])

# Distance between the chosen bound and now, as a [timespan]; negative when $StartTime lies in the past.
$now = Get-Date
New-TimeSpan -Start $now -End $StartTime

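#3. Collect Warning/Error events from several logs since $StartTime, then slice the result by provider and event ID.

# Logs to query. A log that does not exist on this host (the DHCP / AD logs on a plain member server, for instance)
# or that cannot be read is reported as a warning inside the loop and skipped instead of aborting the whole run.
$events = 'Application', 'DFS Replication', 'Directory Service', 'DNS Server', 'System', 'DhcpAdminEvents', 'Active Directory Web Services'

# Lower bound on TimeCreated. Keep it a [datetime] (the StartTime key of the filter hashtable expects one);
# the width of this window decides how much is pulled back, so choose it deliberately.
$StartTime = (Get-Date).AddDays(-3)
<#
Alternative windows:
$StartTime = (Get-Date).AddDays(-1)
$StartTime = (Get-Date).AddHours(-24)
$StartTime = (Get-Date).AddMinutes(-10)
$StartTime = [datetime]"2024/1/6 10:16:15 AM"
#>

# Columns shown in every summary table / list below.
$columns = 'TimeCreated', 'Id', 'ProviderName', 'LevelDisplayName', 'Message'

# Only the event objects emitted by Get-WinEvent are captured in $eventresults; Write-Host goes straight to the console.
$eventresults = foreach ($event in $events) {
    Write-Host "Win-EventFrom:$event" -ForegroundColor Red
    try {
        # Filter on the numeric Level inside the hashtable (2 = Error, 3 = Warning): the event log service evaluates it
        # instead of a client-side Where-Object, and unlike LevelDisplayName it is not localized, so the filter also
        # matches on a non-English Windows where the display names are "错误"/"警告" rather than "Error"/"Warning".
        Get-WinEvent -FilterHashtable @{
            LogName   = $event
            StartTime = $StartTime
            Level     = 2, 3
        } -ErrorAction Stop
    }
    catch {
        # Missing log, access denied, or "no events found" for this log: report it and move on to the next log.
        Write-Warning "$event : $($_.Exception.Message)"
    }
    Write-Host 'LastLine' -ForegroundColor Green -BackgroundColor Black
    Write-Host ''
    Write-Host ''
}
$eventresults

$eventresults | Select-Object -Property $columns | Format-Table -AutoSize

#DHCP
$dhcp = $eventresults | Where-Object ProviderName -like '*DHCP*'
$dhcp | Select-Object -Property $columns | Format-Table -AutoSize -Wrap
$dhcp | Select-Object -Property $columns | Format-List

# Drill into the first event with ID 1059: summary columns first, then every property.
$eventresults | Where-Object Id -eq 1059 | Select-Object -First 1 | Select-Object -Property $columns | Format-List
$eventresults | Where-Object Id -eq 1059 | Select-Object -First 1 | Format-List -Property *

#GroupPolicy
$groupPolicy = $eventresults | Where-Object ProviderName -like '*Group*'
$groupPolicy | Select-Object -Property $columns | Format-Table -AutoSize -Wrap
$groupPolicy | Select-Object -Property $columns | Format-List

$eventresults | Where-Object Id -eq 1129 | Select-Object -First 1 | Select-Object -Property $columns | Format-List
$eventresults | Where-Object Id -eq 1129 | Select-Object -First 1 | Format-List -Property *

#DNS
$dns = $eventresults | Where-Object ProviderName -like '*DNS*'
$dns | Select-Object -Property $columns | Format-Table -AutoSize -Wrap
$dns | Select-Object -Property $columns | Format-List

# TODO: the two lines below repeat the ID 1129 drill-down from the GroupPolicy section verbatim;
# confirm which DNS event ID was actually intended here and replace 1129 accordingly.
$eventresults | Where-Object Id -eq 1129 | Select-Object -First 1 | Select-Object -Property $columns | Format-List
$eventresults | Where-Object Id -eq 1129 | Select-Object -First 1 | Format-List -Property *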