从 EventLog 消息中提取一句话
Extract one sentence from an EventLog message
尝试只读取一系列事件中的一小部分消息。无法获得良好的输出。
我的脚本(假设所有变量都已正确设置,我能够收集到正确的事件等):
$Events = Get-WinEvent -ComputerName $Server -FilterHashtable @{LogName=$LogName;
StartTime=$StartTime} -ErrorAction SilentlyContinue
| Where-Object {$_.message -match "$Keyword1|$Keyword2"}
foreach ($Event in $Events)
{
$InStuff = $Event.Message
$InStuff = $InStuff.Split("`n").Trim("`r")
$Null = $InStuff.Where({$_ -match '<Message>(?<EventMessage>.+)</Message>'})
$EventMessage = $Matches.EventMessage
$Null = $InStuff.Where({$_ -match '\[Key\] : (?<EventKey>.+)'})
$EventKey = $Matches.EventKey
$EventXML = [xml]$Event.ToXml()
$EventArray = New-Object -TypeName PSObject -Property @{
EventID = $Event.Id
EventTime = $Event.TimeCreated
EventProvider = $Event.ProviderName
EventLog = $Event.LogName
EventMessage = $EventMessage
EventKey = $EventKey
}
$EventArray | Select EventTime,EventLog,EventProvider,EventID,EventMessage,EventKey
}
结果(注意,EventMessage 为空):
EventTime : 7/30/2018 3:43:54 PM
EventLog : CCS
EventProvider : CCS Logging
EventID : 100
EventMessage :
EventKey : R-MD
但是...如果在我的脚本中我这样做(手动粘贴日志的摘录):
$InStuff = @'
Timestamp: 7/30/2018 3:43:54 PM
Message: <Description>An exception has been detected.</Description>
<DateTime>2018-07-30 11:43:54Z</DateTime>
<Message>Exception Message:No category found for key = R-MD.</Message>
[Key] : R-MD
[LocaleId] : 1033
'@
而不是这个:
$InStuff = $Event.Message
然后我得到了一个好的结果:
EventTime : 7/30/2018 3:43:54 PM
EventLog : CCS
EventProvider : CCS Logging
EventID : 100
EventMessage : Exception Message:No category found for key = R-MD.
EventKey : R-MD
如果有帮助,$Event.Message.GetType() & $Event.Message[0].GetType() 会产生以下结果:
True | True | String | System.Object
True | True | Char | System.ValueType
基本上,回顾一下,我需要:
$Event.Message<Message> 和 </Message> 标签之间的任何内容
- 无论
[Key] : 的值是什么(一个句子或 3-4 个字符)
这两个东西似乎都存在于 $Event.Message 中。
我的实际日志中可能包含多个不同的内容,因此特别针对 X 字符进行拆分等不是一个选项,到目前为止我所管理的是 Reddit 上一些海报的帮助或互联网一般。我尝试了各种 RegEx 组合,但发现无济于事,而且我似乎无法理解如何使用 RegEx。
我花了 12 小时的大部分时间只是为了让他的输出正确...我不知所措。
请帮忙!
=====================
编辑:下面是根据请求导出的事件:
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>System.Diagnostics.Eventing.Reader.EventLogRecord</T>
<T>System.Diagnostics.Eventing.Reader.EventRecord</T>
<T>System.Object</T>
</TN>
<ToString>System.Diagnostics.Eventing.Reader.EventLogRecord</ToString>
<Props>
<I32 N="Id">100</I32>
<Nil N="Version" />
<I32 N="Qualifiers">0</I32>
<By N="Level">4</By>
<I32 N="Task">0</I32>
<Nil N="Opcode" />
<I64 N="Keywords">36028797018963968</I64>
<I64 N="RecordId">4824</I64>
<S N="ProviderName">CCS LOGGING</S>
<Nil N="ProviderId" />
<S N="LogName">CCS</S>
<Nil N="ProcessId" />
<Nil N="ThreadId" />
<S N="MachineName">Test</S>
<Nil N="UserId" />
<DT N="TimeCreated">2018-08-03T11:57:53-04:00</DT>
<Nil N="ActivityId" />
<Nil N="RelatedActivityId" />
<S N="ContainerLog">ccs</S>
<Obj N="MatchedQueryIds" RefId="1">
<TN RefId="1">
<T>System.UInt32[]</T>
<T>System.Array</T>
<T>System.Object</T>
</TN>
<LST />
</Obj>
<Obj N="Bookmark" RefId="2">
<TN RefId="2">
<T>System.Diagnostics.Eventing.Reader.EventBookmark</T>
<T>System.Object</T>
</TN>
<ToString>System.Diagnostics.Eventing.Reader.EventBookmark</ToString>
</Obj>
<S N="LevelDisplayName">Information</S>
<S N="OpcodeDisplayName">Info</S>
<Nil N="TaskDisplayName" />
<Obj N="KeywordsDisplayNames" RefId="3">
<TN RefId="3">
<T>System.Collections.ObjectModel.ReadOnlyCollection`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]</T>
<T>System.Object</T>
</TN>
<LST>
<S>Classic</S>
</LST>
</Obj>
<Obj N="Properties" RefId="4">
<TN RefId="4">
<T>System.Collections.Generic.List`1[[System.Diagnostics.Eventing.Reader.EventProperty, System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]</T>
<T>System.Object</T>
</TN>
<LST>
<Obj RefId="5">
<TN RefId="5">
<T>System.Diagnostics.Eventing.Reader.EventProperty</T>
<T>System.Object</T>
</TN>
<ToString>System.Diagnostics.Eventing.Reader.EventProperty</ToString>
<Props>
<S N="Value">Timestamp: 8/3/2018 3:57:53 PM_x000D__x000A_Message: <Exception handlingInstanceId="7bdbceed-ef96-4f0d-985a-88f7c8641661">_x000D__x000A_ <DateTime>2018-08-03 11:57:53Z</DateTime>_x000D__x000A_ <Message>Exception Message Key:RDKEYNF_x000D__x000A_Exception Message:No record found in ApplicationLabels category for key = R-MD, Locale = 1033, Filter = Active, and EffectiveDate = 8/3/2018.</Message>_x000D__x000A_ <Source>AFS</Source>_x000D__x000A_ <HelpLink />_x000D__x000A_ <Property name="Parameters">_x000D__x000A_[CategoryName] : ApplicationLabels_x000D__x000A_[Key] : R-MD_x000D__x000A_[LocaleId] : 1033_x000D__x000A_</S>
</Props>
</Obj>
</LST>
</Obj>
</Props>
<MS>
<S N="Message">Timestamp: 8/3/2018 3:57:53 PM_x000D__x000A_Message: <Exception handlingInstanceId="7bdbceed-ef96-4f0d-985a-88f7c8641661">_x000D__x000A_ <DateTime>2018-08-03 11:57:53Z</DateTime>_x000D__x000A_ <Message>Exception Message Key:RDKEYNF_x000D__x000A_Exception Message:No record found in ApplicationLabels category for key = R-MD, Locale = 1033, Filter = Active, and EffectiveDate = 8/3/2018.</Message>_x000D__x000A_ <Source>AFS</Source>_x000D__x000A_ <HelpLink />_x000D__x000A_ <Property name="Parameters">_x000D__x000A_[CategoryName] : ApplicationLabels_x000D__x000A_[Key] : R-MD_x000D__x000A_[LocaleId] : 1033_x000D__x000A_</S>
</MS>
</Obj>
</Objs>
运行 这个班轮让我从 $InStuff:
得到 <Message></Message> 之间的值
[regex]::matches($InStuff,'<Message>(.*?)<\/Message>').value.Replace("<Message>","")
.Replace("</Message>","").Trim()
输出:
Exception Message:No category found for key = R-MD.
对于 [Key] 值:
[regex]::matches($InStuff,'(?<=\[Key\]).*').value.Replace(":","").Trim()
输出:
R-MD
一个了解正则表达式的好网站是:https://regex101.com/,它们解释了正则表达式的每个部分在测试字符串上的作用。
尝试只读取一系列事件中的一小部分消息。无法获得良好的输出。
我的脚本(假设所有变量都已正确设置,我能够收集到正确的事件等):
$Events = Get-WinEvent -ComputerName $Server -FilterHashtable @{LogName=$LogName;
StartTime=$StartTime} -ErrorAction SilentlyContinue
| Where-Object {$_.message -match "$Keyword1|$Keyword2"}
foreach ($Event in $Events)
{
$InStuff = $Event.Message
$InStuff = $InStuff.Split("`n").Trim("`r")
$Null = $InStuff.Where({$_ -match '<Message>(?<EventMessage>.+)</Message>'})
$EventMessage = $Matches.EventMessage
$Null = $InStuff.Where({$_ -match '\[Key\] : (?<EventKey>.+)'})
$EventKey = $Matches.EventKey
$EventXML = [xml]$Event.ToXml()
$EventArray = New-Object -TypeName PSObject -Property @{
EventID = $Event.Id
EventTime = $Event.TimeCreated
EventProvider = $Event.ProviderName
EventLog = $Event.LogName
EventMessage = $EventMessage
EventKey = $EventKey
}
$EventArray | Select EventTime,EventLog,EventProvider,EventID,EventMessage,EventKey
}
结果(注意,EventMessage 为空):
EventTime : 7/30/2018 3:43:54 PM
EventLog : CCS
EventProvider : CCS Logging
EventID : 100
EventMessage :
EventKey : R-MD
但是...如果在我的脚本中我这样做(手动粘贴日志的摘录):
$InStuff = @'
Timestamp: 7/30/2018 3:43:54 PM
Message: <Description>An exception has been detected.</Description>
<DateTime>2018-07-30 11:43:54Z</DateTime>
<Message>Exception Message:No category found for key = R-MD.</Message>
[Key] : R-MD
[LocaleId] : 1033
'@
而不是这个:
$InStuff = $Event.Message
然后我得到了一个好的结果:
EventTime : 7/30/2018 3:43:54 PM
EventLog : CCS
EventProvider : CCS Logging
EventID : 100
EventMessage : Exception Message:No category found for key = R-MD.
EventKey : R-MD
如果有帮助,$Event.Message.GetType() & $Event.Message[0].GetType() 会产生以下结果:
True | True | String | System.Object
True | True | Char | System.ValueType
基本上,回顾一下,我需要:
$Event.Message 的 - 无论
[Key] : 的值是什么(一个句子或 3-4 个字符)
<Message> 和 </Message> 标签之间的任何内容
这两个东西似乎都存在于 $Event.Message 中。
我的实际日志中可能包含多个不同的内容,因此特别针对 X 字符进行拆分等不是一个选项,到目前为止我所管理的是 Reddit 上一些海报的帮助或互联网一般。我尝试了各种 RegEx 组合,但发现无济于事,而且我似乎无法理解如何使用 RegEx。
我花了 12 小时的大部分时间只是为了让他的输出正确...我不知所措。
请帮忙!
=====================
编辑:下面是根据请求导出的事件:
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>System.Diagnostics.Eventing.Reader.EventLogRecord</T>
<T>System.Diagnostics.Eventing.Reader.EventRecord</T>
<T>System.Object</T>
</TN>
<ToString>System.Diagnostics.Eventing.Reader.EventLogRecord</ToString>
<Props>
<I32 N="Id">100</I32>
<Nil N="Version" />
<I32 N="Qualifiers">0</I32>
<By N="Level">4</By>
<I32 N="Task">0</I32>
<Nil N="Opcode" />
<I64 N="Keywords">36028797018963968</I64>
<I64 N="RecordId">4824</I64>
<S N="ProviderName">CCS LOGGING</S>
<Nil N="ProviderId" />
<S N="LogName">CCS</S>
<Nil N="ProcessId" />
<Nil N="ThreadId" />
<S N="MachineName">Test</S>
<Nil N="UserId" />
<DT N="TimeCreated">2018-08-03T11:57:53-04:00</DT>
<Nil N="ActivityId" />
<Nil N="RelatedActivityId" />
<S N="ContainerLog">ccs</S>
<Obj N="MatchedQueryIds" RefId="1">
<TN RefId="1">
<T>System.UInt32[]</T>
<T>System.Array</T>
<T>System.Object</T>
</TN>
<LST />
</Obj>
<Obj N="Bookmark" RefId="2">
<TN RefId="2">
<T>System.Diagnostics.Eventing.Reader.EventBookmark</T>
<T>System.Object</T>
</TN>
<ToString>System.Diagnostics.Eventing.Reader.EventBookmark</ToString>
</Obj>
<S N="LevelDisplayName">Information</S>
<S N="OpcodeDisplayName">Info</S>
<Nil N="TaskDisplayName" />
<Obj N="KeywordsDisplayNames" RefId="3">
<TN RefId="3">
<T>System.Collections.ObjectModel.ReadOnlyCollection`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]</T>
<T>System.Object</T>
</TN>
<LST>
<S>Classic</S>
</LST>
</Obj>
<Obj N="Properties" RefId="4">
<TN RefId="4">
<T>System.Collections.Generic.List`1[[System.Diagnostics.Eventing.Reader.EventProperty, System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]</T>
<T>System.Object</T>
</TN>
<LST>
<Obj RefId="5">
<TN RefId="5">
<T>System.Diagnostics.Eventing.Reader.EventProperty</T>
<T>System.Object</T>
</TN>
<ToString>System.Diagnostics.Eventing.Reader.EventProperty</ToString>
<Props>
<S N="Value">Timestamp: 8/3/2018 3:57:53 PM_x000D__x000A_Message: <Exception handlingInstanceId="7bdbceed-ef96-4f0d-985a-88f7c8641661">_x000D__x000A_ <DateTime>2018-08-03 11:57:53Z</DateTime>_x000D__x000A_ <Message>Exception Message Key:RDKEYNF_x000D__x000A_Exception Message:No record found in ApplicationLabels category for key = R-MD, Locale = 1033, Filter = Active, and EffectiveDate = 8/3/2018.</Message>_x000D__x000A_ <Source>AFS</Source>_x000D__x000A_ <HelpLink />_x000D__x000A_ <Property name="Parameters">_x000D__x000A_[CategoryName] : ApplicationLabels_x000D__x000A_[Key] : R-MD_x000D__x000A_[LocaleId] : 1033_x000D__x000A_</S>
</Props>
</Obj>
</LST>
</Obj>
</Props>
<MS>
<S N="Message">Timestamp: 8/3/2018 3:57:53 PM_x000D__x000A_Message: <Exception handlingInstanceId="7bdbceed-ef96-4f0d-985a-88f7c8641661">_x000D__x000A_ <DateTime>2018-08-03 11:57:53Z</DateTime>_x000D__x000A_ <Message>Exception Message Key:RDKEYNF_x000D__x000A_Exception Message:No record found in ApplicationLabels category for key = R-MD, Locale = 1033, Filter = Active, and EffectiveDate = 8/3/2018.</Message>_x000D__x000A_ <Source>AFS</Source>_x000D__x000A_ <HelpLink />_x000D__x000A_ <Property name="Parameters">_x000D__x000A_[CategoryName] : ApplicationLabels_x000D__x000A_[Key] : R-MD_x000D__x000A_[LocaleId] : 1033_x000D__x000A_</S>
</MS>
</Obj>
</Objs>
运行 这个班轮让我从 $InStuff:
得到<Message></Message> 之间的值
[regex]::matches($InStuff,'<Message>(.*?)<\/Message>').value.Replace("<Message>","")
.Replace("</Message>","").Trim()
输出:
Exception Message:No category found for key = R-MD.
对于 [Key] 值:
[regex]::matches($InStuff,'(?<=\[Key\]).*').value.Replace(":","").Trim()
输出:
R-MD
一个了解正则表达式的好网站是:https://regex101.com/,它们解释了正则表达式的每个部分在测试字符串上的作用。