EventLogPropertySelector 不从 PowerShell 中的事件对象返回扩展数据
EventLogPropertySelector Not Returning Extended Data From Event Object In PowerShell
我的短期目标是从名为 Microsoft-Windows-TerminalServices-**LocalSessionManager/Operational 的日志中收集提供者 Microsoft-Windows-TerminalServices-LocalSessionManager 的事件 ID 40 和 42,然后根据 Session/SessionID 对它们进行排序。虽然我可以尝试解析消息 属性,但我正在尝试使用 EventLogRecord 的 GetPropertyValues 方法,该方法采用 System.Diagnostics.Eventing.Reader.EventLogPropertySelector参数。此外,对于事件 40 的消息,会话 ID 首先显示为“会话”,对于事件 41 的消息显示为第二个标记为“会话 ID”。
姓名
会员类型
定义
获取属性值
方法
System.Collections.Generic.IList[System.Object]
我看到在 2018 年 and 都给出了如何执行此操作的答案。按照他们的例子,我查看了事件提供者的事件模板。
(Get-WinEvent -ListProvider Microsoft-Windows-TerminalServices-LocalSessionManager).Events|Where-object{@(40,42) -contains $_.ID}
Id : 40
Version : 0
LogLink : System.Diagnostics.Eventing.Reader.EventLogLink
Level : System.Diagnostics.Eventing.Reader.EventLevel
Opcode : System.Diagnostics.Eventing.Reader.EventOpcode
Task : System.Diagnostics.Eventing.Reader.EventTask
Keywords : {}
Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events">
<data name="Session" inType="win:UInt32" outType="xs:unsignedInt"/>
<data name="Reason" inType="win:UInt32" outType="xs:unsignedInt"/>
</template>
Description : Session %1 has been disconnected, reason code %2
Id : 42
Version : 0
LogLink : System.Diagnostics.Eventing.Reader.EventLogLink
Level : System.Diagnostics.Eventing.Reader.EventLevel
Opcode : System.Diagnostics.Eventing.Reader.EventOpcode
Task : System.Diagnostics.Eventing.Reader.EventTask
Keywords : {}
Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events">
<data name="User" inType="win:UnicodeString" outType="xs:string"/>
<data name="SessionID" inType="win:UInt32" outType="xs:unsignedInt"/>
</template>
Description : End session arbitration:
User: %1
Session ID: %2
作为测试,我创建了以下内容以尝试从事件 ID 42 获取会话 ID:
$strComputerName='PMV-SC01'
<# For those wanting to build xmlFilters try something like the following as it allow you to create them more dynamically
$xmlFilterBase=[xml]'<QueryList><Query Id="0"></Query></QueryList>'
## in a loop ##
$xmlSelect=$xmlFilter.CreateElement("Select")
$xmlSelect.SetAttribute("Path","$Logname")
$xmlSelect.set_InnerText("*[System[$($ProviderName)TimeCreated[@SystemTime>='$StartTime' and @SystemTime<='$EndTime']]]")
$xmlFilter.QueryList.Query.AppendChild($xmlSelect)|Out-Null
$xmlSelect=$Null
## end loop ##
#>
#I used the filter below to simplify the testing.
$xmlFilter=@"
<QueryList><Query Id="0" Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"><Select Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational">*[System[TimeCreated[@SystemTime>='2021-06-28T22:00:00.000Z' and @SystemTime<='2021-06-28T23:00:00.000Z']]]</Select></Query></QueryList>
"@
$WinEvents=Get-WinEvent -ComputerName $strComputerName -FilterXml $xmlFilter -Oldest|Where-object{$_.Id -eq 42}
$WinEvents.count
# output is 10
$SelectorStrings= [String[]]@(
'Event/EventData/Data[@name="SessionID"]'
)
$PropertySelector= [System.Diagnostics.Eventing.Reader.EventLogPropertySelector]::new($SelectorStrings)
$WinEvents|ForEach-Object{$TheSessionIds=@();$TheSessionIds+=$_.GetPropertyValues($PropertySelector)}
$TheSessionIds.count
#output is 1
# All of the follow also return nothing:
$WinEvents[1].GetPropertyValues($PropertySelector)
$WinEvents.GetPropertyValues($PropertySelector)
WinEvent=$WinEvents[0]
WinEvent.GetPropertyValues($PropertySelector)
没有错误信息。 GetPropertyValues() 方法 returns 什么都没有。
PowerShell 版本:5.1.14393.2457
Windows
版本
版本
OS 构建
Windows
服务器 2016 标准版
1607
14393.2457
我的长期目标是生成类似于以下输出的内容。此 post 上的请求有助于从 GetPropertyValues 方法中获取值。我也想在其他项目中使用这种方法。
会话ID
用户
创建时间
编号
代码
12
MYDOMAIN\User.姓名
2021-06-28 07:35:54.4321
42
12
2021-06-28 15:35:54.4321
40
0
13
MYDOMAIN\Other.用户
2021-06-28 11:12:44.1234
42
13
2021-06-28 13:01:12.5678
40
0
如果您检查示例 XML 记录,您可以看到节点的路径不在 /EventData/Data 下。这花了一些时间,但这对我来说很完美。
$xmlFilter = @"
<QueryList>
<Query Id="0" Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational">
<Select Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational">*[System[(EventID=40 or EventID=42)]]</Select>
</Query>
</QueryList>
"@
$SelectorStrings= [String[]]@(
'Event/UserData/EventXML/User',
'Event/UserData/EventXML/Session',
'Event/UserData/EventXML/Reason'
)
Get-WinEvent -FilterXml $xmlFilter | ForEach-Object {
switch ($_.id){
40 {$SelectorStrings[1] = 'Event/UserData/EventXML/Session'}
42 {$SelectorStrings[1] = 'Event/UserData/EventXML/SessionID'}
}
$PropertySelector= [System.Diagnostics.Eventing.Reader.EventLogPropertySelector]::new($SelectorStrings)
$user,$sessionID,$reason = $_.GetPropertyValues($PropertySelector)
[PSCustomObject]@{
SessionID = $sessionID
User = $user
TimeCreated = $_.TimeCreated
ID = $_.ID
Code = $reason
}
}
我的短期目标是从名为 Microsoft-Windows-TerminalServices-**LocalSessionManager/Operational 的日志中收集提供者 Microsoft-Windows-TerminalServices-LocalSessionManager 的事件 ID 40 和 42,然后根据 Session/SessionID 对它们进行排序。虽然我可以尝试解析消息 属性,但我正在尝试使用 EventLogRecord 的 GetPropertyValues 方法,该方法采用 System.Diagnostics.Eventing.Reader.EventLogPropertySelector参数。此外,对于事件 40 的消息,会话 ID 首先显示为“会话”,对于事件 41 的消息显示为第二个标记为“会话 ID”。
| 姓名 | 会员类型 | 定义 |
|---|---|---|
| 获取属性值 | 方法 | System.Collections.Generic.IList[System.Object] |
我看到在 2018 年
(Get-WinEvent -ListProvider Microsoft-Windows-TerminalServices-LocalSessionManager).Events|Where-object{@(40,42) -contains $_.ID}
Id : 40
Version : 0
LogLink : System.Diagnostics.Eventing.Reader.EventLogLink
Level : System.Diagnostics.Eventing.Reader.EventLevel
Opcode : System.Diagnostics.Eventing.Reader.EventOpcode
Task : System.Diagnostics.Eventing.Reader.EventTask
Keywords : {}
Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events">
<data name="Session" inType="win:UInt32" outType="xs:unsignedInt"/>
<data name="Reason" inType="win:UInt32" outType="xs:unsignedInt"/>
</template>
Description : Session %1 has been disconnected, reason code %2
Id : 42
Version : 0
LogLink : System.Diagnostics.Eventing.Reader.EventLogLink
Level : System.Diagnostics.Eventing.Reader.EventLevel
Opcode : System.Diagnostics.Eventing.Reader.EventOpcode
Task : System.Diagnostics.Eventing.Reader.EventTask
Keywords : {}
Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events">
<data name="User" inType="win:UnicodeString" outType="xs:string"/>
<data name="SessionID" inType="win:UInt32" outType="xs:unsignedInt"/>
</template>
Description : End session arbitration:
User: %1
Session ID: %2
作为测试,我创建了以下内容以尝试从事件 ID 42 获取会话 ID:
$strComputerName='PMV-SC01'
<# For those wanting to build xmlFilters try something like the following as it allow you to create them more dynamically
$xmlFilterBase=[xml]'<QueryList><Query Id="0"></Query></QueryList>'
## in a loop ##
$xmlSelect=$xmlFilter.CreateElement("Select")
$xmlSelect.SetAttribute("Path","$Logname")
$xmlSelect.set_InnerText("*[System[$($ProviderName)TimeCreated[@SystemTime>='$StartTime' and @SystemTime<='$EndTime']]]")
$xmlFilter.QueryList.Query.AppendChild($xmlSelect)|Out-Null
$xmlSelect=$Null
## end loop ##
#>
#I used the filter below to simplify the testing.
$xmlFilter=@"
<QueryList><Query Id="0" Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"><Select Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational">*[System[TimeCreated[@SystemTime>='2021-06-28T22:00:00.000Z' and @SystemTime<='2021-06-28T23:00:00.000Z']]]</Select></Query></QueryList>
"@
$WinEvents=Get-WinEvent -ComputerName $strComputerName -FilterXml $xmlFilter -Oldest|Where-object{$_.Id -eq 42}
$WinEvents.count
# output is 10
$SelectorStrings= [String[]]@(
'Event/EventData/Data[@name="SessionID"]'
)
$PropertySelector= [System.Diagnostics.Eventing.Reader.EventLogPropertySelector]::new($SelectorStrings)
$WinEvents|ForEach-Object{$TheSessionIds=@();$TheSessionIds+=$_.GetPropertyValues($PropertySelector)}
$TheSessionIds.count
#output is 1
# All of the follow also return nothing:
$WinEvents[1].GetPropertyValues($PropertySelector)
$WinEvents.GetPropertyValues($PropertySelector)
WinEvent=$WinEvents[0]
WinEvent.GetPropertyValues($PropertySelector)
没有错误信息。 GetPropertyValues() 方法 returns 什么都没有。 PowerShell 版本:5.1.14393.2457
| Windows | 版本 | 版本 | OS 构建 |
|---|---|---|---|
| Windows | 服务器 2016 标准版 | 1607 | 14393.2457 |
我的长期目标是生成类似于以下输出的内容。此 post 上的请求有助于从 GetPropertyValues 方法中获取值。我也想在其他项目中使用这种方法。
| 会话ID | 用户 | 创建时间 | 编号 | 代码 |
|---|---|---|---|---|
| 12 | MYDOMAIN\User.姓名 | 2021-06-28 07:35:54.4321 | 42 | |
| 12 | 2021-06-28 15:35:54.4321 | 40 | 0 | |
| 13 | MYDOMAIN\Other.用户 | 2021-06-28 11:12:44.1234 | 42 | |
| 13 | 2021-06-28 13:01:12.5678 | 40 | 0 |
如果您检查示例 XML 记录,您可以看到节点的路径不在 /EventData/Data 下。这花了一些时间,但这对我来说很完美。
$xmlFilter = @"
<QueryList>
<Query Id="0" Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational">
<Select Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational">*[System[(EventID=40 or EventID=42)]]</Select>
</Query>
</QueryList>
"@
$SelectorStrings= [String[]]@(
'Event/UserData/EventXML/User',
'Event/UserData/EventXML/Session',
'Event/UserData/EventXML/Reason'
)
Get-WinEvent -FilterXml $xmlFilter | ForEach-Object {
switch ($_.id){
40 {$SelectorStrings[1] = 'Event/UserData/EventXML/Session'}
42 {$SelectorStrings[1] = 'Event/UserData/EventXML/SessionID'}
}
$PropertySelector= [System.Diagnostics.Eventing.Reader.EventLogPropertySelector]::new($SelectorStrings)
$user,$sessionID,$reason = $_.GetPropertyValues($PropertySelector)
[PSCustomObject]@{
SessionID = $sessionID
User = $user
TimeCreated = $_.TimeCreated
ID = $_.ID
Code = $reason
}
}