Export Critical, Warning and Error events from Windows Logs
I'm using most of the script from here: https://kb.webspy.com/s/article/windows-event-logs-and-powershell
However, I'd like to know if there is a way to export only Critical, Warning and Error events. I know those event levels are 1-3:
Get-WinEvent -FilterHashTable @{LogName = "System"; Level=1,2,3; StartTime=((Get-Date).AddDays(-7))} -ComputerName "server1" #| Out-GridView
I just want to know where to add the levels to this script.
# Logs to extract from server
$logArray = @("System","Security","Application")
# Grabs the server name to append to the log file extraction
$servername = $env:computername
# Provide the path with ending "\" to store the log file extraction.
$destinationpath = "C:\WindowsEventLogs\"
# Checks the last character of the destination path. If it does not end in '\' it adds one.
# '.+?\\$': .+? means any characters, \\ is a literal backslash, $ is the end-of-string anchor
# (a single \$ would look for a literal '$' instead of a trailing backslash)
if ($destinationpath -notmatch '.+?\\$')
{
    $destinationpath += '\'
}
# If the destination path does not exist it will create it
if (!(Test-Path -Path $destinationpath))
{
    New-Item -ItemType directory -Path $destinationpath
}
# Get the current date and time in YearMonthDayHourMinute format
$logdate = Get-Date -format yyyyMMddHHmm
# Start Process Timer
$StopWatch = [system.diagnostics.stopwatch]::startNew()
# Start Code
Clear-Host
Foreach($log in $logArray)
{
    # If using Clear and backup
    $destination = $destinationpath + $servername + "-" + $log + "-" + $logdate + ".evtx"
    Write-Host "Extracting the $log file now."
    # Extract each log file listed in $logArray from the local server.
    wevtutil epl $log $destination
}
# End Code
# Stop Timer
$StopWatch.Stop()
$TotalTime = $StopWatch.Elapsed.TotalSeconds
$TotalTime = [math]::Round($TotalTime, 2)
Write-Host "The Script took $TotalTime seconds to execute."
The code appears to be using wevtutil to retrieve information from the event logs:
wevtutil epl $log $destination
According to the documentation, wevtutil also accepts different options, one of which is /q:<Query>:
Defines the XPath query to filter the events that are read or
exported. If this option is not specified, all events will be returned
or exported. This option is not available when /sq is true.
So you can create an XPath query based on the event level to apply the filter:
wevtutil epl $log $destination /q:"*[System[(Level=1 or Level=2 or Level=3)]]"
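As an added example (not code from the original post, the answer, or the linked KB article), here is the asker's loop with the answer's /q XPath filter plugged in, extended to the 7-day window the asker's Get-WinEvent call used; the function name Export-FilteredEventLog, the -Days parameter and the read-back count are assumptions for illustration.

```powershell
# Added example: export only Critical (1), Error (2) and Warning (3) events from the last N days.
# Export-FilteredEventLog and -Days are illustrative names, not part of the original script.
function Export-FilteredEventLog {
    param(
        [Parameter(Mandatory)] [string] $LogName,
        [Parameter(Mandatory)] [string] $Destination,
        [int[]] $Levels = @(1, 2, 3),   # 1 = Critical, 2 = Error, 3 = Warning
        [int]   $Days   = 7             # keep only events newer than this many days
    )
    # Build "(Level=1 or Level=2 or Level=3)" from the level list
    $levelClause = '(' + (($Levels | ForEach-Object { "Level=$_" }) -join ' or ') + ')'
    # timediff() is evaluated by the event log service and returns milliseconds
    $msWindow   = [int64]$Days * 24 * 60 * 60 * 1000
    $timeClause = "TimeCreated[timediff(@SystemTime) <= $msWindow]"
    $xpath      = "*[System[$levelClause and $timeClause]]"

    # /ow:true overwrites an existing file of the same name instead of failing
    wevtutil epl $LogName $Destination /q:"$xpath" /ow:true
    if ($LASTEXITCODE -ne 0) {
        throw "wevtutil failed for log '$LogName' (exit code $LASTEXITCODE)"
    }
    # Read the exported file back to confirm what was written;
    # Get-WinEvent raises an error on a file with no events, so silence it.
    $count = (Get-WinEvent -Path $Destination -ErrorAction SilentlyContinue | Measure-Object).Count
    [pscustomobject]@{ LogName = $LogName; File = $Destination; Events = $count; Query = $xpath }
}

# Same layout as the asker's script; exporting the Security log needs an elevated session.
$logArray        = @('System', 'Security', 'Application')
$servername      = $env:COMPUTERNAME
$destinationpath = 'C:\WindowsEventLogs'
if (-not (Test-Path -Path $destinationpath)) {
    New-Item -ItemType Directory -Path $destinationpath | Out-Null
}
$logdate = Get-Date -Format yyyyMMddHHmm

foreach ($log in $logArray) {
    $destination = Join-Path $destinationpath "$servername-$log-$logdate.evtx"
    Write-Host "Extracting Critical/Error/Warning events from $log to $destination"
    Export-FilteredEventLog -LogName $log -Destination $destination -Levels 1,2,3 -Days 7
}
```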