窗口事件日志命名数据

编程问答 2022-05-31

问题描述

我想为窗口事件日志创建日志条目

<EventData>
  <Data Name="param1">10</Data> 
  <Data Name="param2">20</Data> 
</EventData>

所以我创建了一个 events.man 检测清单,如下所示:

<instrumentationManifest xmlns="http://schemas.microsoft.com/win/2004/08/events">

    <instrumentation xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events">
        <events>
            <provider name="Myapp"...>
                 ...
                 <templates>
                    <template tid="tid1" name="TriggerSchedule Args">
                        <data name="param1" inType="win:UnicodeString" outType="xs:string" />
                        <data name="param2" inType="win:UnicodeString" outType="xs:string"/>
                    </template>
                </templates>
                 ...
                <events>
                    <event version="1" value="3001" template="tid1" .../>
                </events>
            </provider>
         </events>
    </instrumentation>
    <localization>
    ...
    </localization>
</instrumentationManifest>

然后用命令编译它:

mc.exe -um events.man 
rc.exe events.rc 
link.exe  /dll /noentry /machine:x64 events.res

最后,我正在使用 wevtutil.exe im events.man 来安装它。

使用 python win32evtlogwin32evtlogutil lib 编写日志

win32evtlogutil.ReportEvent(appName='Myapp',eventID=3001,eventCategory=1,eventType=win32evtlog.EVENTLOG_@R_385_4045@ION_TYPE,strings=['10','20])

但它不起作用,事件查看器中的结果是:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
      <Provider Name="Myapp" /> 
      <EventID Qualifiers="45056">3001</EventID> 
      <Level>4</Level> 
      <Task>1</Task> 
      <Keywords>0x80000000000000</Keywords> 
      <TimeCreated SystemTime="2021-01-07T06:27:29.283998600Z" /> 
      <EventRecordID>11376</EventRecordID> 
      <Channel>Application</Channel> 
      <Computer>XXXX</Computer> 
  <Security /> 
  </System>
  <EventData>
      <Data>LS</Data> 
      <Data>10</Data> 
  </EventData>
</Event>

然后我尝试另一个事件:

strings = [
        'application-specific','Local','Activation','{2593F8B9-4EAF-457C-B68A-50F6B8EA6B54}','{15C20B67-12E7-4BB6-92BB-7AFF07997402}','XXXX','S-1-5-21-3714930842-1560179380-3449107254-1001','LocalHost (Using LRPC)','Unavailable',]

win32evtlogutil.ReportEvent(appName='Microsoft-Windows-distributedCOM',eventID=10016,eventCategory=0,eventType=win32evtlog.EVENTLOG_WARNING_TYPE,strings=strings)

=> 我用结果完美地工作:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-distributedCOM" Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}" EventSourceName="DCOM" /> 
    <EventID Qualifiers="0">10016</EventID> 
    <Version>0</Version> 
    <Level>3</Level> 
    <Task>0</Task> 
    <Opcode>0</Opcode> 
    <Keywords>0x8080000000000000</Keywords> 
    <TimeCreated SystemTime="2021-01-07T04:26:15.187300200Z" /> 
    <EventRecordID>15595</EventRecordID> 
    <Correlation ActivityID="{3bcf0b4e-c271-4e6f-a45f-a29c3a9f0c42}" /> 
    <Execution ProcessID="1220" ThreadID="6936" /> 
    <Channel>System</Channel> 
    <Computer>XXX</Computer> 
  <Security UserID="S-1-5-21-3714930842-1560179380-3449107254-1001" /> 
  </System>
  <EventData>
    <Data Name="param1">machine-default</Data> 
    <Data Name="param2">Local</Data> 
    <Data Name="param3">Activation</Data> 
    <Data Name="param4">{C2F03A33-21F5-47FA-B4BB-156362A2F239}</Data> 
    <Data Name="param5">{316CDED5-E4AE-4B15-9113-7055D84DCC97}</Data> 
    <Data Name="param6">DESKTOP-HIEUNC</Data> 
    <Data Name="param7">HieuNguyen</Data> 
    <Data Name="param8">S-1-5-21-3714930842-1560179380-3449107254-1001</Data> 
    <Data Name="param9">LocalHost (Using LRPC)</Data> 
    <Data Name="param10">Microsoft.Windows.ShellExperienceHost_10.0.18362.1171_neutral_neutral_cw5n1h2txyewy</Data> 
    <Data Name="param11">S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708</Data> 
  </EventData>
</Event>

我尝试搜索了 3 天,但很少有帖子讨论这个主题,我也从 microsoft 文档站点阅读了它,但没有找到我的代码发生了什么问题。

我按照此 post 创建 events.man 文件

如果有人对此问题有经验,请帮助我。 非常感谢。

解决方法

暂无找到可以解决该程序问题的有效方法,小编努力寻找整理中!

如果你已经找到好的解决方法,欢迎将解决方案带上本链接一起发送给小编。

小编邮箱:dio#foxmail.com (将#修改为@)

etwevent-loginstrumentationpython-3.xwindow