问题描述
我需要根据以下Win-Event查询显示IP地址和主机名的方法:
脚本:
$date = Get-date -Format "dd-MM_hh_mm"
$FilePath = ([Environment]::GetFolderPath("Desktop") + "\DCOMErrors_$date.txt")
Clear-Host
Write-Host "`r`nGathering DCOM ID:10028 errors from $env:computername system"
$DCOM = Get-WinEvent System | Where-Object { ($_.ProviderName -like "Microsoft-Windows-distributedCOM") -and ($_.ID -like "10028") }
Write-Host "`r`nProcessing DCOM messages"
$DCOMHash = New-Object "System.Collections.Generic.List[System.Object]"
$DCOM | ForEach-Object -Process {
$DCOMfr = $DCOMline.Message.IndexOf("computer",1)
$DCOMto = $DCOMline.message.IndexOf("using")
$DCOMip = ""
$DCOMip = $DCOMline.message.substring($DCOMfr + 9,$DCOMto - $DCOMfr - 9)
$DCOMhostname = If ([System.Net.Dns]::GetHostEntry($DCOMip)) { [System.Net.Dns]::GetHostEntry($DCOMip) } else { try { [System.Net.Dns]::GetHostEntry($DCOMip) } catch { $_.Exception.Message } }
$DCOMhash += $DCOMip -replace '\.$'
}
Out-File -filepath
"Total DCOM Error Count: " + $DCOMhash.count | Export-Csv -FilePath $FilePath -Append
$DCOMhash | group-object | sort-object Count -Descending | Format-Table -Property Name,Count | Out-File -FilePath $FilePath -Append
Write-Host "Result of the script to gather the IPs with DCOM errors associated with them `r`n There is Now a text file on the desktop with the output,opening txt file in"
ii $FilePath
上面的尝试没有产生如下面结果样本中那样有意义的结果
当前输出:
Total DCOM Error Count: 1000
Name Count
---- -----
1000
预期结果:
> Total DCOM Error Count: 1000
> Name Hostname Count
> ---- -------- -----
> 1.1.1.1 AD01 400
> 1.1.2.2 AD02 300
> 2.2.2.2 N/A 500
如果需要,这是事件ID 10028的以下示例:
Log Name: System
Source: Microsoft-Windows-distributedCOM
Date: 27/10/2020 12:57:25 PM
Event ID: 10028
Task Category: None
Level: Error
Keywords: Classic
User: SYstem
Computer: MON01.server-farm.com
Description:
DCOM was unable to communicate with the computer 1.1.1.1 using any of the configured protocols; requested by PID 61a0 (C:\Program Files (x86)\Common Files\SolarWinds\JobEngine.v2\SWJobEngineWorker2x64.exe).
> Event Xml: <Event
> xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
> <System>
> <Provider Name="Microsoft-Windows-distributedCOM" Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}" EventSourceName="DCOM"
> />
> <EventID Qualifiers="0">10028</EventID>
> <Version>0</Version>
> <Level>2</Level>
> <Task>0</Task>
> <Opcode>0</Opcode>
> <Keywords>0x8080000000000000</Keywords>
> <TimeCreated SystemTime="2020-10-27T01:57:25.776635700Z" />
> <EventRecordID>72256491</EventRecordID>
> <Correlation />
> <Execution ProcessID="976" ThreadID="9500" />
> <Channel>System</Channel>
> <Computer>MON01.server-farm.com</Computer>
> <Security UserID="S-1-5-18" /> </System> <EventData>
> <Data Name="param1">10.10.5.165</Data>
> <Data Name="param2"> 61a0</Data>
> <Data Name="param3">C:\Program Files (x86)\Common Files\SolarWinds\JobEngine.v2\SWJobEngineWorker2x64.exe</Data>
> <Binary>12934761728346172846987569874562345ABCDEF</Binary> </EventData> </Event>
解决方法
在此脚本中,您遇到了几个问题。
首先,您要提取所有系统日志,然后进行过滤,这将会很慢。任何过滤器选项(filterhashtable,filterxpath,filterxml)都可以极大地加快这一步。
第二,您正在运行Foreach-Object循环,但是在应引用$DCOMline时引用了一些随机变量名$_
第三,DCOMhostname试图填充,但从此不再使用。整个部分似乎都被误导了。如果成功或失败,则每个“名称”将运行GetHostEntry两次。还发现$DCOMip末尾有多余的空间,导致GetHostEntry对所有对象均失败。
第四,随机Out-File -filepath
第五,尝试将文本“ Total DCOM Error Count:” + $ DCOMhash.count导出为CSV。似乎要在此处使用“设置/添加内容”。
第六,Format-Table仅应用于控制台输出,而不应用于管道或写入文件。
第七,当Out-File似乎是导出CSV的适当位置时使用
第八,您似乎试图对名称进行分组,但也希望在输出中获取主机名。您也可以将其添加到group-object -property,但是如果每种名称都有很多不同的主机名,则只会列出其中之一。
所有这些,这将为您获取名称(ip)和计数,以及$DCOMash变量中的名称和主机名。
$date = Get-date -Format "dd-MM_hh_mm"
$FilePath = ([Environment]::GetFolderPath("Desktop") + "\DCOMErrors_$date.txt")
Clear-Host
Write-Host "`r`nGathering DCOM ID:10028 errors from $env:computername system"
$DCOM = Get-WinEvent -FilterHashtable @{
LogName = 'System'
ProviderName = "Microsoft-Windows-DistributedCOM"
ID = "10028"
}
Write-Host "`r`nProcessing DCOM messages"
$DCOMHash = New-Object "System.Collections.Generic.List[System.Object]"
$DCOM | ForEach-Object -Process {
$DCOMfr = $_.Message.IndexOf("computer",1)
$DCOMto = $_.message.IndexOf("using")
$DCOMip = ""
$DCOMip = $_.message.substring($DCOMfr + 9,$DCOMto - $DCOMfr - 9).trim()
try
{
$DCOMhostname = [System.Net.Dns]::GetHostEntry($DCOMip).hostname -replace '\.$'
}
catch
{
$DCOMhostname = "N/A"
}
$DCOMhash.Add([PSCustomObject]@{
Name = $DCOMip
HostName = $DCOMhostname
})
}
$DCOMhash | Group-Object -Property name | select name,count | Sort-Object Count -Descending