我试图通过Get-WinEvent过滤事件以获取过去24小时内的特定日志:
$EventLogFilter = @{logname='ForwardedEvents'; id=4771,4625,4768; StartTime=(Get-Date).AddHours(-24)}
$LogonEvents = Get-WinEvent -FilterHashtable $EventLogFilter
问题是Get-WinEvent只返回14个事件,但有数千个符合此条件.
例:
$EventLogFilter = @{logname='ForwardedEvents'; id=4771,4768; StartTime=(Get-Date).AddHours(-24)}
$LogonEvents = (Get-WinEvent -FilterHashtable $EventLogFilter)
$LogonEvents.count
14
现在,如果我从Get-WinEvent中删除StartTime过滤器并使用where-object过滤,您可以看到实际有多少这些事件:
$EventLogFilter = @{logname='ForwardedEvents'; id=4771,4768}
$LogonEvents = (Get-WinEvent -FilterHashtable $EventLogFilter)
($LogonEvents | ?{$_.TimeCreated -ge (Get-Date).Addhours(-24)}).count
19497
所以它错过了近20,000个事件日志!到底发生了什么事,我做了些什么愚蠢的事情,是Get-WinEvent被打破了吗?这个cmldet在它突然出现并产生不可靠结果之前可以过滤的日志数是否有限制?
有人在另一个论坛上给了我答案 – FilterXML来救援.
以下内容为我提供了我想要的更多便利,让GUI为我构建了查询:
$FilterXML = '<QueryList>
<Query Id="0" Path="ForwardedEvents">
<Select Path="ForwardedEvents">*[System[(EventID=4771 or EventID=4625 or EventID=4768) and TimeCreated[timediff(@SystemTime) <= 86400000]]]</Select>
</Query>
</QueryList>'
$LogonEvents = Get-WinEvent -FilterXml $FilterXML
$LogonEvents | sort -Property TimeCreated | Select-Object -First 1
做($LogonEvents | sort -Property TimeCreated | Select-Object -First 1)我能够确认最旧的日志正好是24小时.
应该更多地在文档中探讨,因为我没有事件知道-filterxml.我想我会从现在开始使用它.
