Powershell小技巧之从文件获取系统日志
有时你可能需要分析已经导出到硬盘上的事件日志文件，或者希望直接从“.evtx”文件中读取系统日志，而不是读取本机正在使用的日志通道。
你可以这样做:
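# Read a saved event log file instead of a live log channel.
# Get-WinEvent -Path accepts an exported/copied .evtx (or .evt/.etl) file; the caller
# needs read access to the file, which for files under Winevt\Logs normally means an
# elevated prompt. NOTE(review): when the .evtx was copied from another machine, message
# text is rendered against the providers registered locally, so descriptions for
# providers that are not installed here may come back empty — confirm on the target host.
$path = "$env:windir\System32\Winevt\Logs\Setup.evtx"
Get-WinEvent -Path $path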
另附一段示例代码：从任务计划程序（Task Scheduler）的 Operational 日志中读取某个计划任务的触发、开始和完成事件，并通过邮件发送执行报告。
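# Report on the scheduled "sync" task that is expected to be triggered today between
# 06:35 and 06:36. Reads Microsoft-Windows-TaskScheduler/Operational, correlates each
# trigger event (ID 107) with its start (ID 100) and completion (ID 102) events via
# ActivityId, and mails a success or failure report.
#
# NOTE(review): Send-MailMessage here relays without authentication over plain SMTP to an
# internal host, and Microsoft has marked the cmdlet obsolete because it cannot guarantee
# a secure connection. The relay must be restricted to trusted senders; consider an
# authenticated, TLS-capable mailer. The recipients and relay address are hard-coded
# (hoisted into variables below so they are easy to change) — do not ship real addresses
# in public examples.
#
# The working values are kept in $Global: variables, as in the original, so they remain
# inspectable in the calling session after the script finishes; be aware they persist.

# --- configuration -------------------------------------------------------------------
$LogName    = "Microsoft-Windows-TaskScheduler/Operational"
$SmtpServer = "10.100.100.153"
$MailFrom   = "CustomerLog@avepoint.com"
$MailTo     = "Zhijie.bai@avepoint.com", "Infrastructure_cn@avepoint.com"

# Window (today, 06:35-06:36) in which the trigger event is expected.
$StartTime = (Get-Date).Date + (New-TimeSpan -Hours 6 -Minutes 35)
$EndTime   = (Get-Date).Date + (New-TimeSpan -Hours 6 -Minutes 36)

$Global:TaskStart    = $null
$Global:TaskComplete = $null
$Global:events       = $null
$Global:event        = $null
$Global:TimeSpent    = $null

# Trigger events inside the window. If none match, Get-WinEvent writes a non-terminating
# error and $Global:events stays empty, so the loop below simply does not run.
$Global:events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; ID = 107; StartTime = $StartTime; EndTime = $EndTime }

# Start/completion events since the window opened. These depend only on $StartTime, not on
# the loop variable, so query them once rather than once per trigger event.
$StartLogs    = Get-WinEvent -FilterHashtable @{ LogName = $LogName; ID = 100; StartTime = $StartTime }
$CompleteLogs = Get-WinEvent -FilterHashtable @{ LogName = $LogName; ID = 102; StartTime = $StartTime }

foreach ($Global:event in $Global:events) {
    cls

    # Correlate on ActivityId. Select-Object -First 1 guarantees a single object (or $null),
    # so the timestamp arithmetic below never sees an array.
    $Global:TaskStart    = $StartLogs    | Where-Object { $_.ActivityId -eq $Global:event.ActivityId } | Select-Object -First 1
    $Global:TaskComplete = $CompleteLogs | Where-Object { $_.ActivityId -eq $Global:event.ActivityId } | Select-Object -First 1

    # Duration in minutes, only computable when both ends were found.
    # $null is placed on the left of -ne so that an empty result compares as expected.
    $Global:TimeSpent = $null
    if (($null -ne $Global:TaskStart) -and ($null -ne $Global:TaskComplete)) {
        $Global:TimeSpent = ($Global:TaskComplete.TimeCreated - $Global:TaskStart.TimeCreated).TotalMinutes
    }

    # NOTE(review): as in the original, a run that completed in one minute or less is
    # reported as a failure (-gt 1); confirm that threshold is intended.
    if (($null -ne $Global:TaskStart) -and ($null -ne $Global:TaskComplete) -and ($Global:TimeSpent -gt 1)) {
        $MessageBody = "Sync task started at: " + $Global:TaskStart.TimeCreated.DateTime + "`r`n"
        $MessageBody = $MessageBody + "`r`nSync task completed at: " + $Global:TaskComplete.TimeCreated.DateTime + "`r`n"
        $MessageBody = $MessageBody + "`r`nTask lasted for " + ("{0:N2}" -f $Global:TimeSpent) + " minutes"
        Send-MailMessage -From $MailFrom -To $MailTo -Subject "Customer Logs Sync Report: Success" -Body $MessageBody -SmtpServer $SmtpServer -Encoding UTF8
    }
    else {
        $MessageBody = "########################################################################`r`n"
        $MessageBody = $MessageBody + "`r`nCustom logs sync failed, please login 10.2.0.125 to check and sync again`r`n"
        $MessageBody = $MessageBody + "`r`n########################################################################`r`n"
        Send-MailMessage -From $MailFrom -To $MailTo -Subject "Customer Logs Sync Report: Failed" -Body $MessageBody -SmtpServer $SmtpServer -Encoding UTF8 -Priority High
    }
}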
以上代码支持 PowerShell 2.0 及以上版本；需要注意 Get-WinEvent 依赖较新的 Windows 事件日志基础结构（Windows Vista / Server 2008 及更高版本），在更早的系统上请改用 Get-EventLog。