当前位置: 文江博客话题详情

使用 XPath 开头或包含的函数来搜索 Windows 事件日志

发布于 2024-12-23 09:07:41 字数 634 浏览 3 评论 0原文

通过在 Windows 事件查看器中手动编辑 XML 过滤器查询,我可以找到数据与字符串完全匹配的事件:

<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[EventData[Data and (Data="Session end: imzcjflrrsq1sfdk3okc4jpf")]]</Select>
  </Query>
</QueryList>

现在,我想做部分匹配:

<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[EventData[Data and (Data[starts-with(.,"Session")])]]</Select>
  </Query>
</QueryList>

事件日志给出错误:

指定的查询无效

我的语法是否错误?

原文

By editing the XML filter query manually in Windows event viewer, I can find events where the data matches a string exactly:

<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[EventData[Data and (Data="Session end: imzcjflrrsq1sfdk3okc4jpf")]]</Select>
  </Query>
</QueryList>

Now, I want to do a partial match:

<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[EventData[Data and (Data[starts-with(.,"Session")])]]</Select>
  </Query>
</QueryList>

Event log gives me the error:

The specified query is invalid

Do I have the syntax wrong?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

梦初启 2024-12-30 09:07:41

Windows 事件日志支持 XPath 1.0 的子集。它只有三个函数:positionBandtimediff

参考:https://learn.microsoft .com/en-us/windows/desktop/WES/consuming-events#xpath-10-limitations

Windows Event Log supports a subset of XPath 1.0. It has only three functions: position, Band, timediff.

Reference: https://learn.microsoft.com/en-us/windows/desktop/WES/consuming-events#xpath-10-limitations

回复 原文
眼睛会笑 2024-12-30 09:07:41

如果您不介意两次传递,则始终可以使用 powershell 脚本重新过滤数据,因为其-where 运算符支持 -like-match-contains

nv.ps1

$Query = @"
  <QueryList>
    <Query Id="0" Path="System">
      <Select Path="System">
        *[System[(EventID=20001)]]
      </Select>
    </Query>
  </QueryList>
"@

$events = Get-WinEvent -FilterXml $Query
ForEach ($Event in $Events) {
    # Convert the event to XML
    $eventXML = [xml]$Event.ToXml()
    Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name  DriverVersion -Value $eventXML.Event.UserData.InstallDeviceID.DriverVersion
    Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name  DriverDescription -Value $eventXML.Event.UserData.InstallDeviceID.DriverDescription
    Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name  Data -Value $eventXML.Event.EventData.Data
}
$Events | Select TimeCreated, Id, DriverDescription, DriverVersion, ProviderName, @{Name="MessageData";Expression={$_.Message + $_.Data}} | Where {$_.DriverDescription -match "NVIDIA GeForce GTX*"} | Out-GridView
pause

用于启动它的 cmd (nv.cmd):

powershell.exe -executionpolicy bypass "& '.\nv.ps1'"

If you don't mind two passes, you can always use a powershell script to re-filter the data as its          -where operator supports -like, -match, and -contains:

nv.ps1

$Query = @"
  <QueryList>
    <Query Id="0" Path="System">
      <Select Path="System">
        *[System[(EventID=20001)]]
      </Select>
    </Query>
  </QueryList>
"@

$events = Get-WinEvent -FilterXml $Query
ForEach ($Event in $Events) {
    # Convert the event to XML
    $eventXML = [xml]$Event.ToXml()
    Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name  DriverVersion -Value $eventXML.Event.UserData.InstallDeviceID.DriverVersion
    Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name  DriverDescription -Value $eventXML.Event.UserData.InstallDeviceID.DriverDescription
    Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name  Data -Value $eventXML.Event.EventData.Data
}
$Events | Select TimeCreated, Id, DriverDescription, DriverVersion, ProviderName, @{Name="MessageData";Expression={$_.Message + $_.Data}} | Where {$_.DriverDescription -match "NVIDIA GeForce GTX*"} | Out-GridView
pause

A cmd to launch it (nv.cmd):

powershell.exe -executionpolicy bypass "& '.\nv.ps1'"
回复 原文
苄①跕圉湢 2024-12-30 09:07:41

一个快速的 powershell,用于在数据中搜索会话*。即使数据是一个数组,这也应该有效。

get-winevent application | where { $xml = [xml]$_.toxml() 
  $xml.event.eventdata.data -like 'session*' } | select -first 3


   ProviderName: Microsoft-Windows-Winlogon

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
2/22/2020 11:05:30 AM         6000 Information      The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event.
2/22/2020 11:05:30 AM         6003 Information      The winlogon notification subscriber <SessionEnv> was unavailable to handle a critical notification event.
2/21/2020 6:28:38 PM          6000 Information      The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event.


$xml.event.eventdata.data # the last one

SessionEnv

如果不需要精度,则在数据字段经常出现的消息上进行匹配会更容易。

get-winevent application | where message -match session

A quick powershell to search for session* in data. Even if data were an array, this should work.

get-winevent application | where { $xml = [xml]$_.toxml() 
  $xml.event.eventdata.data -like 'session*' } | select -first 3


   ProviderName: Microsoft-Windows-Winlogon

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
2/22/2020 11:05:30 AM         6000 Information      The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event.
2/22/2020 11:05:30 AM         6003 Information      The winlogon notification subscriber <SessionEnv> was unavailable to handle a critical notification event.
2/21/2020 6:28:38 PM          6000 Information      The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event.


$xml.event.eventdata.data # the last one

SessionEnv

If you don't need the precision, it's easier to match on the message, which the data fields often appear in.

get-winevent application | where message -match session
回复 原文
~没有更多了~

关于作者

伪心

暂无简介

文章
评论
26 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

燃烧我的卡路李先生

文章 0 评论 0

qq_2gSKZM

文章 0 评论 0

∞梦里开花

文章 0 评论 0

qq_IklFPL

文章 0 评论 0

迷途知返

文章 0 评论 0

深海不蓝

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文