windows 如何在PowerShell中传递特定的xml过滤器来请求事件?

owfi6suc  于 2023-06-24  发布在  Windows
关注(0)|答案(1)|浏览(97)
# Define the remote server name
$remoteServer = "SERVER_NAME"

# Define the credentials for authentication
$username = "USERNAME"
$password = "PASSWORD"
$securePassword = ConvertTo-SecureString -String $password -AsPlainText -Force
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList   $username, $securePassword

# Define the time range for the last half hour
$startTime = (Get-Date).AddMinutes(-30)
$endTime = Get-Date

# Define the event ID for Netlogon 5810
$eventID = 5810

# Construct the filter for the desired event ID and time range
$filter = @"
<QueryList>
    <Query>
        <Select Path="Security">
            *[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=$eventID)]]
            and
            *[System[TimeCreated[@SystemTime>='$($startTime.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ"))' and @SystemTime<='$($endTime.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ"))']]]
        </Select>
    </Query>
</QueryList>
"@

# Retrieve the events from the remote server with authentication
$events = Get-WinEvent -ComputerName $remoteServer -FilterXml $filter -Credential $credential

# Count the number of events
$eventCount = $events.Count

# Display the result
Write-Host "Number of Netlogon 5810 events in the last half hour: $eventCount"


使用powershell运行此代码会出现以下错误:
Get-WinEvent:Impossible de利耶le paramètre « FilterXml ».无法转换值« *[System[Provider[@Name ='Microsoft-Windows-Security-Auditing'] and(EventID=5810)]]和 *[System[TimeCreated[@SystemTime>='2023 -06- 14 T13:24:15 Z' and @SystemTime<='2023 -06- 14 T13:54:15 Z']] » en type «System.Xml.XmlDocument»。错误:«Le caractère '=',valeur hexadécimale 0x3D,ne peut pas begencer un nom. Ligne 6,position 90.»具体C:\Program Files\NSClient++\scripts\OPSSI\test.ps1:31:63

  • ... = Get-WinEvent -ComputerName $remoteServer -FilterXml $filter -Creden ...
~~~~~~~
  • 分类信息:InvalidArgument:(:)[Get-WinEvent],ParameterBindingException
  • FullyQualifiedErrorId:CannotConvertArgumentNoMessage,Microsoft.PowerShell.Commands.GetWinEventCommand

有人能告诉我如何修正过滤器变量吗?
我试图执行此代码,以获得过去半小时内远程服务器上所有5810个netlogon事件的计数,并得到上述错误。

windows

1条答案

按热度按时间
e4eetjau

e4eetjau1#

您需要转义XPath中的>=<=运算符,这样它们就不会被解释为XML标记分隔符。
<的转义序列是&lt;>的转义序列是&gt;

$filter = @"
<QueryList>
    <Query>
        <Select Path="Security">
            *[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=$eventID)]]
            and
            *[System[TimeCreated[@SystemTime&gt;='$($startTime.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ"))' and @SystemTime&lt;='$($endTime.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ"))']]]
        </Select>
    </Query>
</QueryList>
"@
赞(0)分享  回复(0)举报  2023-06-24
我来回答

相关问题

    查看更多

    热门标签

    更多
    JavaquerypythonNode开发语言requestUtil数据库Table后端算法LoggerMessageElementParser

    最新问答

    更多
    • 蜀ICP备2022004421号-2 NULL123 https://www.null123.com © All rights reserved
    • 本站内容来源互联网,如果侵犯您的权益请联系我们删除, 联系方式:448109455@qq.com