Query windows event log for the past two weeks

Notice: this page is a Chinese-English bilingual translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you reuse it you must follow the same CC BY-SA license, cite the original address and author, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/12916060/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow

Date: 2020-09-09 09:59:12  Source: igfitidea

Tags: windows, windows-7, cmd, windows-server-2008-r2, event-log

Asked by Ivaylo Strandjev

I am trying to export a Windows event log but limit the exported events not according to number but according to the time the event was logged. I am trying to do that on Windows 7 and newer. So far my efforts are focused on using wevtutil.

I am using wevtutil and my command line now is: wevtutil Application events.evtx. The problem here is that I export the whole log and this can be quite big, so I want to limit it just to the last 2 weeks.

I have found this post, but first of all it does not seem to produce any output on my system (yes, I have changed the dates and time) and second it seems to be dependent on the date format, which I try to avoid.

Here is the modified command I ran:

wevtutil qe Application "/q:*[System[TimeCreated[@SystemTime>='2012-10-02T00:00:00' and @SystemTime<'2012-10-17T00:00:00']]]" /f:text

I had to replace the &lt; and &gt; with the actual symbols as I got a syntax error otherwise. This command produces empty output.

Accepted answer by joebalt

I don't know how you feel about PowerShell, but it's available on all the systems you tagged.

From a PowerShell prompt, see Get-Help Get-EventLog -Examples for more info.

If you have to do this from a .cmd or .bat file, then you can call powershell.exe -File powershell_script_file_name

where powershell_script_file_name has the Get-EventLog command(s) you need in it.

This example gives all the Security Event Log failures; I use it to audit systems:

Get-EventLog -LogName security -newest 1000 | where {$_.entryType -match "Failure"}

Answered by Codeguard

The problem is due to /q: being inside the quotes. It should be outside, like:

wevtutil qe Application /q:"*[System[TimeCreated[@SystemTime>='2012-10-02T00:00:00' and @SystemTime<'2012-10-17T00:00:00']]]" /f:text

This works just fine for me.

Answered by mivk

For the events of the last 2 weeks, you could also use timediff, to avoid hard-coding dates.

Windows uses milliseconds, so it would be 1000 * 86400 (seconds, = 1 day) * 14 (days) = 1209600000.

For your query, that would look like

wevtutil qe Application /q:"*[System[TimeCreated[timediff(@SystemTime) <= 1209600000]]]" /f:text /c:1

I added /c:1 to get only 1 event in the example, since there are many events in the last 2 weeks.

You may also want to only list warnings and errors. For that, you can use (Level=2 or Level=3). (For some reason, Level<4 doesn't seem to work for me on Win7.)

wevtutil qe Application /q:"*[System[(Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) <= 1209600000]]]" /f:text /c:1
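One way to combine the PowerShell route from the accepted answer with the timediff/Level XPath from this answer is shown below. This is an added example, not code from any of the answers; it assumes Get-WinEvent (the current replacement for Get-EventLog, which accepts the same XPath that wevtutil does) and the output file names are made up.

```powershell
# Added example: derive the two-week window from the current time instead of
# hard-coding dates, then query and export with that window.
$days     = 14
$windowMs = [int64]$days * 86400 * 1000   # 14 days in ms = 1209600000, as computed above

# XPath 1.0 filter in the same shape as the wevtutil queries on this page.
# Level 1/2/3 = Critical/Error/Warning; timediff() compares against "now",
# so no date-format handling is needed.
$xpath = "*[System[(Level=1 or Level=2 or Level=3) and " +
         "TimeCreated[timediff(@SystemTime) <= $windowMs]]]"

# Get-WinEvent understands the same XPath. "No events found" is reported as an
# error, so suppress it and check the result count instead.
$events = @(Get-WinEvent -LogName Application -FilterXPath $xpath -ErrorAction SilentlyContinue)
"Matched $($events.Count) events in the last $days days"

# Equivalent hashtable filter, for comparison: StartTime is computed locally and
# converted to the log's UTC timestamps by the cmdlet.
$since = (Get-Date).AddDays(-$days)
$sameEvents = @(Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Level = 1, 2, 3; StartTime = $since } `
                             -ErrorAction SilentlyContinue)
"Hashtable filter matched $($sameEvents.Count) events"

# Per-provider/ID summary so a reviewer can see what is noisy before reading messages.
$events |
    Group-Object ProviderName, Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Keep a CSV for the record (file name is an assumption).
$events |
    Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message |
    Export-Csv -Path ".\application-last-$days-days.csv" -NoTypeInformation -Encoding UTF8

# The original question wanted an .evtx export: wevtutil's export-log (epl) verb
# accepts the same /q: filter as qe, so the window applies to the exported file too.
wevtutil epl Application ".\application-last-$days-days.evtx" "/q:$xpath"
```

Reading the exported .evtx back with Get-WinEvent -Path ".\application-last-$days-days.evtx" is a quick way to confirm that only the filtered window was written.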

Answered by Ansgar Wiechers

I strongly recommend using LogParser for this kind of task:

logparser -i:evt file:query.sql

With query.sql containing something like this:

SELECT
  TimeGenerated,EventID,SourceName,Message
FROM Application
WHERE TimeGenerated > TO_TIMESTAMP(SUB(TO_INT(SYSTEM_TIMESTAMP()), 1209600))
ORDER BY TimeGenerated DESC

The somewhat unintuitive date calculation converts the system time (SYSTEM_TIMESTAMP()) to an integer (TO_INT()), subtracts 1209600 seconds (60 * 60 * 24 * 14 = 2 weeks) and converts the result back to a timestamp (TO_TIMESTAMP()), thus producing the date from 2 weeks ago.

You can parameterize the timespan by replacing the fixed number of seconds with MUL(86400, $days) and changing the command line to this:

logparser -i:evt file:query.sql+days=14

You can also pass the query directly to logparser:

logparser -i:evt "SELECT TimeGenerated,EventID,SourceName,Message FROM ..."