发表新帖
发表新帖

Using XPath starts-with or contains functions to search Windows event logs

后端 未结
关注
3 417
天命终不由人
天命终不由人 2021-01-01 12:00

By editing the XML filter query manually in Windows event viewer, I can find events where the data matches a string exactly:
相关标签:
3条回答
  • 说谎
    2021-01-01 12:10

    If you don't mind two passes, you can always use a powershell script to re-filter the data as its          -where operator supports -like, -match, and -contains:

    nv.ps1

    $Query = @"
  <QueryList>
    <Query Id="0" Path="System">
      <Select Path="System">
        *[System[(EventID=20001)]]
      </Select>
    </Query>
  </QueryList>
"@

$events = Get-WinEvent -FilterXml $Query
ForEach ($Event in $Events) {
    # Convert the event to XML
    $eventXML = [xml]$Event.ToXml()
    Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name  DriverVersion -Value $eventXML.Event.UserData.InstallDeviceID.DriverVersion
    Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name  DriverDescription -Value $eventXML.Event.UserData.InstallDeviceID.DriverDescription
    Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name  Data -Value $eventXML.Event.EventData.Data
}
$Events | Select TimeCreated, Id, DriverDescription, DriverVersion, ProviderName, @{Name="MessageData";Expression={$_.Message + $_.Data}} | Where {$_.DriverDescription -match "NVIDIA GeForce GTX*"} | Out-GridView
pause

    A cmd to launch it (nv.cmd):

    powershell.exe -executionpolicy bypass "& '.\nv.ps1'"
    0 讨论(0)
  • 我寻月下人不归
    2021-01-01 12:12

    A quick powershell to search for session* in data. Even if data were an array, this should work.

    get-winevent application | where { $xml = [xml]$_.toxml() 
  $xml.event.eventdata.data -like 'session*' } | select -first 3


   ProviderName: Microsoft-Windows-Winlogon

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
2/22/2020 11:05:30 AM         6000 Information      The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event.
2/22/2020 11:05:30 AM         6003 Information      The winlogon notification subscriber <SessionEnv> was unavailable to handle a critical notification event.
2/21/2020 6:28:38 PM          6000 Information      The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event.


$xml.event.eventdata.data # the last one

SessionEnv

    If you don't need the precision, it's easier to match on the message, which the data fields often appear in.

    get-winevent application | where message -match session
    0 讨论(0)
  • 迷失自我
    2021-01-01 12:30

    Windows Event Log supports a subset of XPath 1.0. It contains only 3 functions: position, Band, timediff.

    Reference: https://docs.microsoft.com/en-us/windows/desktop/WES/consuming-events#xpath-10-limitations

    0 讨论(0)
 看不清?
提交回复
热议问题