Get-EventLog - valid message missing for some event log sources


Problem description

I'm pulling and filtering System Event Log data using get-eventlog. What I'm finding is that get-eventlog is not able to correctly return the message associated with some entries. These entries appear normally in the event log viewer. E.g.

get-eventlog -logname system | ? { $_.source -eq "Microsoft-Windows-Kernel-General" }

returns 8 entries, all of which have a message of the following form:

The description for Event ID '12' in Source 'Microsoft-Windows-Kernel-General' cannot be found.  
The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them.  
The following information is part of the event:'6', '1', '7601', '18798', '1', '0', '2015-06-13T08:33:32.359599800Z'

If I filter the system event log for the same source, I can clearly see the fully formed message. E.g.

The operating system started at system time ‎2015‎-‎06‎-‎13T08:33:32.359599800Z.

I ran the following to see if any other providers were unable to return valid event messages:

get-eventlog -LogName system | ? { $_.Message -like "The description for Event ID*" }  | Group-Object -Property Source | Select-Object -Property Name

Name
----
Microsoft-Windows-Kernel-General
DCOM
WinRM
Microsoft-Windows-Iphlpsvc

I checked in the event log viewer to find the corresponding entries for the DCOM, WinRM and Iphlpsvc sources and confirmed that the correct message was visible.

I've run the test scripts in an admin-level PowerShell console.

Any ideas?

Further research has revealed that PsLogList also appears to suffer from the same problem, whereas WEVTUTIL does not.

Following the suggestion by Windos, I tried get-winevent. I had tried this previously and found that it would return no Message data at all. I tried again and found the same result. I then tried

Get-WinEvent -ProviderName "Microsoft-Windows-Kernel-General"

which produced the following error:

Could not retrieve information about the Microsoft-Windows-Kernel-General provider. Error: The locale specific resource for the desired message is not present.

A little googling led me to 'https://p0w3rsh3ll.wordpress.com/2013/12/13/why-does-my-get-winevent-command-fail/' who had also experienced the same error message. He suggested this was due to regional settings. I'm in Australia, so my 'format' setting in Control Panel was 'English (Australia)'. I changed this to 'English (United States)', launched a new PS console, confirmed with get-culture that I was now in the US and re-ran the get-winevent commands.

Get-WinEvent -ProviderName "Microsoft-Windows-Kernel-General" | select-object -property Message

Lo and behold...

Message
-------
The system time has changed to ?2015?-?07?-?12T01:06:52.405000000Z from ?2015?-?07?-?12T01:05:51.764208900Z.
The system time has changed to ?2015?-?07?-?12T01:05:09.671000000Z from ?2015?-?07?-?12T01:04:09.226010500Z.
The system time has changed to ?2015?-?07?-?12T01:03:49.119000000Z from ?2015?-?07?-?12T01:02:48.060593100Z.
The system time has changed to ?2015?-?07?-?12T01:02:32.128000000Z from ?2015?-?07?-?12T01:01:29.610105600Z.
The system time has changed to ?2015?-?06?-?13T08:41:12.267000000Z from ?2015?-?06?-?13T08:41:12.404273100Z.
The operating system started at system time ?2015?-?06?-?13T08:33:32.359599800Z.
The operating system is shutting down at system time ?2015?-?06?-?13T08:33:05.091743100Z.
The system time has changed to ?2015?-?06?-?13T08:32:58.947000000Z from ?2015?-?06?-?13T08:32:58.947959900Z.

Sadly, no change with get-eventlog:

get-eventlog -logname system | ? { $_.Source -eq "microsoft-windows-kernel-general" } | select-object -property Message

Message
-------
The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found.  The local computer m...
The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found.  The local computer m...
The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found.  The local computer m...
The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found.  The local computer m...
The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found.  The local computer m...
The description for Event ID '12' in Source 'Microsoft-Windows-Kernel-General' cannot be found.  The local computer ...
The description for Event ID '13' in Source 'Microsoft-Windows-Kernel-General' cannot be found.  The local computer ...
The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found.  The local computer m...

Recommended answer

Not sure on the how or why, but it looks like if you opt for Get-WinEvent rather than Get-EventLog you'll get the info you're after.

It should be noted that when changing commands the 'Source' parameter is known as 'ProviderName' so your command becomes:

Get-WinEvent -LogName System | Where { $_.ProviderName -eq 'Microsoft-Windows-Kernel-General' }
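An added example, not part of the original question or answer, that combines the two points above: it lists the sources in a log whose messages Get-EventLog returns as the "cannot be found" placeholder, then re-reads only those records through Get-WinEvent (Source becomes ProviderName) and flags records whose Message is still empty, the symptom the question ties to the regional Format setting. The defaults $LogName and $Newest and the join of Get-EventLog's Index to Get-WinEvent's RecordId are my assumptions.

```powershell
# Added example, not from the original question or answer.
# Assumes Windows PowerShell 5.1 on a Windows host: Get-EventLog is a Windows
# PowerShell-only cmdlet and is not available in PowerShell 6 and later.
param(
    [string]$LogName = 'System',   # assumed default; any classic log name works
    [int]$Newest     = 500         # assumed window; raise it for a fuller picture
)

# 1. Entries whose Message is the "cannot be found" placeholder rather than text.
$unrendered = Get-EventLog -LogName $LogName -Newest $Newest |
    Where-Object { $_.Message -like 'The description for Event ID*cannot be found*' }

if (-not $unrendered) {
    "Get-EventLog rendered every message in the newest $Newest entries of $LogName."
    return
}

# 2. Which sources are affected, and how many records each.
$bySource = $unrendered | Group-Object -Property Source
"Sources Get-EventLog could not render in ${LogName}:"
$bySource | Select-Object Name, Count | Format-Table -AutoSize

# 3. Re-read just those records through Get-WinEvent. Get-EventLog's Source is
#    Get-WinEvent's ProviderName, and the record number is Index on one side and
#    RecordId on the other (assumption used for the join).
foreach ($group in $bySource) {
    $wanted = @($group.Group | Select-Object -ExpandProperty Index)
    $events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; ProviderName = $group.Name } -ErrorAction SilentlyContinue |
              Where-Object { $wanted -contains $_.RecordId }

    foreach ($ev in $events) {
        # An empty Message means Get-WinEvent could not load the locale-specific
        # message resource either; check the Control Panel Format/regional setting.
        $text = if ($ev.Message) { ($ev.Message -split "`r?`n")[0] }
                else             { '<no message: check locale/Format setting>' }
        [pscustomobject]@{
            TimeCreated = $ev.TimeCreated
            RecordId    = $ev.RecordId
            Id          = $ev.Id
            Provider    = $ev.ProviderName
            Message     = $text
        }
    }
}
```

Run it as a script (for example `.\Compare-EventMessages.ps1 -LogName System -Newest 1000`) from a console whose culture matches the installed message resources.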
