如何通过PowerShell使用已存在的提供程序编写自定义事件日志? [英] How to write a custom event log by an already existing provider with PowerShell?

问题描述

我正在尝试在网络已连接"事件日志的消息中查找状态"数据的名称/值映射:

I am trying to find out the Name/Value mappings of the "State" data in the message of the 'Network Connected' event log:

Path = Microsoft-Windows-NetworkProfile/Operational
Source = NetworkProfile
Event ID = 10000

所以我想我将在更改消息的状态"值的同时，由同一提供商将自定义事件日志写入同一日志(路径)，然后我可以在事件中看到该值的名称映射查看器.
例如，到目前为止，我具有以下值/名称"映射:

So I figured I'll write a custom event log by the same provider and to the same log (path) while changing the "State" value of the message, then I can see the name mapping of that value in the event viewer.
For example, I have these Value/Name mappings so far:

1 --> 'Connected'
5 --> 'Connected, IPV4 (Local)'
9 --> 'Connected, IPV4 (Internet)'

我想知道其余的人.

所以我尝试在PowerShell中使用New-WinEvent CmdLet编写日志:

So I tried the New-WinEvent CmdLet in PowerShell to write the logs:

New-WinEvent -ProviderName Microsoft-Windows-NetworkProfile -Id 10000 -Payload @("SSID","Description","{B58F86AB-F35D-4F73-A41E-98EA359E1D08}",0,1,0)

它已经创建，但是我传递给-Payload参数的最后4个参数没有生效.在该事件中仅出现{"name" = "SSID"和"Description" = "Description"}.无论我如何更改它们，后4个参数均保持固定值，而执行此行时没有错误或警告，-Verbose也未显示任何内容.

And it was created, but the last 4 arguments I passed to the -Payload parameter were not taking effect. Only the {"name" = "SSID" and "Description" = "Description"} were appearing in that event. The last 4 arguments stay at fixed values no matter how I change them, while there were no errors or warnings when executing this line, neither did -Verbose show anything.

我以所有可用的类型和值传递了这些参数(尤其是最后3个).我什至将先前事件日志(我未记录)的参数传递给该参数，怀疑我误用了数据类型，但没有任何改变.

I passed these arguments (especially last 3) in all types and values available. I even passed the arguments of an earlier event log (Not logged by me) to this parameter suspecting I was mistaking the data-types but nothing changed.

$a = ((Get-WinEvent -ProviderName Microsoft-Windows-NetworkProfile -MaxEvents 50  | Where-Object {$_.Id -eq 10000})[-1]).properties[3].value
$b = ((Get-WinEvent -ProviderName Microsoft-Windows-NetworkProfile -MaxEvents 50  | Where-Object {$_.Id -eq 10000})[-1]).properties[4].value
$c = ((Get-WinEvent -ProviderName Microsoft-Windows-NetworkProfile -MaxEvents 50  | Where-Object {$_.Id -eq 10000})[-1]).properties[5].value
New-WinEvent -ProviderName Microsoft-Windows-NetworkProfile -Id 10000 -Payload @("SSID","Description","{B58F86AB-F35D-4F73-A41E-98EA359E1D08}",$a,$b,$c)

然后我尝试了Write-EventLog CmdLet:

Then I tried the Write-EventLog CmdLet:

Write-EventLog -LogName "Microsoft-Windows-NetworkProfile/Operational" -Source "NetworkProfile" -EventID 10000 -EntryType Information -Message $msg -Category 0

但是我一直收到错误消息:Write-EventLog : The source name "NetworkProfile" does not exist on computer "localhost".尽管源确实存在，并且它是网络已连接"日志的源，如您从屏幕快照中看到的那样.

But I kept getting the error: Write-EventLog : The source name "NetworkProfile" does not exist on computer "localhost". Although the source does exist and it's the source of the 'Network Connected' log, as you can see from the screenshot.

这2个CmdLets在做什么?

推荐答案

我设法使第一个CmdLet New-WinEvent工作.奇怪的是，这是一个数据类型问题.

I managed to make the first CmdLet New-WinEvent work. Oddly it was a data type issue.

网络已连接"事件的消息需要6个参数.这些参数的预期类型可以在我从PowerShell得到的警告中看到

The 'Network Connected' event expects 6 arguments for its message. The expected types for these arguments can be seen in this Warning I got from PowerShell

警告:提供的有效负载与以前的模板不匹配 为事件ID 41定义.定义的模板如下:

WARNING: Provided payload does not match with the template that was defined for event id 41. The defined template is following:

我正在将Guid参数作为字符串传递，但是它希望它具有[System.Guid]类型，并且显然，当您在其中传递-Payload参数的6个参数时，New-WinEvent不会发出警告.一个数组，即使一个参数的类型不正确.它只是使用一些固定的默认参数(例如我的问题中发生的情况)创建一个新事件.

I was passing the Guid argument as a string, but it expects it to have a [System.Guid] type, and apparently New-WinEvent doesn't give warnings when you pass the 6 arguments of the -Payload parameter in an array, even if one argument doesn't have the right type. It just creates a new event with some fixed default arguments (like what was happening in my problem).

因此，我必须将此参数Guid转换为正确的类型.我从这里得到了它的类型名称:

So I had to cast the right type to this argument Guid. I got the name of its type from this:

$validEvent = (Get-WinEvent -ProviderName Microsoft-Windows-NetworkProfile -MaxEvents 500  | Where-Object {$_.Id -eq 10000} | Where-Object {$_.properties[4].Value -eq 9})[-1]
$validEvent.Properties[2].Value.GetType().FullName

然后我将正确的类型转换为参数，并将其传递给-Payload，并且有效:

Then I casted the right types to the arguments and passed them to -Payload and it worked:

$name = 'SSID'
$desc = 'Description'
[System.Guid]$guid = "c48f86ab-f35d-4f73-a41e-99ea359e1d08"
[System.UInt32]$type = 1
[System.UInt32]$state = 63
[System.UInt32]$categ = 2

New-WinEvent -ProviderName Microsoft-Windows-NetworkProfile -Id 10000 -Payload @($name, $desc, $guid, $type, $state, $categ)

然后我可以更改$state的值，以从$newLog.Message获取其名称映射.

Then I could change the value of $state to get its name mapping from the $newLog.Message.

但是，第二个CmdLet Write-EventLog无法正常工作；显然它不能由同一提供者写入此日志.

However, the second CmdLet Write-EventLog didn't work; apparently it can't write to this log by the same provider.

如 Max 所述，此CmdLet只能写入经典"事件日志，这就是为什么它不能找到NetworkProfile来源.

As Max mentioned, this CmdLet can only write to the "classic" event log, that's why it couldn't find the NetworkProfile source.

一些对我有帮助的链接:

如何在Windows事件日志中存储对象? [回答] 通过 Grady G Cooper
写入事件登录.NET-正确的方法
MSDN-事件源
TechNet-New-WinEvent

How to store an object in the Windows Event Log? [Answer] by Grady G Cooper
Writing to the event log in .NET - the right way
MSDN - Event Sources
TechNet - New-WinEvent

这篇关于如何通过PowerShell使用已存在的提供程序编写自定义事件日志?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！