Filtering events in Event Viewer using a regex


Question

I have an event log with thousands of events. I want to make a custom filter or view which shows some of them. I want to filter them using a regex (or even just a simple text match) on either the entire text of the XML (as text) or on a particular field. Event Viewer does support Ctrl+F find, but apparently you can't put that same find action into a custom view so it could be used every time.

  • Environment: Microsoft Windows Server 2012 Standard
  • Program: Event Viewer

I've looked at creating a custom view, and am editing the XML source of the custom view properties to try to filter them.

The events look like this:

<Event xmlns="http://blahblah.com">
  <EventData>
    <Data>Blah smith blah
    </Data>
  </EventData>
</Event>

And I want to do the text match / regex on the Data field.

I've tried a lot of things like this:

<QueryList>
  <Query Id="0" Path="">
    <Select Path="">
       *[EventData[Data=regex("*smith*")]]
    </Select>
  </Query>
</QueryList>

and other lines like:

*[EventData[Data="%smith%")]]
*[EventData[Data="%%smith%%")]]

But I get no result, or an invalid XPath error.

How can I do this? I'd also be interested in just knowing the name for where I am. Is this full XPath, or does it have some specific Microsoft version name? How can I even get a list of the namespaces that exist within the *Event line? How can I get access to compile/runtime errors from whatever is interpreting my attempts at writing XPath?

I'd also accept solutions in the form of programs which connect to the Event Viewer API. It'd be better if they were easy to use and could be integrated with the program itself, but even a PowerShell version of event log filtering would be useful.

Overall I just want to filter some events out of the event log based on a regex (or just simple text matching) of their contents. Theoretically this should be easy to do: Ctrl+F find can do it, the events are stored on my local computer somewhere, and I have an apparently sophisticated custom view filter setup.

Answer

Using PowerShell, there is an easy workaround:

# -like needs the * wildcards; without them it is an exact match of the whole message
Get-EventLog -LogName Security | Where-Object { $_.Message -like '*testsite*' } | Format-Table Message -Wrap -AutoSize | Out-File C:\Users\<username>\Desktop\out.txt

You need to specify your own log name, the text to be searched for, and the output file path.

The "Format-Table Message -Wrap -AutoSize" makes sure that your messages/exceptions won't be truncated. If you want to look up by a field other than Message, then replace "$_.Message" with the appropriate field name.

Cheers
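The following is an added example, not part of the answer above, that extends the same idea: the XPath that Event Viewer and Get-WinEvent accept is a restricted XPath 1.0 subset (equality and comparison on fields, and/or, position(), Band(), timediff()), with no regex and no contains(), which is why the "%smith%" and regex() attempts fail. So the pattern is to narrow the set server-side with a valid XPath query and then apply a .NET regex client-side, either on the rendered Message (the Ctrl+F equivalent) or on the EventData/Data fields pulled from the event XML. Get-WinEvent is used instead of Get-EventLog because it reads the modern .evtx channels and exposes ToXml(). The log name, event ID, pattern and output path are assumed placeholders.

```powershell
# Added example (not from the original answer). Assumed placeholders: the log
# name, the event ID used to narrow the query, the regex, and the output path.
$LogName = 'Security'
$EventId = 4624                  # assumed example ID; any valid server-side filter works
$Pattern = 'smith'               # .NET regex; -match is case-insensitive by default
$OutFile = "$env:USERPROFILE\Desktop\out.txt"

# Step 1: server-side filter using the XPath subset the event log accepts.
# This is the same <QueryList> format an Event Viewer custom view stores.
$query = @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">*[System[EventID=$EventId]]</Select>
  </Query>
</QueryList>
"@
$events = Get-WinEvent -FilterXml $query -MaxEvents 5000 -ErrorAction Stop

# Step 2a: regex on the rendered message text (what Ctrl+F searches).
$byMessage = $events | Where-Object { $_.Message -match $Pattern }

# Step 2b: regex restricted to the <EventData>/<Data> fields of each event.
# local-name() sidesteps the default xmlns on the <Event> element.
$dataXPath = "//*[local-name()='EventData']/*[local-name()='Data']"
$byField = $events | Where-Object {
    $xml    = [xml]$_.ToXml()
    $fields = Select-Xml -Xml $xml -XPath $dataXPath |
              ForEach-Object { $_.Node.InnerText }
    ($fields -join "`n") -match $Pattern
}

"{0} events matched by Message, {1} by Data field" -f @($byMessage).Count, @($byField).Count

# Step 3: write the field matches without truncation; CSV keeps the metadata
# (time, ID, provider) next to the full message instead of a wrapped table.
$byField |
    Select-Object TimeCreated, Id, ProviderName, Message |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
```

Paste the $query string into a custom view's XML tab to reuse the server-side part in Event Viewer itself; only the regex step has to live in PowerShell. Keep the server-side filter as tight as the data allows, since every event that passes it is rendered and parsed on the client.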

