读取特定的Windows事件日志事件 [英] Read Specific Windows Event Log Event

问题描述

我正在开发一个程序，需要了解如何根据记录号读取Windows事件日志中的特定条目，该脚本已经拥有该记录号.下面是我一直在使用的代码，但是在找到需要的事件之前，我不想遍历所有事件.有什么想法吗?

I am working on a program and need ot know how I would read a specific entry to the Windows Event Log based on a Record number, which this script will already have. Below is the code I have been working with, but I don't want to loop through all of the events until I find the one I'm looking for. Any ideas?

import win32evtlog

server = 'localhost' # name of the target computer to get event logs
logtype = 'System'
hand = win32evtlog.OpenEventLog(server,logtype)
flags = win32evtlog.EVENTLOG_BACKWARDS_READ|win32evtlog.EVENTLOG_SEQUENTIAL_READ
total = win32evtlog.GetNumberOfEventLogRecords(hand)

while True:
    events = win32evtlog.ReadEventLog(hand, flags,0)
    if events:
        for event in events:
            if event.EventID == "27035":
                print 'Event Category:', event.EventCategory
                print 'Time Generated:', event.TimeGenerated
                print 'Source Name:', event.SourceName
                print 'Event ID:', event.EventID
                print 'Event Type:', event.EventType
                data = event.StringInserts
                if data:
                    print 'Event Data:'
                    for msg in data:
                        print msg
                break

推荐答案

否！没有可用的功能可让您根据事件ID获取事件.

No! There are no functions available which allows you to obtain the event based on event id.

参考:事件记录功能

GetNumberOfEventLogRecords  Retrieves the number of records in the specified event log.
GetOldestEventLogRecord     Retrieves the absolute record number of the oldest record 
                            in the specified event log.
NotifyChangeEventLog        Enables an application to receive notification when an event
                            is written to the specified event log.

ReadEventLog                Reads a whole number of entries from the specified event log.
RegisterEventSource         Retrieves a registered handle to the specified event log.

只有其他感兴趣的方法正在读取最早的事件.

Only other method of interest is reading the oldest event.

您将不得不以任何方式遍历结果，而您的方法是正确的:)

You will have to iterate through the results any way and your approach is correct :)

您只能像下面那样更改方法的形式，但这是不必要的.

You can only change the form of your approach like below but this is unnecessary.

events = win32evtlog.ReadEventLog(hand, flags,0)
events_list = [event for event in events if event.EventID == "27035"]
if event_list:
    print 'Event Category:', events_list[0].EventCategory

这与您所做的相同，但更加简洁

This is just the same way as you are doing but more succinct

这篇关于读取特定的Windows事件日志事件的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！