Eventlog archiving

Question  Votes: 0  Answers: 1
$EventLog = Get-WmiObject Win32_NTEventlogFile -Filter "LogFileName = 'Security'"
$Date = Get-Date -Format yyyyMMdd

$Path = "C:\Users\aamouss\Desktop\SecurityLogs"

$EventLog.BackupEventlog("$Path\$env:COMPUTERNAME`_Security_$Date.evt")

Clear-EventLog -LogName Security

I am running the script above, but I get the error below.

You cannot call a method on a null-valued expression.
At line:6 char:1
+ $EventLog.BackupEventlog("$Path\$env:COMPUTERNAME`_Security_$Date.evt ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

powershell event-log
1 Answer

0 votes
In the line the error points at,

$EventLog is the only thing that could be $null. If I try running the command that initializes $EventLog, I find that it returns nothing...

PS> Get-WmiObject Win32_NTEventlogFile -Filter "LogFileName = 'Security'"
PS>

If I remove the -Filter from that Get-WmiObject command, these are the logs I see as a standard user on a Windows 10 system...

PS> Get-WmiObject Win32_NTEventlogFile

FileSize LogfileName            Name                                                        NumberOfRecords
-------- -----------            ----                                                        ---------------
15798272 Application            C:\WINDOWS\System32\Winevt\Logs\Application.evtx                      27698
   69632 HardwareEvents         C:\WINDOWS\System32\Winevt\Logs\HardwareEvents.evtx                       0
   69632 Internet Explorer      C:\WINDOWS\System32\Winevt\Logs\Internet Explorer.evtx                    0
   69632 Key Management Service C:\WINDOWS\System32\Winevt\Logs\Key Management Service.evtx               0
   69632 Parameters             C:\WINDOWS\System32\Winevt\Logs\Parameters.evtx                           0
   69632 State                  C:\WINDOWS\System32\Winevt\Logs\State.evtx                                0
14749696 System                 C:\WINDOWS\System32\Winevt\Logs\System.evtx                           24168
15732736 Windows PowerShell     C:\WINDOWS\System32\Winevt\Logs\Windows PowerShell.evtx               10470

...and as an elevated user...

PS> Get-WmiObject Win32_NTEventlogFile

FileSize LogfileName            Name                                                        NumberOfRecords
-------- -----------            ----                                                        ---------------
15798272 Application            C:\WINDOWS\System32\Winevt\Logs\Application.evtx                      27698
   69632 HardwareEvents         C:\WINDOWS\System32\Winevt\Logs\HardwareEvents.evtx                       0
   69632 Internet Explorer      C:\WINDOWS\System32\Winevt\Logs\Internet Explorer.evtx                    0
   69632 Key Management Service C:\WINDOWS\System32\Winevt\Logs\Key Management Service.evtx               0
   69632 Parameters             C:\WINDOWS\System32\Winevt\Logs\Parameters.evtx                           0
20975616 Security               C:\WINDOWS\System32\Winevt\Logs\Security.evtx                         29714
   69632 State                  C:\WINDOWS\System32\Winevt\Logs\State.evtx                                0
14749696 System                 C:\WINDOWS\System32\Winevt\Logs\System.evtx                           24170
15732736 Windows PowerShell     C:\WINDOWS\System32\Winevt\Logs\Windows PowerShell.evtx               10477

Notice that the Security log is only available when the cmdlet is run elevated. So, if I run the original command as an elevated user, I can access the Security log...

PS> Get-WmiObject Win32_NTEventlogFile -Filter "LogFileName = 'Security'"

FileSize LogfileName Name                                          NumberOfRecords
-------- ----------- ----                                          ---------------
20975616 Security    C:\WINDOWS\System32\Winevt\Logs\Security.evtx           29723

From Event Logging Security...

The Security log is designed for use by the system. However, users can read and clear the Security log if they have been granted the SE_SECURITY_NAME privilege (the "manage auditing and security log" user right).
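A hardened version of the questioner's script, added here as an example rather than taken from the question or the answer. It checks for elevation before touching Win32_NTEventlogFile, refuses to call a method on a $null object, and only clears the Security log after BackupEventlog reports success; the folder path is the one from the question, and the .evtx extension is a choice of this example.

```powershell
# Added example, not the questioner's script or the answerer's code. It hardens the
# script from the question: refuse to run unelevated, never call a method on $null,
# and only clear the Security log after the backup reports success.

$LogName = 'Security'
$Path    = 'C:\Users\aamouss\Desktop\SecurityLogs'   # folder taken from the question
$Date    = Get-Date -Format yyyyMMdd
$Archive = Join-Path $Path "$env:COMPUTERNAME`_$($LogName)_$Date.evtx"

# 1. Win32_NTEventlogFile does not expose the Security log to an unelevated session,
#    so check elevation up front instead of discovering it via InvokeMethodOnNull.
$Identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$Principal = New-Object Security.Principal.WindowsPrincipal($Identity)
if (-not $Principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this script from an elevated PowerShell session (it needs the 'Manage auditing and security log' right)."
}

# 2. Make sure the archive folder exists; BackupEventlog does not create it.
if (-not (Test-Path -LiteralPath $Path)) {
    New-Item -ItemType Directory -Path $Path | Out-Null
}

# 3. Fetch the log object and fail explicitly if WMI returned nothing.
$EventLog = Get-WmiObject Win32_NTEventlogFile -Filter "LogFileName = '$LogName'"
if ($null -eq $EventLog) {
    throw "Get-WmiObject returned nothing for the '$LogName' log; check privileges."
}

# 4. Back up, then check the WMI return code (0 = success, otherwise a Win32 error code).
$Result = $EventLog.BackupEventlog($Archive)
if ($Result.ReturnValue -ne 0) {
    throw "BackupEventlog failed with return code $($Result.ReturnValue); the log was NOT cleared."
}
Write-Host "Archived $LogName log to $Archive"

# 5. Only now is it safe to clear the live log; the original script cleared it unconditionally.
Clear-EventLog -LogName $LogName
```

The important change from the question's version is step 4: without it, a failed backup is followed by Clear-EventLog and the audit trail is lost.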
