2022 年 11 月 10 日更新
我添加了时间框架参数,但我收到了空正文的错误消息。我该如何防止这种情况?
这是我当前的脚本:
$Subject = "EventLogAlert {0:yyyy-MM-dd HH:mm:ss} on $env:COMPUTERNAME" -f (Get-Date)
$Server = "smtp.server"
$From = "[email protected]"
$To = "[email protected]"
$Pwd = ConvertTo-SecureString "******" -AsPlainText –Force
#(Warning! Use a very restricted account for the sender, because the password stored in the script will be not encrypted)
$Cred = New-Object System.Management.Automation.PSCredential("[email protected]" , $Pwd)
$encoding = [System.Text.Encoding]::UTF8
$EndTime = Get-Date
$StartTime = (Get-Date).AddMinutes(-15)
$events = Get-WinEvent -FilterHashtable @{LogName="Application";ID=400;ProviderName="ProviderNameGoesHere";StartTime=$StartTime;EndTime=$EndTime} |
Where-Object {$_.Message -like '*StingToLookFor*'} |
Select-Object -Property TaskDisplayName,ID,TimeCreated,Message -First 1
$Body = $events
Send-MailMessage -From $From -To $To -SmtpServer $Server -Body "$Body" -Subject $Subject -Credential $Cred -Encoding $encoding
错误信息:
At C:\ps\script_name:1 char:1
+ script name: script_name.ps1
+ ~~~~~~
+ CategoryInfo : ObjectNotFound: (script:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Get-WinEvent : No events were found that match the specified selection criteria.
At C:\ps\script_name.ps1:22 char:14
+ ... events = Get-WinEvent -FilterHashtable @{LogName="Application";ID= ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (:) [Get-WinEvent], Exception
+ FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventComm
and
Send-MailMessage : Cannot validate argument on parameter 'Body'. The argument is null or empty.
Provide an argument that is not null or empty, and then try the command again.
At C:\ps\script_name.ps1:29 char:64
+ ... Message -From $From -To $To -SmtpServer $Server -Body "$Body" -Subje ...
+ ~~~~~~~
+ CategoryInfo : InvalidData: (:) [Send-MailMessage], ParameterBindingValidationExce
ption
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.Send
MailMessage
原帖 2022 年 10 月 10 日
我是 PowerShell 的新手。我正在开发一个脚本来监视特定字符串的应用程序日志。下面的脚本有效,但我需要帮助限制搜索的时间范围。现在它搜索整个日志。我只想搜索最后 15 分钟,并且仅在此时间范围内匹配时才发送电子邮件。该脚本通过任务计划程序每 10 分钟运行一次。
有人可以指导我解决这个问题吗?
#Mail SMTP Setup Section
$Subject = "EventLogAlert {0:yyyy-MM-dd HH:mm:ss} on $env:COMPUTERNAME" -f (Get-Date)
$Server = "smtp.server"
$From = "[email protected]"
$To = "[email protected]"
$Pwd = ConvertTo-SecureString "enterpassword" -AsPlainText –Force password
$Cred = New-Object System.Management.Automation.PSCredential("[email protected]" , $Pwd) #Sender account credentials
$encoding = [System.Text.Encoding]::UTF8
$events = Get-WinEvent -FilterHashtable @{LogName="Application";ID=400;ProviderName="ProviderNameGoesHere"} |
Where-Object {$_.Message -like '*StingToLookFor*'} |
Select-Object -Property TaskDisplayName,ID,TimeCreated,Message
$Body=Get-WinEvent -FilterHashtable @{LogName="Application";ID=400;ProviderName='ProviderNameGoesHere'} | Select TimeCreated,Message | select-object -First 1
Send-MailMessage -From $From -To $To -SmtpServer $Server -Body "$Body" -Subject $Subject -Credential $Cred -Encoding $encoding
您可以将此代码添加到脚本中,以设置开始时间、结束时间以及将它们传递给 get-winevent。
编辑:使用 try/catch 解决评论。现在,当 get-winevent 在过去 15 分钟内没有结果时,它会简单地打印没有结果,并且不会在控制台中发送电子邮件。如果您希望它仍然发送一封电子邮件说没有事件,然后将 send-mailmessage 行粘贴到 write-host 所在的 catch 块中,并将“$body”更改为简单地读取“no results”
Narzard 的回答涵盖了它,但另一种按相对时间搜索的方法是使用 xml XPath(您可以从事件查看器过滤器中复制/粘贴):
XPath 更加冗长,但可以让您搜索事件数据属性,例如用户名