有时你可能会需要分析系统文件将他们传输到硬盘，或你想直接从“evtx”读取系统日志。

你可以这样做：

复制代码 代码如下:

$path = "$env:windirSystem32WinevtLogsSetup.evtx"

Get-WinEvent -Path $path

另附上一段获取系统日志的代码

复制代码 代码如下:

$StartTime = (get-date).Date + (new-timespan -Hours 6 -Minutes 35)

$EndTime = (get-date).Date + (new-timespan -Hours 6 -Minutes 36)

$global:TaskStart

$Global:TaskComplete

$Global:events

$Global:event

$Global:TimeSpent

$Global:events = get-winevent -FilterHashtable @{logname = "Microsoft-Windows-TaskScheduler/Operational"; ID=107;StartTime=$StartTime;EndTime=$EndTime}

Foreach($Global:event in $Global:events)

{

cls

$StartLogs=get-winevent -FilterHashtable @{logname = "Microsoft-Windows-TaskScheduler/Operational";ID=100;StartTime=$StartTime}

$CompleteLogs=get-winevent -FilterHashtable @{logname = "Microsoft-Windows-TaskScheduler/Operational";id=102;StartTime=$StartTime}

$global:TaskStart=$StartLogs | where {$_.ActivityId -eq $Global:event.ActivityId}

$Global:TaskComplete=$CompleteLogs | where {$_.ActivityId -eq $Global:event.ActivityId}

$global:TimeSpent=($global:TaskComplete.timeCreated-$global:TaskStart.timeCreated).TotaLMinutes

if(($global:TaskStart -ne $NULL) -and ($Global:TaskComplete -ne $null) -and ($Global:TimeSpent -gt 1)){

$Messagebody="Sync task started at: "+$global:TaskStart.TimeCreated.DateTime+"`r`n"

$Messagebody=$Messagebody+"`r`nSync task completed at: "+$global:TaskComplete.timeCreated.DateTime+"`r`n"

$Messagebody=$Messagebody+"`r`nTask lasted for "+("{0:N2}" -f ($Global:TimeSpent) )+" minutes"

Send-MailMessage -From "CustomerLog@avepoint.com" -To "Zhijie.bai@avepoint.com","Infrastructure_cn@avepoint.com" -Subject "Customer Logs Sync Report:Success" -Body $Messagebody -SmtpServer "10.100.100.153" -Encoding UTF8

}

else{

$Messagebody="########################################################################`r`n"

$Messagebody=$Messagebody+"`r`nCustom logs Sync failed, please login 10.2.0.125 to check and sync again`r`n"

$Messagebody=$Messagebody+"`r`n########################################################################`r`n"

Send-MailMessage -From "CustomerLog@avepoint.com" -To "Zhijie.bai@avepoint.com","Infrastructure_cn@avepoint.com" -Subject "Customer Logs Sync Report:Failed" -Body $Messagebody -SmtpServer "10.100.100.153" -Encoding UTF8 -Priority High

}

}

支持Powershell所有版本

【Powershell小技巧之从文件获取系统日志】相关文章：

★ Powershell小技巧之使用WMI测试服务响应

★ PowerShell小技巧之获取TCP响应(类Telnet)

★ PowerShell中按修改时间查找文件的方法

★ PowerShell获取系统环境变量的方法

★ PowerShell遍历文件、文件夹的方法

★ Powershell小技巧之获取字符串的行数

★ PowerShell小技巧之尝试ssh登录

★ Windows Powershell 快捷键介绍

★ Powershell小技巧之使用Copy-Item添加程序到开机启动

★ Powershell小技巧之系统运行时间