NT事件日志XPath查询

Question

我有一个现有的脚本，让我们这样说：

set cimv2=getobject("winmgmts:root\cimv2")
set evcol=cimv2.execquery("select * from win32_ntlogevent where logfile='System' and (sourcename='Microsoft-Windows-Kernel-General' or sourcename='Disk')")

for each evt in evcol
  wscript.echo evt.timewritten & ": " & evt.sourcename & ", " & evt.type & ", " & evt.eventcode & ", " & evt.message  
next

有没有办法可以用XPath查询而不是WMI select查询来查询Windows事件日志？

例如：

*[System[Provider[@Name='Microsoft-Windows-Disk' or @Name='Microsoft-Windows-Kernel-General']]]

编辑:我仍然希望将VBscript集合作为对象，而不仅仅是执行"wevtutil“。

Answer 1

PowerShell Get-WinEvent cmdlet有一个-FilterXPath参数，您可以向该参数传递XPath表达式：

$xpath = "*[System[Provider[@Name='Microsoft-Windows-Disk' or @Name='Microsoft-Windows-Kernel-General']]]"
Get-WinEvent -LogName 'Security' -FilterXPath $xpath

在VBScript中，您需要外壳wevutil，然后将数据加载到DOMDocument对象中：

Function qq(s) : qq = """" & s & """" : End Function

xpath    = "*[System[Provider[@Name='Microsoft-Windows-Disk' or @Name='Microsoft-Windows-Kernel-General']]]"
datafile = "C:\temp.xml"

Set sh  = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")

Set evt = sh.Exec("cmd /c wevtutil qe Security /q:" & qq(xpath) & " > " & qq(datafile))

While evt.Status = 0 : WScript.Sleep 100 : Wend

Set xml = CreateObject("Msxml2.DOMDocument.6.0")
xml.async = False
xml.loadXML "<events>" & fso.OpenTextFile(datafile).ReadAll & "</events>"

If xml.parseError <> 0 Then
  WScript.Echo xml.parseError.reason
  WScript.Quit 1
End If

有关通过XPath表达式筛选事件日志的详细信息，请参阅here。