0

我有一个主机名列表,我想从中提取所有与 AppLocker 相关的事件日志,尤其是具有级别警告和/或错误的事件日志。我制作了这个脚本:

$ComputersToCheck = Get-Content 'X:\ListWithTheNames.txt'
foreach($OneHost in $ComputersToCheck)
{
try
{
    $EventCollection = Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" -ComputerName $OneHost -Credential $CredentialFromUser
    foreach ($SingelEvent in $EventCollection)
    {
        if($SingelEvent.LevelDisplayName -ne "Information")
        {
            $pathtosaveto = 'SomeFileName.txt'
            $ResultString += $SingelEvent | Select Message,MachineName,UserId | Export-Csv -Path $pathtosaveto -Append                
            }
        }
    }
catch 
{
    //handling exceptions
 }    
}

这工作了一段时间,但在一定的时间后,我得到了一个错误:

Get-WinEvent : The remote procedure call failed
At X:\FileName.ps1:22 char:28
+         $EventCollection = Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EX ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : NotSpecified: (:) [Get-WinEvent], EventLogException
+ FullyQualifiedErrorId : The remote procedure call failed,Microsoft.PowerShell.Commands.GetWinEventCommand

在脚本开始给出这样的错误之后:

Get-WinEvent : The handle is invalid
At X:\FileName.ps1:22 char:28
+         $EventCollection = Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EX ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : NotSpecified: (:) [Get-WinEvent], EventLogException
+ FullyQualifiedErrorId : The handle is invalid,Microsoft.PowerShell.Commands.GetWinEventCommand

我的第一个想法是它与脚本试图到达的主机有关,但列表中的下一个与上一个是相同的类型(Os,甚至是相同的型号)。

我运行了脚本 3 次,每次输出大小都不同(可能是因为不同的主机在线并具有相同数量的日志)。该脚本应针对 700 多个主机运行,需要一个特殊帐户,我通过 Get-Credential 提示,将其存储在一个变量中并将 Get-WinEvent 作为参数传递给它。

老实说,我坚持这个问题,不确定是什么原因造成的,为什么。

如果有人有想法,请与我分享:)

4

1 回答 1

0

尝试捕获对失败主机和空对象的引用。您可以编写收到的异常,但我没有将其包含在其中以使 failedhosts 文件易于阅读。希望我在飞行时做对了,并且没有要测试的真实案例。

$ComputersToCheck = Get-Content 'X:\ListWithTheNames.txt'
foreach($OneHost in $ComputersToCheck) {
try {
    $EventCollection = Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" -ComputerName $OneHost -Credential $CredentialFromUser -ErrorAction Stop

    if($EventCollection) { 
        foreach ($SingelEvent in $EventCollection) {
            if($SingelEvent.LevelDisplayName -ne "Information") {
                $pathtosaveto = 'SomeFileName.txt'
                $ResultString += $SingelEvent | Select Message,MachineName,UserId | Export-Csv -Path $pathtosaveto -Append                
                }
            }
        } else {
            Out-File -InputObject $($OneHost + " Empty Event Collection") -FilePath "C:\FailedHosts.txt" -Append -Encoding ascii 
        }
    } 
catch {
    Out-File -InputObject $($OneHost + " Failed Connection") -FilePath "C:\FailedHosts.txt" -Append -Encoding ascii 
 }    
}
于 2016-03-02T22:53:45.180 回答