- Use FilterHashtable to filter at the source by Level, Id, ProviderName and time ranges.
- XPath/XML are supported for advanced filters and exclusions (Suppress/SuppressHashFilter).
- Combine several logs and .evtx/.etl files; -MaxEvents bounds the result set and -Oldest reverses the order (required for .etl/.evt).

Filtering Windows events by level (Critical, Error or Warning) with PowerShell is one of those tasks that saves hours when you investigate incidents. The Get-WinEvent cmdlet, available only on Windows, lets you do this very efficiently, especially when you use the FilterHashtable parameter instead of piping into Where-Object.
Besides being faster and more scalable, Get-WinEvent offers three query models: a hashtable (FilterHashtable), XPath, and structured XML. With these you can query local or remote logs, combine several sources, read .evtx and .etl files, and extract specific levels or patterns, all without pushing thousands of objects through the pipeline.
Get-WinEvent vs. Get-EventLog: when to use each
Although both cmdlets return events, Get-EventLog is the legacy cmdlet aimed at the classic logs (Application, System, Security) of the Windows Event Viewer, and it is handy for quick browsing. Get-WinEvent is the modern replacement: it reaches the logs built on the Windows Eventing infrastructure (including ETW providers), understands XML, XPath and ETW trace files (.etl), and performs better thanks to source-side filters. Note also that Get-EventLog exists only in Windows PowerShell 5.1; it was removed from PowerShell 6 and later, so in current PowerShell Get-WinEvent is the only option.
The practical recommendation: use Get-EventLog for simple scans of the classic logs, and rely on Get-WinEvent when you need precise filtering, access to modern logs, reading saved files, combining sources, or squeezing performance out of FilterHashtable.
Availability, input and output
Get-WinEvent is available only on Windows and is not supported in Windows PE. By default it returns EventLogRecord objects; with -ListLog it returns EventLogConfiguration objects, and with -ListProvider, ProviderMetadata. You can pipe a LogName (string), a FilterHashtable query (Hashtable), or an XmlDocument for FilterXml.
If you are not running PowerShell as an administrator, you may get access errors for certain logs. Keep this in mind when querying Security, Debug or Analytic logs; -Force is needed to make Debug/Analytic logs show up when you use wildcards in log names.
Working syntax by parameter set
Get-WinEvent supports several parameter sets: GetLogSet (-LogName with filters such as -FilterXPath), ListLogSet (-ListLog), ListProviderSet (-ListProvider), GetProviderSet (-ProviderName), FileSet (-Path to .evtx/.etl/.evt files), HashQuerySet (-FilterHashtable) and XmlQuerySet (-FilterXml). The default order is newest to oldest, unless you use -Oldest or read .etl/.evt files, which require the order to be reversed.
Typical syntax examples: list logs or providers, query by log name, read saved files, or cap the number of events.
# List logs and providers
Get-WinEvent -ListLog *
Get-WinEvent -ListProvider *
# Query a specific log (newest first)
Get-WinEvent -LogName 'Application' -MaxEvents 100
# Read a saved log file (.evtx)
Get-WinEvent -Path 'C:\Test\Windows PowerShell.evtx' -MaxEvents 100
# Read an ETW trace (.etl) in chronological order and keep the latest 100
Get-WinEvent -Path 'C:\Tracing\TraceLog.etl' -Oldest | Sort-Object TimeCreated -Descending | Select-Object -First 100
Why FilterHashtable is faster than Where-Object
When you work with voluminous logs, it is inefficient to fetch thousands of events and then filter them with Where-Object. FilterHashtable applies the filter at the source (the Event Log service does the selection before any object reaches the pipeline) and speeds up the query. Avoid patterns like this:
# Avoid: fetch everything and filter afterwards
Get-WinEvent -LogName Application | Where-Object { $_.ProviderName -match 'defrag' }
Instead, filter with FilterHashtable, using wildcards at the source:
# Better: filter at the source by ProviderName
Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='*defrag' }
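To see the difference rather than take it on faith, the following added example (not code from the original article) times the same provider filter three ways: client-side with Where-Object, source-side with FilterHashtable, and source-side with XPath. The exact provider name 'Microsoft-Windows-Defrag' used in the XPath branch is an assumption standing in for whatever the '*defrag' wildcard matches on your host; adjust it to a provider that exists in your Application log.

```powershell
# Added example: measure client-side vs source-side filtering on the Application log.
# Absolute numbers depend on log size; the ordering (Where-Object slowest) is the point.
function Measure-EventQuery {
    param(
        [Parameter(Mandatory)] [string]      $Name,
        [Parameter(Mandatory)] [scriptblock] $Query
    )
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $events = @(& $Query)          # force enumeration so the whole query is timed
    $sw.Stop()
    [pscustomobject]@{
        Method       = $Name
        Events       = $events.Count
        Milliseconds = $sw.ElapsedMilliseconds
    }
}

$pattern      = '*defrag'                    # same wildcard the article uses
$providerName = 'Microsoft-Windows-Defrag'   # assumption: the provider the wildcard matches

$runs = @(
    Measure-EventQuery 'Where-Object (client-side)' {
        Get-WinEvent -LogName Application -ErrorAction SilentlyContinue |
            Where-Object { $_.ProviderName -like $pattern }
    }
    Measure-EventQuery 'FilterHashtable (source-side)' {
        Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName=$pattern } -ErrorAction SilentlyContinue
    }
    Measure-EventQuery 'FilterXPath (source-side)' {
        # The Event Log XPath subset has no wildcard match, so use the exact provider name
        Get-WinEvent -LogName Application -FilterXPath "*[System[Provider[@Name='$providerName']]]" -ErrorAction SilentlyContinue
    }
)

$runs | Format-Table -AutoSize
```

Run it twice: the first pass also pays for file-cache warm-up, so the second run is the fair comparison. -ErrorAction SilentlyContinue keeps the "No events were found" error from cluttering the output when a branch matches nothing.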
FilterHashtable in depth
The parameter accepts one or more hashtables of key/value pairs. Key rules: keys are case-insensitive, each key may appear only once, wildcards are allowed only in LogName and ProviderName, and Path accepts paths to .etl, .evt and .evtx files. You can combine LogName, Path and ProviderName in the same query.
Valid keys include LogName, ProviderName, Path, Keywords, Id, Level, StartTime, EndTime, UserID, Data, and named event-data fields. There is also a special SuppressHashFilter key for excluding conditions from the query (for example, to drop Informational events).
# Typical skeleton, adding keys step by step
Get-WinEvent -FilterHashtable @{ LogName='Application' }
Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='.NET Runtime' }
# Exclude the Informational level (4) over the last 2 days
$desde = (Get-Date).AddDays(-2)
$filter = @{ LogName='Application'; StartTime=$desde; SuppressHashFilter=@{ Level=4 } }
Get-WinEvent -FilterHashtable $filter
For named data, you can filter on EventData items by their field name. For example, an event for the BITS service is matched like this:
Get-WinEvent -FilterHashtable @{ LogName='Application'; 'Service'='BITS' }
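Named-data keys are most useful where the provider tags its data with Name attributes, as the Security log does. The following added example (not code from the original article) filters logon events at the source on the TargetUserName field and then unpacks the EventData block into a flat object for triage. The account name 'svc_backup' is a placeholder; the session must be elevated to read the Security log. Swapping LogName='Security' for Path='C:\case\Security.evtx' runs the same query against an exported file.

```powershell
# Added example: source-side filter on a named EventData field, then structured extraction.
# Security events 4624 (logon) and 4625 (failed logon) carry <Data Name="TargetUserName">.
$account = 'svc_backup'                 # placeholder account name
$since   = (Get-Date).AddHours(-24)

$filter = @{
    LogName        = 'Security'
    Id             = @(4624, 4625)      # successful and failed logons
    StartTime      = $since
    TargetUserName = $account           # named-data key: exact match, pushed to the Event Log service
}

# Turn the event XML into one object per event with the fields an analyst wants first.
function ConvertTo-LogonRecord {
    param([Parameter(ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventLogRecord] $Event)
    process {
        $xml  = [xml] $Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }   # skip unnamed <Data> elements
        }
        [pscustomobject]@{
            TimeCreated = $Event.TimeCreated
            Id          = $Event.Id
            Outcome     = if ($Event.Id -eq 4624) { 'success' } else { 'failure' }
            User        = $data['TargetUserName']
            Domain      = $data['TargetDomainName']
            LogonType   = $data['LogonType']
            SourceIp    = $data['IpAddress']
            Workstation = $data['WorkstationName']
        }
    }
}

try {
    Get-WinEvent -FilterHashtable $filter -ErrorAction Stop |
        ConvertTo-LogonRecord |
        Sort-Object TimeCreated |
        Format-Table -AutoSize
} catch {
    # With -ErrorAction Stop an empty result is a terminating error; treat it as "nothing found"
    if ($_.Exception.Message -notmatch 'No events were found') { throw }
    Write-Host "No logon events for $account since $since"
}
```

The named-data key does the heavy lifting: only records whose TargetUserName equals the value leave the service, so the XML parsing in ConvertTo-LogonRecord runs on a handful of events instead of the whole log. If a named-data filter returns nothing unexpectedly, dump one event with ToXml() and check the Name attributes the provider actually emits.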
Filter by level: critical, errors and warnings
The Level key takes enumerated (numeric) values, not strings. The levels are: LogAlways=0, Critical=1, Error=2, Warning=3, Informational=4, Verbose=5. You can list the names through the .NET class System.Diagnostics.Eventing.Reader.StandardEventLevel.
# Get the event levels as static properties
[System.Diagnostics.Eventing.Reader.StandardEventLevel] | Get-Member -Static -MemberType Property
To filter only errors in the Application log:
Get-WinEvent -FilterHashtable @{ LogName='Application'; Level=2 }
If you prefer names, use the enumeration's Value__ property:
$lvl = [System.Diagnostics.Eventing.Reader.StandardEventLevel]::Error
Get-WinEvent -FilterHashtable @{ LogName='Application'; Level=$lvl.Value__ }
For warnings (3) and critical events (1); Level also accepts an array, so Level=@(1,3) covers both in a single call:
Get-WinEvent -FilterHashtable @{ LogName='System'; Level=3 }
Get-WinEvent -FilterHashtable @{ LogName='System'; Level=1 }
Filter by event ID and provider
The Id key (or ID) accepts integer values, including arrays. This is very useful when you know the exact identifier (e.g., 1023 for certain .NET Runtime events). You can combine it with ProviderName to narrow further:
Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='.NET Runtime'; Id=1023; Level=2 }
Filter by keywords
Keywords is a long value (or an array of longs) and does not accept strings. There are standard keywords defined in .NET: AuditFailure=4503599627370496, AuditSuccess=9007199254740992, CorrelationHint2=18014398509481984, EventLogClassic=36028797018963968, Sqm=2251799813685248, WdiDiagnostic=1125899906842624, WdiContext=562949953421312, ResponseTime=281474976710656, None=0.
To query by EventLogClassic, use the numeric value or the enumeration's Value__:
# With the numeric value directly
Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='.NET Runtime'; Keywords=36028797018963968 }
# With the enumeration
$kw = [System.Diagnostics.Eventing.Reader.StandardEventKeywords]::EventLogClassic
Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='.NET Runtime'; Keywords=$kw.Value__ }
Time, user and data ranges
To narrow by date, use StartTime and EndTime. You can also filter by UserID with a valid SID or with an account name that resolves to an NTAccount. Data lets you filter on unnamed fields (typical of legacy records).
$start = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName='Application'; StartTime=$start; UserID='S-1-5-18' }
XPath and structured XML (advanced queries)
For complex scenarios you can use XPath or a full XML query. For example, Warning-level (3) events from the last 24 hours in the Windows PowerShell log:
# Direct XPath
$xp = '*[System[(Level=3) and TimeCreated[timediff(@SystemTime) <= 86400000]]]'
Get-WinEvent -LogName 'Windows PowerShell' -FilterXPath $xp
# Structured XML (useful with the Event Viewer filter editor); inside XML the '<=' must be written as '&lt;='
$xml = @'
<QueryList>
  <Query Id='0' Path='Windows PowerShell'>
    <Select Path='Windows PowerShell'>*[System[(Level=3) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
  </Query>
</QueryList>
'@
Get-WinEvent -FilterXml $xml
The advantage of XML is that it supports the Suppress element to exclude events; with FilterHashtable the working equivalent is SuppressHashFilter, for example to exclude levels such as Informational.
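The Suppress element is what makes the XML form worth the extra typing: a Select picks the broad set and a Suppress carves out what you do not want, both evaluated by the service. The following added example (not code from the original article) keeps successful logons (4624) from the last 24 hours in the Security log but suppresses network (type 3) and service (type 5) logons, which on most servers are the bulk of the noise, and then verifies that none of the suppressed types survived. It needs an elevated session.

```powershell
# Added example: structured XML query with a <Suppress> clause on a named EventData field.
# Note the &lt;= escape: the query is XML, so a raw '<' would not parse.
$xmlQuery = @'
<QueryList>
  <Query Id='0' Path='Security'>
    <Select Path='Security'>
      *[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
    </Select>
    <Suppress Path='Security'>
      *[EventData[Data[@Name='LogonType']='3' or Data[@Name='LogonType']='5']]
    </Suppress>
  </Query>
</QueryList>
'@

$events = @(Get-WinEvent -FilterXml $xmlQuery -ErrorAction SilentlyContinue)
"Logon events kept after Suppress: $($events.Count)"

# Pull the LogonType out of each surviving event and tally it
$typeCounts = $events |
    ForEach-Object {
        ([xml] $_.ToXml()).Event.EventData.Data |
            Where-Object { $_.Name -eq 'LogonType' } |
            Select-Object -ExpandProperty '#text'
    } |
    Group-Object -NoElement |
    Sort-Object Count -Descending

$typeCounts | Format-Table Name, Count -AutoSize

# Sanity check: the Suppress clause must have removed every type 3 and type 5 logon
$leaked = $typeCounts | Where-Object { $_.Name -in '3', '5' }
if ($leaked) { Write-Warning "Suppress did not apply: found logon types $($leaked.Name -join ', ')" }
else         { 'OK: no network or service logons in the result' }
```

The same exclusion cannot be expressed with -FilterXPath alone, because that parameter only carries a Select; Suppress exists only in the XML form (and, for hashtable queries, as SuppressHashFilter). If you build the query in Event Viewer, the XML tab already contains the correct escaping.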
Combine several logs and group the results
Get-WinEvent lets you query several logs in one pass and group the results by property for analysis. For example, group by LevelDisplayName and LogName:
Get-WinEvent -LogName '*PowerShell*', 'Microsoft-Windows-Kernel-WHEA*' |
Group-Object -Property LevelDisplayName, LogName -NoElement |
Format-Table -AutoSize
To get counts for a specific log and see which IDs and levels dominate:
$ev = Get-WinEvent -LogName 'Windows PowerShell'
$ev.Count
$ev | Group-Object Id -NoElement | Sort-Object Count -Descending
$ev | Group-Object LevelDisplayName -NoElement
List logs and providers: find out what you will query
Before filtering, it is a good idea to know what is available. You can list all logs and providers, see which providers write to a given log, and enumerate the IDs a provider emits; use -ListLog and -ListProvider to discover the exact log and provider names:
# All logs
Get-WinEvent -ListLog *
# All providers
Get-WinEvent -ListProvider *
# Providers that write to 'Application'
(Get-WinEvent -ListLog 'Application').ProviderNames
# IDs emitted by a provider
(Get-WinEvent -ListProvider 'Microsoft-Windows-GroupPolicy').Events | Format-Table Id, Description
Reading .evtx files and ETW traces (.etl)
Besides live logs, you can open saved files, including ETW traces (.etl). With .evtx the default order is newest to oldest; with .etl you need -Oldest to preserve the chronological order. You can combine both types in one command when filtering on shared properties such as Id.
# Newest events in a .evtx
Get-WinEvent -Path 'C:\Test\PowerShellCore Operational.evtx' -MaxEvents 100
# Combine .etl and .evtx and filter on Id=403
Get-WinEvent -Path 'C:\Tracing\TraceLog.etl', 'C:\Test\Windows PowerShell.evtx' -Oldest |
Where-Object { $_.Id -eq 403 }
Remote queries, credentials and performance
-ComputerName points at another computer by NetBIOS name, IP or FQDN (it accepts one value at a time). If you need explicit authentication, use -Credential (PSCredential). Remember to open the Event Log service ports in your firewall for remote access (the 'Remote Event Log Management' rule group, which is RPC); this does not depend on PowerShell Remoting.
# Logs that actually contain records on localhost
Get-WinEvent -ListLog * -ComputerName 'localhost' | Where-Object { $_.RecordCount }
For large data sets, limit with -MaxEvents and filter at the source with FilterHashtable or XPath/XML. Avoid Where-Object unless there is no alternative.
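Because -ComputerName takes a single value, a fleet sweep is a loop, and on a real network some hosts will be unreachable or deny access. The following added example (not code from the original article) collects Critical and Error events from several hosts over the Event Log RPC channel, caps each host with -MaxEvents, records failures as rows instead of aborting, and writes a CSV. The host names are placeholders and Get-Credential prompts interactively; in a scheduled script pass a PSCredential built from a secret store instead.

```powershell
# Added example: multi-host sweep with source-side filtering, per-host caps and error rows.
$hosts = 'srv-app01', 'srv-db01', 'srv-web01'   # placeholders
$cred  = Get-Credential                         # prompts; replace with a stored PSCredential when scripted
$since = (Get-Date).AddHours(-12)

# Same filter for every host: Critical (1) and Error (2) from System and Application
$filter = @{ LogName = @('System', 'Application'); Level = @(1, 2); StartTime = $since }

$results = foreach ($h in $hosts) {
    try {
        Get-WinEvent -ComputerName $h -Credential $cred -FilterHashtable $filter -MaxEvents 200 -ErrorAction Stop |
            Select-Object @{ n = 'Computer'; e = { $h } },
                          TimeCreated, LogName, Id, LevelDisplayName, ProviderName,
                          @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }   # first line only
    }
    catch {
        # An empty result is a terminating error with -ErrorAction Stop; that is not a failure
        if ($_.Exception.Message -match 'No events were found') { continue }
        # RPC unreachable, access denied, name resolution: keep the host in the report
        [pscustomobject]@{
            Computer         = $h
            TimeCreated      = $null
            LogName          = '<error>'
            Id               = $null
            LevelDisplayName = $null
            ProviderName     = $null
            Message          = $_.Exception.Message
        }
    }
}

$results | Sort-Object Computer, TimeCreated -Descending | Format-Table -AutoSize
$results | Export-Csv "$env:TEMP\crit_err_$(Get-Date -Format yyyyMMdd_HHmm).csv" -NoTypeInformation -Encoding UTF8
```

The '<error>' rows are deliberate: a host that silently drops out of a sweep is exactly the one an attacker would want you to miss, so the report should show it failed rather than show nothing.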
Useful filtering scenarios by level
Application errors (level 2) from the last day, with the filter at the source:
$hace24h = (Get-Date) - (New-TimeSpan -Days 1)
Get-WinEvent -FilterHashtable @{ LogName='Application'; Level=2; StartTime=$hace24h }
Warnings (3) and errors (2) from the 'Application Error' provider mentioning 'iexplore.exe' in the last 7 days, using the Data key for unnamed fields:
$desde = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='Application Error'; Level=@(2,3); Data='iexplore.exe'; StartTime=$desde }
.NET Runtime errors (Id 1023) marked as EventLogClassic:
Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='.NET Runtime'; Keywords=36028797018963968; Id=1023; Level=2 }
Quick scans with Get-EventLog (and why to migrate)
Get-EventLog is still usable for quick queries against the classic logs, locally and on remote computers. For example, the last 5 System errors whose message contains the word 'failed':
Get-EventLog -LogName System -EntryType Error -Newest 5 -Message *failed* | Format-List *
It also helps for time ranges and basic counts, but remember that it cannot reach the modern logs, that it is only available in Windows PowerShell 5.1 (not in PowerShell 6 and later), and that Microsoft positions Get-WinEvent as its replacement on Windows Vista and later, including Windows 11.
Incremental query techniques
A robust way to build filters is to add keys step by step, checking the result at each iteration. Start with LogName, add ProviderName, then Keywords, Id and Level, and finish by narrowing with StartTime/EndTime.
# 1) Only the log
Get-WinEvent -FilterHashtable @{ LogName='Application' }
# 2) Add the provider
Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='.NET Runtime' }
# 3) Add the keyword
$kw = [System.Diagnostics.Eventing.Reader.StandardEventKeywords]::EventLogClassic
Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='.NET Runtime'; Keywords=$kw.Value__ }
# 4) Add Id and Level
Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='.NET Runtime'; Keywords=$kw.Value__; Id=1023; Level=2 }
List and understand keywords and levels
You can list the names and values of StandardEventKeywords and StandardEventLevel directly with Get-Member:
[System.Diagnostics.Eventing.Reader.StandardEventKeywords] | Get-Member -Static -MemberType Property
[System.Diagnostics.Eventing.Reader.StandardEventLevel] | Get-Member -Static -MemberType Property
Standard keyword values (name=value): AuditFailure=4503599627370496, AuditSuccess=9007199254740992, CorrelationHint2=18014398509481984, EventLogClassic=36028797018963968, Sqm=2251799813685248, WdiDiagnostic=1125899906842624, WdiContext=562949953421312, ResponseTime=281474976710656, None=0.
Level values: LogAlways=0, Critical=1, Error=2, Warning=3, Informational=4, Verbose=5. Using the numbers avoids conversion errors, but the Value__ approach keeps the code readable.
Force Debug/Analytic logs and output order
Debug and Analytic logs are excluded by default. -Force is required when you use wildcards with -ListLog in order to include them. Remember that .evt and .etl require -Oldest because they store events in chronological order and can only be read that way.
Datadog integration: filters and security
If you forward events to Datadog, you have two modes: the Event Logs API (recommended) and legacy mode (WMI, deprecated since Agent 7.20). Configure instances in 'win32_event_log.d/conf.yaml'. With legacy_mode: false, use 'path' for the channel; the supported filters are 'path' (Application, System, Setup, Security), 'type' (Critical, Error, Warning, Information, Audit Success, Audit Failure), 'source' and 'id'.
You can also supply a query in XPath/XML (the filters are ignored when a query is present). The recommended approach is to build the query in Event Viewer and paste the XML. For the Security log, add the agent account to the Event Log Readers group and, starting with Agent v7.54, set 'dd_security_events' to low or high to send the default set of security events ready for Cloud SIEM.
Validation is done from the Agent Manager or with the 'status' subcommand by checking the 'win32_event_log' section. If you use log processing rules, verify that your regex matches the real format (you can test with 'stream-logs'), and if in doubt, temporarily disable 'log_processing_rules' to isolate the problem.
More examples and resources
Filter the last 24 hours in different ways, showing that source-side filters perform far better than Where-Object:
# Where-Object (less efficient)
$ayer = (Get-Date) - (New-TimeSpan -Days 1)
Get-WinEvent -LogName 'Windows PowerShell' | Where-Object { $_.TimeCreated -ge $ayer }
# FilterHashtable (recommended)
Get-WinEvent -FilterHashtable @{ LogName='Windows PowerShell'; Level=3; StartTime=$ayer }
# Structured XML ('<=' escaped as '&lt;=' because the query is XML)
$xml = @'
<QueryList>
  <Query Id='0' Path='Windows PowerShell'>
    <Select Path='Windows PowerShell'>*[System[(Level=3) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
  </Query>
</QueryList>
'@
Get-WinEvent -FilterXml $xml
# Direct XPath
$xp = '*[System[(Level=3) and TimeCreated[timediff(@SystemTime) <= 86400000]]]'
Get-WinEvent -LogName 'Windows PowerShell' -FilterXPath $xp
A practical pattern for spotting recurring events is to group by Id and show a sample message, listing the top 5 by count in System at level 2 or 3:
Get-WinEvent -LogName 'System' -FilterXPath "*[System[(Level=2 or Level=3)]]" |
    Group-Object Id |
    Sort-Object Count -Descending |
    Select-Object -First 5 Count,
        @{ Name='Event ID'; Expression={ $_.Name } },
        @{ Name='Message';  Expression={ $_.Group[0].Message } }
If you only need to export Warnings and Errors from Application and System, filter by level and export to the format you need:
# Warning (3) and Error (2) from Application and System, last 2 days, to CSV
$desde = (Get-Date).AddDays(-2)
Get-WinEvent -FilterHashtable @{ LogName=@('Application','System'); Level=@(2,3); StartTime=$desde } |
Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, LogName, Message |
Export-Csv 'C:\Temp\avisos_errores.csv' -NoTypeInformation -Encoding UTF8
Best practices and final notes
Remember that in FilterHashtable wildcards only work in LogName and ProviderName, and each key must appear only once; any key that is not one of the reserved ones is interpreted by Get-WinEvent as the name of an event-data field.
Get-WinEvent supports -MaxEvents to cap the output and -Oldest to reverse the order when needed. -Path supports wildcard patterns and multiple comma-separated paths. -Credential takes a PSCredential; if you pass a user name, you will be prompted for the password interactively.
To find out which providers and logs you care about, rely on -ListLog and -ListProvider. And if you are going to write a complex XML query, build the filter first in Event Viewer (Create Custom View / Filter Current Log) and copy the XML tab to paste it directly into FilterXml.
Mastering FilterHashtable, levels and keywords, and knowing the difference between Get-EventLog and Get-WinEvent, lets you respond precisely: isolate critical events, errors and warnings, search by provider or ID, drop informational noise, and read saved logs or ETW traces without breaking a sweat.
