我正在寻找有关如何通过使用脚本在多个服务器上保存和清除事件日志的想法.
曾经有一个名为“Eventlog.pl”的Windows Server 2000工具可以远程保存和清除事件日志.我没有在Windows Server 2003中找到任何这样的功能,除非我遗漏了一些明显的东西.我还能怎么做呢?
我在带有域的Windows Server 2003上.
你可以使用一个SysInternals工具,现在叫做
PSLogList.
这将取代Windows 2K中的EventLog.pl.
这将取代Windows 2K中的EventLog.pl.
您需要使用-c选项在命令后清除日志,使用-g指定文件. (出于某些奇怪的原因-g不在使用帮助中).
usage: psloglist [- ] [\\computer[,computer[,...] | @file [-u username [-p password]]] [-s [-t delimiter]] [-m #|-n #|-h #|-d #|-w][-c][-x][-r][-a mm/dd/yy][-b mm/dd/yy][-f filter] [-i ID[,ID[,...] | -e ID[,...]]] [-o event source[,event source][,..]]] [-q event source[,..]]] [-l event log file] <eventlog> @file Execute the command on each of the computers listed in the file. -a Dump records timestamped after specified date. -b Dump records timestamped before specified date. -c Clear the event log after displaying. -d Only display records from prevIoUs n days. -c Clear the event log after displaying. -e Exclude events with the specified ID or IDs (up to 10). -f Filter event types with filter string (e.g. "-f w" to filter warnings). -h Only display records from prevIoUs n hours. -i Show only events with the specified ID or IDs (up to 10). -l Dump records from the specified event log file. -m Only display records from prevIoUs n minutes. -n Only display the number of most recent entries specified. -o Show only records from the specified event source (e.g. \"-o cdrom\"). -p Specifies optional password for user name. If you omit this you will be prompted to enter a hidden password. -q Omit records from the specified event source or sources (e.g. \"-q cdrom\"). -r SDump log from least recent to most recent. -s This switch has PsLogList print Event Log records one-per-line,with comma delimited fields. This format is convenient for text searches,e.g. psloglist | findstr /i text,and for importing the output into a spreadsheet. -t The default delimeter is a comma,but can be overriden with the specified character. -u Specifies optional user name for login to remote computer. -w Wait for new events,dumping them as they generate (local system only). -x Dump extended data eventlog eventlog
如果你在命令后可以远程执行,你需要这样的东西:
psexec \\servername -c psloglist.exe -c -g application.evt application