ybaidukuai posted on 2018-9-1 12:17:02

MSSQL/WMI/PowerShell Combined Series (Part 2): Creating WMI Monitoring

  The WMI consumers used for the monitoring types described in this article are mainly CommandLineEventConsumer and LogFileEventConsumer.
  For details, see the following links:
  CommandLineEventConsumer
  LogFileEventConsumer
  Below, PowerShell scripts are used to show how to create WMI event monitoring.

  I. LogFileEventConsumer example

  1. Create the EventFilter, which selects the events to be monitored
  $EventNamespace = "the event namespace which is to be monitored"   # e.g. "root\cimv2"
  $QueryLanguage  = 'WQL'
  $Namespace      = "root\subscription"
  $ComputerName   = "."
  $Query          = "WQL Query Statement"
  $Name           = "EventFilter Name"
  # The path string must be cast to [wmiclass]; a plain string has no CreateInstance() method.
  # ${Namespace} keeps its braces because "$Namespace:" would otherwise be parsed as a drive-qualified variable.
  $NewFilter = ([wmiclass]"\\${ComputerName}\${Namespace}:__EventFilter").CreateInstance()
  $NewFilter.QueryLanguage  = $QueryLanguage
  $NewFilter.Query          = $Query
  $NewFilter.EventNamespace = $EventNamespace
  $NewFilter.Name           = $Name
  $result = $NewFilter.Put()   # Put() commits the instance to the WMI repository and returns its path

  2. Create the Consumer, which performs the action when an event arrives
  $Text         = 'the text which is to be logged'
  $FileName     = "FileName"
  $IsUnicode    = $true      # boolean, not the string "true"
  $ComputerName = "."
  $Name         = "EventConsumer Name"
  $NewConsumer = ([wmiclass]"\\${ComputerName}\root\subscription:LogFileEventConsumer").CreateInstance()
  $NewConsumer.Name      = $Name
  $NewConsumer.FileName  = $FileName
  $NewConsumer.IsUnicode = $IsUnicode
  $NewConsumer.Text      = $Text
  $NewConsumer.Put()

  3. Create the Binding, which links the EventFilter to the Consumer so that the action fires as soon as the event is captured
  $Namespace    = "root\subscription"
  $ComputerName = "."
  $NewBinding = ([wmiclass]"\\${ComputerName}\${Namespace}:__FilterToConsumerBinding").CreateInstance()
  # The two names below must match the Name values set in steps 1 and 2
  $NewBinding.Filter   = "\\${ComputerName}\ROOT\Subscription:__EventFilter.Name=`"EventFilter Name`""
  $NewBinding.Consumer = "\\${ComputerName}\ROOT\Subscription:LogFileEventConsumer.Name=`"EventConsumer Name`""
  $NewBinding.MaintainSecurityContext = $false
  $NewBinding.SlowDownProviders       = $false
  $NewBinding.Put()
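  The three steps above carried through with a concrete filter query and a log line built from the event object, as an added example that is not part of the original post. It uses Set-WmiInstance (the cmdlet form of CreateInstance()/Put()), logs every process start on the local machine, and passes the objects WMI returned into the binding instead of retyping the names. The filter and consumer names, the log path and the 5-second poll interval are assumptions of this example; it needs an elevated PowerShell session, since root\subscription is writable only by administrators.

```powershell
# Added example, not code from the original post: the three steps carried
# through with a concrete filter, logging every process start on the local
# machine. Run from an elevated PowerShell session. Names, log path and
# poll interval are assumptions of this example.
$ComputerName = "."
$Namespace    = "root\subscription"
$LogFile      = "C:\Temp\ProcessWatch.log"   # the directory must already exist

# 1. EventFilter: intrinsic event for a new Win32_Process instance, polled every 5 seconds.
#    EventNamespace is where the query runs (root\cimv2), not where the filter is stored.
$FilterArgs = @{
    Name           = "Demo_ProcessCreated_Filter"
    EventNamespace = "root\cimv2"
    QueryLanguage  = "WQL"
    Query          = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_Process'"
}
$Filter = Set-WmiInstance -ComputerName $ComputerName -Namespace $Namespace -Class __EventFilter -Arguments $FilterArgs

# 2. Consumer: LogFileEventConsumer. The %...% placeholders in Text are filled from
#    the event object, so each line records the new process's name, PID and parent PID.
$ConsumerArgs = @{
    Name      = "Demo_ProcessCreated_Logger"
    FileName  = $LogFile
    IsUnicode = $false
    Text      = "%TIME_CREATED% Name=%TargetInstance.Name% PID=%TargetInstance.ProcessId% PPID=%TargetInstance.ParentProcessId%"
}
$Consumer = Set-WmiInstance -ComputerName $ComputerName -Namespace $Namespace -Class LogFileEventConsumer -Arguments $ConsumerArgs

# 3. Binding: pass the objects WMI just returned rather than retyped path strings,
#    so a mismatched Name cannot leave the filter silently bound to nothing.
$BindingArgs = @{
    Filter                  = $Filter
    Consumer                = $Consumer
    MaintainSecurityContext = $false
    SlowDownProviders       = $false
}
$Binding = Set-WmiInstance -ComputerName $ComputerName -Namespace $Namespace -Class __FilterToConsumerBinding -Arguments $BindingArgs

# Verify the binding, then start any program and read the log the consumer wrote.
$Binding | Select-Object Filter, Consumer
Start-Process notepad.exe
Start-Sleep -Seconds 10   # give the WITHIN 5 poll a chance to fire
Get-Content $LogFile -Tail 5
```

  The subscription is permanent: it lives in the WMI repository and keeps writing to the log after a reboot until the binding, filter and consumer are removed with Remove-WmiObject.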
  II. CommandLineEventConsumer example

  1. Create the EventFilter, which selects the events to be monitored
  $EventNamespace = "the event namespace which is to be monitored"   # e.g. "root\cimv2"
  $QueryLanguage  = 'WQL'
  $Namespace      = "root\subscription"
  $ComputerName   = "."
  $Query          = "WQL Query Statement"
  $Name           = "EventFilter Name"
  $NewFilter = ([wmiclass]"\\${ComputerName}\${Namespace}:__EventFilter").CreateInstance()
  $NewFilter.QueryLanguage  = $QueryLanguage
  $NewFilter.Query          = $Query
  $NewFilter.EventNamespace = $EventNamespace
  $NewFilter.Name           = $Name
  $result = $NewFilter.Put()

  2. Create the Consumer, which performs the action (here, running a PowerShell command line)
  $Namespace    = "root\subscription"
  $ComputerName = "."
  $Name         = "EventConsumer Name"
  $ExecutablePath      = "c:\xxx\xxx\powershell.exe"
  $CommandLineTemplate = "powershell.exe -File D:\xxx\xxx.ps1"
  $NewConsumer = ([wmiclass]"\\${ComputerName}\${Namespace}:CommandLineEventConsumer").CreateInstance()
  # The WMI service runs this command line as LocalSystem every time the filter fires
  $NewConsumer.CommandLineTemplate = $CommandLineTemplate
  $NewConsumer.ExecutablePath      = $ExecutablePath
  $NewConsumer.Name                = $Name
  $NewConsumer.Put()

  3. Create the Binding, which links the EventFilter to the Consumer so that the action fires as soon as the event is captured
  $Namespace    = "root\subscription"
  $ComputerName = "."
  $NewBinding = ([wmiclass]"\\${ComputerName}\${Namespace}:__FilterToConsumerBinding").CreateInstance()
  # The two names below must match the Name values set in steps 1 and 2
  $NewBinding.Filter   = "\\${ComputerName}\ROOT\Subscription:__EventFilter.Name=`"EventFilter Name`""
  $NewBinding.Consumer = "\\${ComputerName}\ROOT\Subscription:CommandLineEventConsumer.Name=`"EventConsumer Name`""
  $NewBinding.MaintainSecurityContext = $false
  $NewBinding.SlowDownProviders       = $false
  $NewBinding.Put()
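  Because a permanent subscription keeps running after reboots and a CommandLineEventConsumer runs its command as LocalSystem, the companion check to creating one is listing what is registered. The audit and cleanup script below is an added example, not part of the original post: it resolves every __FilterToConsumerBinding in root\subscription to its filter query and consumer action, and can remove a subscription by name. The function names and the demo names in the usage lines are assumptions.

```powershell
# Added example, not from the original post. Lists every permanent WMI event
# subscription (filter -> consumer pairs) in root\subscription and, on request,
# removes one. Run elevated. Function names are assumptions of this example.
$script:SubNs = "root\subscription"

function Get-WmiSubscription {
    param([string]$ComputerName = ".")
    $filters   = @(Get-WmiObject -ComputerName $ComputerName -Namespace $script:SubNs -Class __EventFilter)
    # Querying the abstract base class returns consumers of every concrete type
    $consumers = @(Get-WmiObject -ComputerName $ComputerName -Namespace $script:SubNs -Class __EventConsumer)
    $bindings  = @(Get-WmiObject -ComputerName $ComputerName -Namespace $script:SubNs -Class __FilterToConsumerBinding)

    foreach ($b in $bindings) {
        # Filter/Consumer hold object paths such as __EventFilter.Name="X"; pull the Name out
        $fName = if ($b.Filter   -match 'Name="([^"]*)"') { $Matches[1] } else { $b.Filter }
        $cName = if ($b.Consumer -match 'Name="([^"]*)"') { $Matches[1] } else { $b.Consumer }
        $f = $filters   | Where-Object { $_.Name -eq $fName } | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $cName } | Select-Object -First 1
        # What the consumer actually does depends on its class
        $action = switch ($c.__CLASS) {
            'CommandLineEventConsumer'  { "$($c.ExecutablePath) $($c.CommandLineTemplate)".Trim() }
            'LogFileEventConsumer'      { "write to $($c.FileName)" }
            'ActiveScriptEventConsumer' { "run $($c.ScriptingEngine) script" }
            default                     { $c.__CLASS }
        }
        [pscustomobject]@{
            FilterName     = $fName
            EventNamespace = $f.EventNamespace
            Query          = $f.Query
            ConsumerClass  = $c.__CLASS
            ConsumerName   = $cName
            Action         = $action
        }
    }
}

function Remove-WmiSubscription {
    # Deletes the binding first, then the filter and consumer it referenced
    param([Parameter(Mandatory)][string]$FilterName,
          [Parameter(Mandatory)][string]$ConsumerName,
          [string]$ComputerName = ".")
    Get-WmiObject -ComputerName $ComputerName -Namespace $script:SubNs -Class __FilterToConsumerBinding |
        Where-Object { $_.Filter -like "*Name=`"$FilterName`"*" -and $_.Consumer -like "*Name=`"$ConsumerName`"*" } |
        Remove-WmiObject
    Get-WmiObject -ComputerName $ComputerName -Namespace $script:SubNs -Class __EventFilter -Filter "Name='$FilterName'" |
        Remove-WmiObject
    Get-WmiObject -ComputerName $ComputerName -Namespace $script:SubNs -Class __EventConsumer |
        Where-Object { $_.Name -eq $ConsumerName } | Remove-WmiObject
}

# Usage: review everything that is registered, then remove a subscription by its two names
Get-WmiSubscription | Format-Table -AutoSize -Wrap
# Remove-WmiSubscription -FilterName "Demo_ProcessCreated_Filter" -ConsumerName "Demo_ProcessCreated_Logger"
```

  A freshly installed Windows machine normally has no bindings in root\subscription (the built-in SCM Event Log Consumer filter is the usual exception), so any row whose Action points at an unfamiliar command line or script is worth investigating. On Windows 10 and Server 2016 and later, event ID 5861 in the Microsoft-Windows-WMI-Activity/Operational log records new permanent subscriptions, and Sysmon event IDs 19, 20 and 21 record filter, consumer and binding creation respectively.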
