MSSQL/WMI/PowerShell结合篇（二）创建WMI监控

最新推荐文章于 2024-04-08 15:29:42 发布

Cloud Service_YI

最新推荐文章于 2024-04-08 15:29:42 发布

阅读量178

点赞数

原文链接：https://www.gzhou.cn/thread-100234-1-1.html

版权

文中所介绍的监控类型的WMI消费者主要为CommandLineEventConsumer、

LogFileEventConsumer

详细介绍参阅以下链接：
CommandLineEventConsumer
LogFileEventConsumer

下面以PowerShell脚本为例，介绍如何创建WMI事件监控

一、LogFileEventConsumer示例
1、创建EventFilter，对需要监控的事件进行过滤
${EventNamespace} = "the event namespace which is to be monitored"
${QueryLanguage} = 'WQL'
${Namespace}="root\subscription"
${ComputerName}="."
${Query}= "WQL Query Statement";
${Name}="EventFilter Name"
${NewFilter} = ([wmiclass]"\\${ComputerName}\${Namespace}:__EventFilter").CreateInstance()
${NewFilter}.{QueryLanguage} = ${QueryLanguage}
${NewFilter}.{Query} = ${Query}
${NewFilter}.{EventNamespace} = ${EventNamespace}
${NewFilter}.{Name} = ${Name}
$result = $NewFilter.Put()
2、创建Consumer，触发相应的动作
${Text} ='the text which is to be logged'
${FileName}="FileName"
${IsUnicode}="true"
${ComputerName}="."
${Name}="EventConsumer Name";
${NewConsumer} = ([wmiclass]"\\${ComputerName}\root\subscription:LogFileEventConsumer").CreateInstance()
${NewConsumer}.{Name} = ${Name}
${NewConsumer}.{FileName} = ${FileName}
${NewConsumer}.{IsUnicode} = ${IsUnicode}
${NewConsumer}.{Text} = ${Text}
$NewConsumer.Put()
3、创建Binding，绑定EventFilter、Cousumer，使得事件被捕获时立即触发动作
${Namespace}="root\subscription"
${ComputerName}="."
${NewBinding} = ([wmiclass]"\\${ComputerName}\${Namespace}:__FilterToConsumerBinding").CreateInstance()
${NewBinding}.Filter = "\\${ComputerName}\ROOT\Subscription:__EventFilter.Name=`"EventFilter Name`""
${NewBinding}.{Consumer} ="\\${ComputerName}\ROOT\Subscription:LogFileEventConsumer.Name=`"EventConsumer Name`""
${NewBinding}.{MaintainSecurityContext} = ${FALSE}
${NewBinding}.{SlowDownProviders} = ${FALSE}
$NewBinding.Put()
二、CommandLineEventConsumer示例
1、创建EventFilter，对需要监控的事件进行过滤
${EventNamespace} = "the event namespace which is to be monitored"
${QueryLanguage} = 'WQL'
${Namespace}="root\subscription"
${ComputerName}="."
${Query}= "WQL Query Statement";
${Name}="EventFilter Name"
${NewFilter} = ([wmiclass]"\\${ComputerName}\${Namespace}:__EventFilter").CreateInstance()
${NewFilter}.{QueryLanguage} = ${QueryLanguage}
${NewFilter}.{Query} = ${Query}
${NewFilter}.{EventNamespace} = ${EventNamespace}
${NewFilter}.{Name} = ${Name}
$result = $NewFilter.Put()
2、创建Consumer，触发相应的动作(以执行PowerShell命令行为例)
${Namespace}="root\subscription"
${ComputerName}="."
${Name}="EventConsumer Name";
$ExecutablePath="c:\xxx\xxx\powershell.exe"
$CommandLineTemplate="powershell.exe -File D:\xxx\xxx.ps1"
${NewConsumer} = ([wmiclass]"\\${ComputerName}\${Namespace}:CommandLineEventConsumer").CreateInstance()
${NewConsumer}.{CommandLineTemplate} = ${CommandLineTemplate}
${NewConsumer}.{ExecutablePath} = ${ExecutablePath}
${NewConsumer}.{name}=${Name}
$NewConsumer.Put()
3、创建Binding，绑定EventFilter、Cousumer，使得事件被捕获时立即触发动作
${Namespace}="root\subscription"
${ComputerName}="."
${NewBinding} = ([wmiclass]"\\${ComputerName}\${Namespace}:__FilterToConsumerBinding").CreateInstance()
${NewBinding}.Filter = "\\${ComputerName}\ROOT\Subscription:__EventFilter.Name=`"EventFilter Name`""
${NewBinding}.{Consumer} ="\\${ComputerName}\ROOT\Subscription:CommandLineEventConsumer.Name=`"EventConsumer Name`""
${NewBinding}.{MaintainSecurityContext} = ${FALSE}
${NewBinding}.{SlowDownProviders} = ${FALSE}
$NewBinding.Put()

SD-WAN是介于虚拟专用网与MPLS之间的新推出的一种产品，它的效果比MPLS稍差，但比虚拟专用网好很多，最重要的是他的价格比起MPLS来说，价格十分亲民，另外如果两个需要专线联通的分支机构之家的距离越远，其效果比MPLS相差越小，所以SD-WAN出现以来，大大减少了企业的成本，越来越受到企业的青睐。