问题描述

谁能告诉我为什么下面的选择不起作用?我没有错误.他们什么也没返回.

Would anyone be able to tell my why the selects below don't work? I don't get errors. They just return nothing.

下面的xml是转换为xml的实际事件日志项.我只更改了一些值以确保本文中不会包含私人信息.

The xml below is the actual event log item converted to xml. I only changed a few values to ensure not private info would be in this post.

$Str表示单个事件日志项的输出.即$event.ToXml().

$Str represents output from a single event log item. i.e. $event.ToXml().

$str = @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4624</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2014-06-05T12:41:42.490143500Z" />
    <EventRecordID>425650</EventRecordID>
    <Correlation />
    <Execution ProcessID="636" ThreadID="2084" />
    <Channel>Security</Channel>
    <Computer>SERVERHOSTNAME.some.domain.here</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-x-xx</Data>
    <Data Name="TargetUserName">SERVERHOSTNAME$</Data>
    <Data Name="TargetDomainName">TESTDOM</Data>
    <Data Name="TargetLogonId">0x0000000</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">Kerberos</Data>
    <Data Name="AuthenticationPackageName">Kerberos</Data>
    <Data Name="WorkstationName"></Data>
    <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">::1</Data>
    <Data Name="IpPort">0</Data>
  </EventData>
</Event>
"@
[xml]$x = $str

#Why isn't this select working?
$x.SelectNodes("/Event/EventData")

#what I am actually trying to accomplish is selecting the value
#associated to specific attributes, i.e.
$UserSid = $x.SelectSingleNode("/Event/EventData/Data[@name='TargetUserSid']").Value
$UserName = $x.SelectSingleNode("/Event/EventData/Data[@name='TargetUserName']").Value

我只是一个XML专家，不足以理解为什么这些选择不起作用. xml具有命名空间(作为<event/>标记中的属性，并且已正确设置格式.

I am just not enough of an XML guru to understand why these selects are not working. The xml has a namespace (as an attribute in the <event/> tag and is properly formatted.

任何对此的见识将不胜感激.

Any insight into this would be appreciated.

推荐答案

在使用XML时，这是一个经典问题.您的XML具有默认名称空间(xmlns="....").在同一名称空间中定义了名称空间的元素及其所有后代，不带前缀，也没有不同的默认名称空间声明.

This is a classic problem when working with XML; your XML has default namespace (xmlns="...."). The element where the namespace defined and all it's descendants without prefix and without different default namespace declaration considered in the same namespace.

要访问命名空间中的元素，必须声明一个指向命名空间URI的前缀，然后在XPath查询中使用该前缀，例如:

To be able to access elements in a namespace you have to declare a prefix that point to the namespace URI and use that prefix in your XPath query, for example :

.......
$ns = New-Object System.Xml.XmlNamespaceManager($x.NameTable)
$ns.AddNamespace("ns", $x.DocumentElement.NamespaceURI)
$x.SelectNodes("/ns:Event/ns:EventData", $ns)

这篇关于PowerShell事件日志xml xpath选择不起作用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！