返回使用PowerShell和Windows事件查看器从当服务被停止，并开始

如果我们考察一下当地的Windows Server系统事件查看器，我可以看到我重新启动该服务的Apache Tomcat用户名..返回使用PowerShell和Windows事件查看器从当服务被停止，并开始

然而，我有一个每天运行的报告，显示没有任何用户。而且，我们想要的是显示“系统”或“域\用户”或“用户”将罚款。

$time = [System.Management.ManagementDateTImeConverter]::ToDmtfDateTime((Get-Date).AddHours(-24)) 
    $TomcatEvents =  Get-WmiObject Win32_NTLogEvent -ComputerName $servern -Filter "LogFile='system' AND (Message like '%Tomcat%') AND (EventCode=7036) AND (TimeWritten >= '$time')" | 
    select @{n="Server";e={$servern}},Logfile,Type,User,@{name='TimeWritten';Expression={$_.ConvertToDateTime($_.TimeWritten)}},SourceName,Message,EventCode | sort-object TimeWritten -desc 

我也曾尝试以下操作：

$time = (Get-Date).AddHours(-24) 
Get-eventlog -computername SERVER_NAME -logname System | Where-Object { $_.EventID -eq 7036 -and $_.TimeGenerated -gt $time -and $_.EntryType -eq 'Information' -and $_.Source -eq "Service Control Manager" -and $_.Message -Like '*Tomcat*' } | 
select TimeGenerated,MachineName,EventID,@{n='Account Name';e={$_.ReplacementStrings[-7]}},@{n='Domain Name';e={$_.ReplacementStrings[5]}},@{n='Caller Computer Name';e={$_.ReplacementStrings[1]}},EntryType,Message | 
convertto-html | out-file c:\test.html 

不工作，要么..让我们看看替换字符串是如何显示...

Get-EventLog -LogName System -EntryType Information -Newest 10 | Where-Object { $_.EventID -eq 7036 } | 
    Select-Object -Property * | 
    ForEach-Object { 
    $_.ReplacementStrings = $_.ReplacementStrings -join ',' 
    $_.Data = $_.Data -join ',' 
    $_  
    } 

替换字符串如下所示：

EventID   : 7036 
MachineName  : SERVER_NAME 
Data    : 
Index    : 207410 
Category   : (0) 
CategoryNumber  : 0 
EntryType   : Information 
Message   : The Apache Tomcat 6 service entered the running state. 
Source    : Service Control Manager 
ReplacementStrings : Apache Tomcat 6,running 
InstanceId   : 1073748860 
TimeGenerated  : 11/21/2014 8:08:48 AM 
TimeWritten  : 11/21/2014 8:08:48 AM 
UserName   : 
Site    : 
Container   :