您可以查询 event_historical 数据库,以显示错误事件、警告事件和特定的最新事件。
注: 将以下示例中的 dbo.VE_ 前缀替换为事件数据库的相应前缀。
列出错误事件
以下查询显示 event_historical 表中的所有错误事件。
CREATE VIEW error_events AS
(
SELECT ev.EventID, ev.Time, ev.Module, ev.EventType, ev.ModuleAndEventText
FROM dbo.VE_event_historical AS ev
WHERE ev.Severity = ‘ERROR’
);
列出警告事件
以下查询显示 event_historical 表中的所有警告事件。
CREATE VIEW warning_events AS
(
SELECT ev.EventID, ev.Time, ev.Module, ev.EventType, ev.ModuleAndEventText
FROM dbo.VE_event_historical AS ev
WHERE ev.Severity = ‘WARNING’
);
列出最新事件
以下查询列出与域 MYDOM 中用户 fred 关联的所有最新事件。
CREATE VIEW user_fred_events AS
(
SELECT ev.EventID, ev.Time, ev.Module, ev.EventType, ev.Severity, ev.Acknowledged
FROM dbo.VE_event_historical AS ev,
dbo.VE_event_data_historical AS ed
WHERE ev.EventID = ed.EventID AND ed.Name = 'UserDisplayName' AND ed.StrValue =
‘MYDOM\fred’
);
以下查询列出计算机上的代理关闭的所有最新事件。
CREATE VIEW agent_shutdown_events AS
(
SELECT ev.EventID, ev.Time, ed.StrValue
FROM dbo.VE_event_historical AS ev,
dbo.VE_event_data_historical AS ed
WHERE ev.EventID = ed.EventID AND ev.EventType = ‘AGENT_SHUTDOWN’ AND
ed.Name = ‘MachineName’
);
以下查询列出因桌面池为空而导致桌面启动失败的所有最新事件。
CREATE VIEW desktop_launch_failure_events AS
(
SELECT ev.EventID, ev.Time, ed1.StrValue, ed2.StrValue
FROM dbo.VE_event_historical AS ev,
dbo.VE_event_data_historical AS ed1,
dbo.VE_event_data_historical AS ed2
WHERE ev.EventID = ed1.EventID AND ev.EventID = ed2.EventID AND
ev.EventType = ‘BROKER_POOL_EMPTY’ AND
ed1.Name = ‘UserDisplayName’ AND ed2.Name = ‘DesktopId’
);
以下查询列出管理员移除了桌面池的所有最新事件。
CREATE VIEW desktop_pool_removed_events AS
(
SELECT ev.EventID, ev.Time, ed1.StrValue, ed2.StrValue
FROM dbo.VE_event_historical AS ev,
dbo.VE_event_data_historical AS ed1,
dbo.VE_event_data_historical AS ed2
WHERE ev.EventID = ed1.EventID AND ev.EventID = ed2.EventID AND
ev.EventType = ‘ADMIN_DESKTOP_REMOVED’ AND
ed1.Name = ‘UserDisplayName’ AND ed2.Name = ‘DesktopId’
);
