Ezine 173 - PowerShell for Event Viewer
Ezine 173 - PowerShell for Event Viewer
In this week's ezine I will show you how to employ PowerShell to extract
information from the operating system's event logs.
♣
One of the hidden benefits of learning any scripting language is that you
gain better understanding of the operating system. PowerShell encourages you to look in
the event logs, something you many not have done for a while. One
reason why you may not pay as much attention to the Event logs as you should
is their sheer volume of entries. The benefit of using PowerShell is
that it's easier to create custom filters. For examples, scripts which
list not just errors, but disk errors.
This week I want to show you how PowerShell can filter
information from the event logs. The more that I use PowerShell to
interrogate the logs, the more ideas I get for checks on the operating
system. And to complete this virtuous loop, the more I put these ideas into action, the more I learn
about PowerShell. My point is that while I will give you examples to
get you started, it is my fervent wish that you will modify my examples to
extract useful information about your operating system.
But let us start by enumerating the event
logs. Make a guess, how many event logs are there on your computer?
3? 4? Let us see .....
If you remember last week I recommended five help strategies to enhance
your PowerShell experience, to help us achieve This Week's Mission I would like to
utilize the
technique:
get-help verb-Noun* -full
* Where verb-Noun is get-EventLog
Preparation - Overview
Overview
I am assuming that you have installed PowerShell, and you are sitting at
the PowerShell prompt. If necessary, downloaded the appropriate version of PowerShell and
.Net Framework
from Microsoft's site. What would help your understanding, and the
success of my examples is if you look for ways to modify my scripts to suit
your computer.
Detailed instructions
For detailed instruction on getting PowerShell up and running
see a previous ezine.
# PowerShell script to research
get-EventLog
# Author: Guy Thomas
# Version 1.0 September 2008 tested on PowerShell v 1.0
get-Help get-EventLog -full
Learning Points
Note 1: Close inspection reveals that get-EventLog
has two parallel purposes. If we choose the -list parameter, then we can
enumerate all logs on the computer. However, if we choose the -logfile
parameter then we can open up a whole world of options to interrogate and
filter the event logs.
Note 2: I have a message for you. Whenever
you call for the get-Help command always append -full, moreover, always pay
close attention to the examples that PowerShell's help supply when you add the -full parameter.
By introducing variables,
I feel as though I am starting our PowerShell 'car' in second gear.
First gear would have been plain: get-Eventlog -list
# PowerShell script to list the
EventLogs
# Author: Guy Thomas
# Version 1.1 September 2008 tested on PowerShell v 1.0
$Log = get-EventLog -list
$Log; "There are " + $Log.count + "
event logs"
Learning Points
Note 1: I could not resist introducing a variable
called $Log so that we
can count the logs more easily. Trace the effect of the semi-colon after $Log on
the last line.
Note 2: Observe how easily PowerShell handles a
mixture of text and numbers. All we need is the ubiquitous plus sign (+).
# PowerShell script to display the
last 50 events
# Author: Guy Thomas
# Version 1.2 September 2008 tested on PowerShell v 1.0
clear-host
$LogSys = get-EventLog -logname system -newest 50
$LogSys | format-Table EventID, Source -auto
Learning Points
Note 1: The crucial parameter in this script is -logname,
I have chosen a value of 'System', however, you could substitute any of the log
names indentified by the script in example 1.
Note 2: Format-Table not only displays the output
in tabular form, but also allows us to select which properties to display,
in this case just EventID and Source.
Note 3: Unearthing the -newest parameter is
another triumph for taking the preliminary and researching with: help get-Eventlog command.
Guy Recommends: Solarwinds' Log & Event Management Tool
LEM will alert you to problems such as when a key
application on a particular server is unavailable. It can also
detect when services have stopped, or if there is a
network latency problem. Perhaps this log and event management
tool's most interesting ability is to take corrective action, for
example by
restarting services, or isolating the source of a maleware attack.
Yet perhaps the killer reason why people
use LEM is for its
compliance capability, with a little help from you, it will ensure that your organization complies with industry
standards such as CISP or FERPA. LEM is a really smart
application that can make correlations between data in different logs,
then use its built-in logic to take corrective action, to restart services,
or thwart potential security breaches.
Download your FREE
trial of Solarwinds Log & Event Management tool.
Here is a script which crosses the divide from just playing, through to doing some
useful work. The idea is to list all errors in the system log.
It would make my day if you made adjustments to suit your circumstances.
For instance, you could experiment with other values for -newest.
# PowerShell script to find
errors in the system event log
# Author: Guy Thomas
# Version 1.3 September 2008 tested on PowerShell v 1.0
clear-Host
$LogSys = get-EventLog -logname system -newest 20000
$LogSys | where {$_.entryType -match "Error"} | group
eventID
Learning Points
Note 1: The new development in this script is the
'Where' clause. This is a common technique to filter the results, in this
example 'where' just matches errors in the system event log. There are two important
features of the where clause, firstly, $_. meaning this pipeline. And
secondly the comparitor -match. Alternative comparisons would be -like, or
even -eq.
Note 2: I have employed two pipes (|) to achieve
the desired
grouping of the results. The key feature of pipelining is that the output
of the first clause, $LogSys, becomes the input of the 'where' clause.
Note 3: Many of my example scripts begin with
clear-Host, I just use this in testing when I want to avoid confusion from
the results of previous versions of my script.
This example is a double-edged sword. On its own example 4 is probably
useless to you. However, if you research the eventID of a persistent
error on your computer, the example transforms into a useful tool. My problem is
that I don't know what number eventID that would be on your machine, hence
you need some preliminary research to discover your problem eventID number.
Then substitute your number for 11 in my variable $Number.
# PowerShell script to filter
specific eventID errors
# Author: Guy Thomas
# Version 1.3 September 2008 tested on PowerShell v 1.0
$Number = 11
$LogSys = get-EventLog -logname system -newest
20000
$LogSys | where {$_.entryType -match "Error" -and $_.eventID
-eq $Number}
Learning Points
Note 1: From the pure PowerShell perspective, this
script is of interest because I have introduced logical '-and', which makes the
filter more precise.
Note 2: We could improve the readability by
appending the pipeline symbol followed by:
| format-table
TimeGenerated, eventid, message -auto
PowerShell version 1.0 is not good with remote computing.
get-EventLog is particularly useless and does NOT support the -computerName
parameter. Fortunately, there is a work-around using trusty new-Object
with System.Diagnostics.Eventlog. Naturally, you need to tweak the
value for the $Server variable.
# PowerShell script to
interrogate event logs on a REMOTE computer
# Author: Guy Thomas
# Version 1.3
October 2008 tested on PowerShell v 1.0
$Log = "System"
$Server = "YourServer"
$Evtlog = new-Object
System.Diagnostics.Eventlog($Log,$Server)
$Evtlog.Entries | select
-first 10
Learning Points
Note 1: The key to this script is new-Object.
I recommend that you investigate more capabilities with the two classic
PowerShell commands:
help new-Object
new-Object System.Diagnostics.Eventlog | get-Member
If you are looking for handy network utilities, try some of the free downloads at
Tools4Ever
Summary of PowerShell for Event Viewer
In our hearts, we know that we should be looking at the event logs
more frequently. We also know that when we see those red dots in the logs,
we should take action to correct the corresponding error message.
Thus we have a task for PowerShell; in fact, we have a marriage made in
heaven. PowerShell will help us review the system, application and
other logs, while the event logs themselves will act as a vehicle for
learning more about PowerShell's benefits, capabilities and syntax.
If you like this page then please share it with your friends
See more PowerShell examples to read, write and list Windows event logs
• PowerShell Home •
Get-Eventlog •
EventVwr -list •
Get-WinEvent •
Remote Eventlog
•
WMI Win32_NTLogEvent
• Windows 8 Event Viewer •
Windows 8 Security Event Log
• PowerShell real-life task •
Write-Eventlog •
EventVwr errors •
Diagnostics •
Error examples
Please email me if you have a better example script. Also please report any factual mistakes, grammatical errors or broken links, I will be happy to correct the fault.
Download my ebook:
Getting Started with PowerShell - only $9.25
You get 36 topics organized into these 3 sections:
1) Getting Started
2) Real-life tasks
3) Examples of Syntax.
In addition to the ebook, you get a PDF version of this Introduction to PowerShell ebook It runs to 120
pages of A4.
|
