PowerShell Ezine, Logon Scripts

Guy recommends :
Free - WMI Monitor

WMI Monitor

Guy's Review of
Computer Utilities

1) FreePing
2) LanSurveyor
3) Xobni
4) PuTTY (UNIX)
5) WMI Monitor
6) BgInfo
7) Net-SNMP
8) Engineer's Toolset
9) DNS Stuff
10) WinDiff

Short computer jokes

Ezine 173 - PowerShell for Event Viewer

Ezine 173 - PowerShell for Event Viewer

In this week's ezine I will show you how to employ PowerShell to extract information from the operating system's event logs.

 ♣

This Week's Secret

One of the hidden benefits of learning any scripting language is that you gain better understanding of the operating system.  PowerShell encourages you to look in the event logs, something you many not have done for a while.  One reason why you may not pay as much attention to the Event logs as you should is their sheer volume of entries.  The benefit of using PowerShell is that it's easier to create custom filters.  For examples, scripts which list not just errors, but disk errors.

This Week's Mission - To Interrogate the Event Logs

This week I want to show you how PowerShell can filter information from the event logs.  The more that I use PowerShell to interrogate the logs, the more ideas I get for checks on the operating system.  And to complete this virtuous loop, the more I put these ideas into action, the more I learn about PowerShell.  My point is that while I will give you examples to get you started, it is my fervent wish that you will modify my examples to extract useful information about your operating system.

But let us start by enumerating the event logs.  Make a guess, how many event logs are there on your computer?  3? 4?  Let us see .....

If you remember last week I recommended five help strategies to enhance your PowerShell experience, to help us achieve This Week's Mission I would like to utilize the technique:
get-help verb-Noun* -full

* Where verb-Noun is get-EventLog

Preparation - Overview

Overview
I am assuming that you have installed PowerShell, and you are sitting at the PowerShell prompt.  If necessary, downloaded the appropriate version of PowerShell and .Net Framework from Microsoft's site.  What would help your understanding, and the success of my examples is if you look for ways to modify my scripts to suit your computer.

Detailed instructions
For detailed instruction on getting PowerShell up and running see a previous ezine.

Preliminary Example: Help get-EventLog -full

# PowerShell script to research get-EventLog
# Author: Guy Thomas
# Version 1.0 September 2008 tested on PowerShell v 1.0

get-Help get-EventLog -full

Learning Points

Note 1:  Close inspection reveals that get-EventLog has two parallel purposes.  If we choose the -list parameter, then we can enumerate all logs on the computer.  However, if we choose the -logfile parameter then we can open up a whole world of options to interrogate and filter the event logs.

Note 2:  I have a message for you.  Whenever you call for the get-Help command always append -full, moreover, always pay close attention to the examples that PowerShell's help supply when you add the -full parameter.

Example 1: get-EventLog -list

By introducing variables, I feel as though I am starting our PowerShell 'car' in second gear.  First gear would have been plain:  get-Eventlog -list

# PowerShell script to list the EventLogs
# Author: Guy Thomas
# Version 1.1 September 2008 tested on PowerShell v 1.0

$Log = get-EventLog -list
$Log; "There are " + $Log.count + " event logs"

Learning Points

Note 1:  I could not resist introducing a variable called $Log so that we can count the logs more easily.  Trace the effect of the semi-colon after $Log on the last line.

Note 2:  Observe how easily PowerShell handles a mixture of text and numbers.  All we need is the ubiquitous plus sign (+).

Example 2: Listing EventLog Items

# PowerShell script to display the last 50 events
# Author: Guy Thomas
# Version 1.2 September 2008 tested on PowerShell v 1.0

clear-host
$LogSys = get-EventLog -logname system -newest 50
$LogSys | format-Table EventID, Source -auto

Learning Points

Note 1:  The crucial parameter in this script is -logname, I have chosen a value of 'System', however, you could substitute any of the log names indentified by the script in example 1.

Note 2:  Format-Table not only displays the output in tabular form, but also allows us to select which properties to display, in this case just EventID and Source.

Note 3:  Unearthing the -newest parameter is another triumph for taking the preliminary and researching with: help get-Eventlog command.

Example 3: Finding the 'Errors' in the System EventLog

Here is a script which crosses the divide from just playing, through to doing some useful work.  The idea is to list all errors in the system log.  It would make my day if you made adjustments to suit your circumstances.  For instance, you could experiment with other values for -newest.

# PowerShell script to find errors in the system event log
# Author: Guy Thomas
# Version 1.3 September 2008 tested on PowerShell v 1.0

clear-Host
$LogSys = get-EventLog -logname system -newest 20000
$LogSys | where {$_.entryType -match "Error"} | group eventID

Learning Points

Note 1:  The new development in this script is the 'Where' clause.  This is a common technique to filter the results, in this example 'where' just matches errors in the system event log.  There are two important features of the where clause, firstly, $_. meaning this pipeline.  And secondly the comparitor -match.  Alternative comparisons would be -like, or even -eq.

Note 2:  I have employed two pipes (|) to achieve the desired grouping of the results.  The key feature of pipelining is that the output of the first clause, $LogSys, becomes the input of the 'where' clause.

Note 3:  Many of my example scripts begin with clear-Host, I just use this in testing when I want to avoid confusion from the results of previous versions of my script.

Example 4: Filtering a Specific EventID

This example is a double-edged sword.  On its own example 4 is probably useless to you.  However, if you research the eventID of a persistent error on your computer, the example transforms into a useful tool.  My problem is that I don't know what number eventID that would be on your machine, hence you need some preliminary research to discover your problem eventID number.  Then substitute your number for 11 in my variable $Number.

# PowerShell script to filter specific eventID errors
# Author: Guy Thomas
# Version 1.3 September 2008 tested on PowerShell v 1.0

$Number = 11
$LogSys = get-EventLog -logname system -newest 20000
$LogSys | where {$_.entryType -match "Error" -and $_.eventID -eq $Number}

Learning Points

Note 1:  From the pure PowerShell perspective, this script is of interest because I have introduced logical '-and', which makes the filter more precise.

Note 2:  We could improve the readability by appending the pipeline symbol followed by:
 | format-table TimeGenerated, eventid, message -auto

Example 5: Remote Event logs

PowerShell version 1.0 is not good with remote computing.  get-EventLog is particularly useless and does NOT support the -computerName parameter.  Fortunately, there is a work-around using trusty new-Object with System.Diagnostics.Eventlog.  Naturally, you need to tweak the value for the $Server variable.

# PowerShell script to interrogate event logs on a REMOTE computer
# Author: Guy Thomas
# Version 1.3 October 2008 tested on PowerShell v 1.0

$Log = "System"
$Server = "YourServer"
$Evtlog = new-Object System.Diagnostics.Eventlog($Log,$Server)
$Evtlog.Entries | select -first 10

Learning Points

Note 1:  The key to this script is new-Object.  I recommend that you investigate more capabilities with the two classic PowerShell commands:

help new-Object

new-Object System.Diagnostics.Eventlog | get-Member

If you are looking for handy network utilities, try some of the free downloads at Tools4Ever

Summary of PowerShell for Event Viewer

In our hearts, we know that we should be looking at the event logs more frequently.  We also know that when we see those red dots in the logs, we should take action to correct the corresponding error message.

Thus we have a task for PowerShell; in fact, we have a marriage made in heaven.  PowerShell will help us review the system, application and other logs, while the event logs themselves will act as a vehicle for learning more about PowerShell's benefits, capabilities and syntax.

See more PowerShell examples to read, write and list Windows event logs

PowerShell Home   • EventVwr -list   • Get-Eventlog   • Get-WinEvent   • Remote Eventlog

PowerShell real-life task   • Error examples   • EventVwr errors   • Diagnostics   • Write-Eventlog

Please write in if you have a better example script. Also please report any factual mistakes, grammatical errors or broken links, I will be happy to correct the fault.

Download my ebook:Getting Started with PowerShell
Getting Started with PowerShell - only $9.25

You get 36 topics organized into these 3 sections:
   1) Getting Started
   2) Real-life tasks
   3) Examples of Syntax.

In addition to the ebook, you get a PDF version of this  Introduction to PowerShell ebook  It runs to 120 pages of A4.

 *

Google

Web  This website

Guy Recommends: SolarWinds Engineer's Toolset v10Engineer's Toolset v10

The Engineer's Toolset v10 provides a comprehensive console of utilities for troubleshooting computer problems.

There are so many good gadgets, it's like having free rein of a sweetshop. Thankfully the utilities are displayed logically: monitoring, discovery, diagnostic, and Cisco tools.  Download your copy of the Engineer's Toolset v 10

 

Home Copyright © 1999-2010 Computer Performance LTD All rights reserved.

Please report a broken link, or an error.