PowerShell Scripting with get-Eventlog

Introduction to Scripting Eventlog with PowerShell

Let us begin by taking stock of the operating system's event logs.  In our hearts, we know that we should be looking at these logs more often.  We also know that when we see those red dots in the logs, we should take action to correct the corresponding error message.

Thus we have a task for PowerShell; in fact, we have a marriage made in heaven.  PowerShell will help us review the system, application and other logs, while the eventlogs themselves will act as a vehicle for learning more about PowerShell's benefits, capabilities and syntax.


PowerShell Example 1: Eventlog -list

Instructions:

Pre-requisite: Visit Microsoft's site and download the correct version of PowerShell for your operating system.

Here are instructions for executing the PowerShell code from the command line.

  • Launch Windows PowerShell
  • Copy all the lines of code into memory
    (For instance, from the Example below)
  • Right-click on the PowerShell symbol
  • Edit --> Paste
  • Check the menus on screenshot to the right
  • Press 'Enter' to execute the pasted code

Our first task is to discover how many different logs there are on your machine.   Therefore, to discover if your computer has 3, 6, or more logs, append the -list parameter to the get-Eventlog command:

# PowerShell script to list the event logs.
get-Eventlog -list

Learning Points

Note 1: You may have guessed that the hash # symbol is PowerShell's way of introducing a comment.

Note 2: -list is correct; please note that you do need that dash.

Action Point:  Launch the Event Viewer, visit the actual logs and adjust the 'Retain' time and the Overflow action.

PowerShell Example 2: Display error messages from your System log

# PowerShell script to find Error messages in the System eventlog.
get-EventLog system -newest 2000 | where {$_.entryType -match "Error"}

Learning Points

I realize that most people will just copy and paste my script, but for those who want to look behind the script, or those who get stuck, I provide 'Learning Points'.  My greatest joy is if you would experiment with my code, for example, change 2000 to 10000; or more adventurously, change get-Eventlog system to get-Eventlog application.

Note 1: You could simplify the script further and just type:
get-EventLog system

Note 2:  Each word, and indeed every symbol, has deep meaning to PowerShell.  (|) pipes the output of the first clause into the 'Where' statement.   As a result the output is filtered so that you see only error messages, and not information or warning messages.

Note 3:  PowerShell supports a whole family of conditional statements, for example, -like, -contains, or even plain -eq (Equals), but for this job, I chose -match.


Trusty Twosome (Get-Help and Get-Member)

Whenever you discover a new PowerShell command, it benefits from being surveyed with what I call the 'Trusty Twosome'.  In this instance, if you research a verb-noun command with get-Help and get-Member, then you are sure to unearth new scripting possibilities. To see what I mean, apply these two commands to get-Eventlog:

1) get-Help get-Eventlog
    If you want to see examples of the get-Eventlog in action try:
    help eventlog -full

Get-Help displays useful parameters such as: -list, -logname, and -newest.  Indeed, the first thing to remember about get-Eventlog is that it needs the name of the log, for example: get-Eventlog system.  Remember that PowerShell is looking for a positional argument, thus 'system' is the name of the log and is an argument, and not a parameter.  To determine this difference, PowerShell expects a parameter to be introduced with a -dash, whereas an argument is preceded by only a space.

Other names of logs that you can substitute for 'system' are: Application, Security and even PowerShell itself has a log.  Windows Server 2003 is likely to have yet more logs, for example, Directory Service and DNS Server.

2) get-Eventlog system | get-Member -MemberType property
    If you wish to shorten the command, gm is an alias for get-Member: get-Eventlog system | gm -MemberType property.

The above command reveals a list of properties that you can then use in the output, for example, category and source.


PowerShell Example 3: Errors in the System log

This example produces a very similar result to Example 2 above.  The whole point of the extra code is to give us more control over the output.  There are numerous ways that you could achieve the same list of events; indeed, many of them are technically superior to mine.  However, while we are in learning mode, as opposed to production mode, I feel strongly that this script should demonstrate useful PowerShell features such as: $Variables, the pipeline, format-Table and the tiny ` backtick.

# Script to find the Error entries among the latest 2000 events in the System eventlog
$SysEvent = get-EventLog -logname system -newest 2000
# Keep only entries whose EntryType is Error
$SysError = $SysEvent | where {$_.entryType -match "Error"}
# Sort by EventID, then display chosen properties; the backtick continues the command on the next line
$SysError | sort eventid | `
Format-Table EventID, Source, TimeWritten, Message -auto

Learning Points

Note 1:  Guy loves variables.  In PowerShell you just declare variables with a $dollar sign.  There is nothing else you need to do!

Note 2:  The first example employed one pipeline (|), whereas this script has three (|)s.  This technique of using the output of the first clause as the input of the second clause, is a characteristic benefit of PowerShell.

Challenge 1:  I chose to sequence the data with: sort eventid.  Now, I challenge you to sort on TimeWritten.

Challenge 2:  In my opinion, it's not necessary to include entryType in the Format-Table statement, but I challenge you to add it, and then see if I am right, or see if I am wrong to omit this property.

Challenge 3:  I used the backtick ` to run one command over two lines.  You could try removing the backtick and making fewer, but longer lines.  Other experiments that you could try with backtick include putting a ` at a different point in the script.  Even better, try for one long but efficient command, perhaps use only one variable.
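The following script is an added example, not code from the original page; it works through the three challenges above and extends Example 3 into a small triage pass over the System log. It assumes PowerShell 2.0 or later, where Get-EventLog also accepts the -EntryType and -After parameters (Example 3 itself relies only on -LogName and -Newest).

```powershell
# Added example (not from the original page): triage the newest System-log
# errors and warnings, building on Example 3 and its three challenges.
# Assumes PowerShell 2.0 or later for the -EntryType and -After parameters.

# Number of recent entries to inspect; change it as the page suggests (2000 -> 10000).
$Newest = 2000

# 'System' is a positional argument (the log name); -Newest is a named parameter.
$SysEvent = Get-EventLog System -Newest $Newest

# Keep Errors and Warnings. -eq compares the EntryType value to a string,
# which is stricter than -match (no partial matches).
$SysProblem = $SysEvent | Where-Object {
    $_.EntryType -eq 'Error' -or $_.EntryType -eq 'Warning'
}

# Challenge 1: sort on TimeWritten, newest first.
# Challenge 2: EntryType is included so Errors and Warnings can be told apart.
# Challenge 3: the backtick continues the command on the next line.
$SysProblem | Sort-Object TimeWritten -Descending | `
    Format-Table TimeWritten, EntryType, EventID, Source, Message -AutoSize

# Summary view: which sources generate the most problems? A source that
# suddenly dominates this list is the one to open first in Event Viewer.
$SysProblem | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# The same filter done by the cmdlet itself with the 2.0 parameters, limited
# to the last 24 hours; -EntryType accepts a list of entry types.
Get-EventLog -LogName System -EntryType Error, Warning -After (Get-Date).AddDays(-1) |
    Sort-Object TimeWritten -Descending |
    Format-Table TimeWritten, EntryType, EventID, Source -AutoSize
```

Substitute Application or Security for System to run the same triage against another log.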

Summary of PowerShell Eventlog Scripts

I believe that PowerShell has a future.  My mission is to get you started using this scripting language.  What suits my learning style is concrete examples, where we learn by doing.  It is my belief that a good way to begin is by employing PowerShell to tackle everyday tasks such as reviewing the eventlogs.

Just by issuing a few variations of the command 'get-Eventlog system', you will soon get a feeling of the abilities of PowerShell.  Moreover, as a bonus you will soon obtain useful information about events in your operating system.  The command: 'get-Eventlog application' has a wide range of switches, for example -list and -newest.  What is always instructive with any PowerShell command, is get-Member, for example:
get-Eventlog system | get-Member.



Home Copyright © 1999-2009 Computer Performance LTD All rights reserved
