Introduction to Scripting the Eventlog with PowerShell
Let us begin by taking stock of the operating system's event logs. In our hearts, we know that we should be looking at these logs more often. We also know that when we see those red dots in the Event Viewer, we should take action to correct the corresponding error message.
Thus we have a task for PowerShell; in fact, we have a marriage made in heaven. PowerShell will help us review the system, application and other logs, while the event logs themselves will act as a vehicle for learning more about PowerShell's benefits, capabilities and syntax.
In the case of Windows 7 and Server 2008, you don't need to download any extra files; just 'Add Feature' Windows PowerShell. However, for older operating systems, installing can be confusing because there are different versions of PowerShell for XP, Windows Server 2003 and Vista. For such legacy systems only, you need to download PowerShell from Microsoft's site.
Once you have installed PowerShell 2.0, I recommend choosing the ISE (Integrated Scripting Environment) version; it will save you buying a text editor.
Our first task is to enumerate the event logs present on your machine. Therefore, to discover whether your computer has 3, 6, or more individual logs, append the -list parameter to the Get-Eventlog command:

# PowerShell script to enumerate the event logs.
Get-Eventlog -list
Learning Points
Note 1a: You may have guessed that the hash # symbol is PowerShell's way of introducing a comment.
Note 1b: -list is correct; please note that you do need that dash to introduce a PowerShell parameter.
Action Point: Please launch your Event Viewer; PowerShell scripts benefit from a visit to the actual logs, so my challenge is to adjust the 'Retain' time and the Overflow action manually. This is my way of encouraging you to have the GUI open to compare with the PowerShell scripts.
Action Point: PowerShell v2.0 has a new cmdlet called Get-WinEvent; use it to list even more event logs.
Key point: Get-Eventlog is followed by the name of the log, in this case 'system'.

# PowerShell script to search Error messages in the System eventlog.
Clear-Host
Get-Eventlog system -newest 2000 | where {$_.entryType -match "Error"}
Learning Points
I realize that most people will just copy and paste my script, but for those who want to look behind the script, or those who get stuck, I provide 'Learning Points'. My greatest joy is if you would experiment with my code, for example, change -newest 2000 to 10000; or, more adventurously, change Get-Eventlog system to Get-Eventlog application.
Note 2a: When you want PowerShell to search an event log, you could simplify the script further and just type: Get-Eventlog system
Note 2b: Each word, and indeed every symbol, has deep meaning to PowerShell. The pipe (|) passes the output of the first clause into the 'Where' statement. As a result the output is filtered so that you see only error messages, and not information or warning messages.
Note 2c: PowerShell supports a whole family of comparison operators, for example -like, -contains, or even plain -eq (equals), but for this job I chose -match.
This example produces a very similar result to the example above. The whole point of the extra code is to give us more control over the output.
There are numerous ways that you could achieve the same list of events; indeed, many of them are technically superior to mine. However, while we are in learning mode, as opposed to production mode, I feel strongly that this script should demonstrate useful PowerShell features such as: $Variables, the pipeline, Format-Table and the tiny ` backtick.

# Cmdlet to find latest 2000 errors in the System eventlog
Clear-Host
$SysEvent = Get-Eventlog -logname system -newest 2000
$SysError = $SysEvent | where {$_.entryType -match "Error"}
$SysError | sort eventid | `
Format-Table EventID, Source, TimeWritten, Message -auto
Learning Points
Note 3a: Guy loves variables. In PowerShell you just declare variables with a $dollar sign; there is nothing else you need to do!
Note 3b: In Example 1 we employed one pipeline (|), whereas this script has three (|)s. This technique of using the output of the first clause as the input of the second clause is a characteristic benefit of PowerShell.
Challenge 1: I chose to sequence the data with: sort eventid. Now, I challenge you to sort on TimeWritten.
Challenge 2: In my opinion, it's not necessary to include entryType in the Format-Table statement, but I challenge you to add it, and then see if I am right, or see if I am wrong to omit this property.
Challenge 3: I used the backtick ` to run one command over two lines. You could try removing the backtick and making fewer, but longer, lines. Other experiments that you could try with the backtick include putting a ` at a different point in the script. Even better, try for one long but efficient command, perhaps using only one variable.
Whenever you discover a new PowerShell command, it benefits from being surveyed with what I call the 'Trusty Twosome'. In this instance, if you research a verb-noun command with Get-Help and Get-Member, then you are sure to unearth new scripting possibilities. To see what I mean, try:
Get-Help confirms support for the -ComputerName parameter; thus, in addition to using Event Viewer, PowerShell can interrogate the logs on network machines.
Get-Help also displays useful parameters such as: -list, -logname, and -newest.
Indeed, the first thing to remember about Get-Eventlog is that it needs the name of the log, for example: Get-Eventlog system. Remember that PowerShell is looking for a positional argument; thus 'system' is the name of the log and is an argument, not a parameter.
To tell the difference: PowerShell expects a parameter to be introduced with a -dash, whereas an argument is preceded only by a space.
Other names of logs that you can substitute for 'system' are: Application, Security and even PowerShell itself has a log. Windows Server is likely to have yet more logs, for example, Directory Service and DNS Server.
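To tie together the three challenges from Example 3 (sort on TimeWritten, include EntryType) with the -ComputerName parameter and the extra log names just mentioned, here is an added example of my own; it is not part of the original page's scripts. It needs Windows PowerShell (Get-EventLog is not present in PowerShell 7), and the function name and its parameter defaults are my own choices.

```powershell
# Added example (not from the original page): a reusable review function built
# on the same Get-EventLog pipeline the article uses. It keeps Errors and
# Warnings (the red and yellow icons in Event Viewer), summarises them per
# source and event id, and shows when each problem was last seen.
function Get-RecentLogProblems {
    [CmdletBinding()]
    param(
        # Logs to review; use the names shown by Get-EventLog -List
        [string[]] $LogName = @('System', 'Application'),
        # How many of the newest entries to read from each log
        [int] $Newest = 2000,
        # Only entries newer than this are kept (default: the last 24 hours)
        [datetime] $After = (Get-Date).AddDays(-1),
        # Local machine by default; pass another name to review a remote log
        [string] $ComputerName = $env:COMPUTERNAME
    )

    foreach ($log in $LogName) {
        # -EntryType replaces the "where entryType -match Error" clause,
        # and -After stops us reading entries we have already dealt with
        $entries = Get-EventLog -LogName $log -Newest $Newest -After $After `
                                -EntryType Error, Warning -ComputerName $ComputerName `
                                -ErrorAction SilentlyContinue

        # One summary row per (source, event id): how often it fired and when last
        $entries |
            Group-Object -Property Source, EventID |
            ForEach-Object {
                $latest = $_.Group | Sort-Object TimeWritten -Descending | Select-Object -First 1
                [pscustomobject]@{
                    Log       = $log
                    EntryType = $latest.EntryType
                    Source    = $latest.Source
                    EventID   = $latest.EventID
                    Count     = $_.Count
                    LastSeen  = $latest.TimeWritten
                    # First line of the message only, so the table stays readable
                    Message   = ($latest.Message -split "`n")[0]
                }
            }
    }
}

# Run it: the noisiest sources first, most recent within each
Get-RecentLogProblems |
    Sort-Object Count, LastSeen -Descending |
    Format-Table Log, EntryType, Source, EventID, Count, LastSeen, Message -AutoSize
```

Comparing the Count column against what you see in Event Viewer is a quick way to check that the -Newest and -After limits are not hiding recurring problems.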
I believe that PowerShell has a future. My mission is to get you started using this scripting language. What suits my learning style is concrete examples, where we learn by doing. It is my belief that a good way to begin is by employing PowerShell to tackle everyday tasks such as reviewing the multitude of event logs.
Just by issuing a few variations of the command 'Get-Eventlog system', you will soon get a feel for the abilities of PowerShell. Moreover, as a bonus you will soon obtain useful information about events in your operating system. The command 'Get-Eventlog application' has a wide range of switches, for example -list and -newest. What is always instructive with any PowerShell command is Get-Member, for example:
Get-Eventlog system | Get-Member
Please email me if you have a better example script. Also please report any factual mistakes, grammatical errors or broken links; I will be happy to correct the fault.