Event Log help

This topic contains 5 replies, has 2 voices, and was last updated by John K 3 years, 9 months ago.

  • #11146

    John K
    Participant

    Hi,

    I started a thread in the old forum but since then my account seems to have disappeared. I can see the old thread but it doesn't work...like my account.

    Before you read on, I should mention I'm a PS noob.

    I have been working on a script that will contact a number of remote servers and check the application event log over the last 24 hours. I want any repeat alerts to simply count up rather than keep being displayed in the output.

    The problem I'm having is I tried using "group-object -property eventid". This provides me with a count of repeat alerts but kills the formatting.

    Here's my script and sample output with "group-object -property eventid" included. Without it the output is nice but doesn't give me a repeat count. Hopefully the web page doesn't mess it up.

    Invoke-Command -ComputerName (Get-Content C:\test_servers.txt) -Command {Get-EventLog -LogName application -EntryType Error, warning, information -After $(Get-Date).AddHours(-24)| Select-Object machinename, entrytype, message, source, eventid | group-object -property eventid| format-list}| out-file c:\test_eventlog_group.txt

    Sample output:
    Name : 1704
    Count : 2
    Group : {@{MachineName=SERVER1; EntryType=Information; Message=Security policy in the Group policy objects has been applied successfully.;
    Source=SceCli; EventID=1704}, @{MachineName=SERVER!; EntryType=Information; Message=Security policy in the Group policy objects has been applied
    successfully.; Source=SceCli; EventID=1704}}
    Values : {1704}

    It seems all the content is contained in the "group" field.

    Any help appreciated.

  • #11147

    Dave Wyatt
    Moderator

    What do you want the output file to look like, ideally? I'm not sure what you're trying to accomplish with the Group-Object cmdlet yet.

  • #11148

    John K
    Participant

    This example would be nice:

    MachineName :
    EntryType : Information
    Message : Security policy in the Group policy objects has been applied successfully.
    Source : SceCli
    EventID : 1704
    Count : The amount of time this alert has repeated.

    Next server: same again.

    I hoped by grouping the alerts by eventID I would be able to achieve the above.

  • #11149

    Dave Wyatt
    Moderator

    OK, you're on the right track. I haven't tested this code, but something like this might work. I've separated the code out into multiple lines to make it more readable. The main change is that instead of outputting the GroupInfo objects to a file, I took the first actual event object and added a "Count" property to it, and that's what gets passed on to Format-List and Out-File.

    On a side note, you might want to group by both EventID and Source (as that's what uniquely identifies a type of event), rather than just EventID. I've shown how to do that in the example below.

    Edit: Moved the ForEach-Object loop back into the remote script block, to improve performance (reducing the amount of traffic sent over the network.)

    $remoteScriptBlock = {
        Get-EventLog -LogName application -EntryType Error, warning, information -After (Get-Date).AddHours(-24) |
        Select-Object machinename, entrytype, message, source, eventid |
        Group-Object -Property EventID, Source |
        ForEach-Object {
            $groupInfo = $_
            Add-Member -InputObject $groupInfo.Group[0] -MemberType NoteProperty -Name Count -Value $groupInfo.Count -PassThru
        }
    }
    
    Invoke-Command -ComputerName (Get-Content C:\test_servers.txt) -Command $remoteScriptBlock |
    Format-List |
    Out-File c:\test_eventlog_group.txt
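    The grouping step from Dave's answer, as an added example that is not code from this thread: the Group-Object / Count logic is wrapped in a function and run over constructed sample events so it can be tried offline without Get-EventLog or remote servers. The function name Get-RepeatedEvent, the sample event objects and the Count-descending sort are assumptions made for this example; the last comment shows how the same function would sit in the real pipeline. It uses Select-Object with a calculated property instead of Add-Member so the original event objects are left untouched.

    ```powershell
    # Added example (not from the thread). Groups events by EventID and Source and
    # returns one object per group: the first event of the group plus a Count property.
    function Get-RepeatedEvent {
        [CmdletBinding()]
        param(
            [Parameter(Mandatory, ValueFromPipeline)]
            [object[]]$InputEvent
        )
        begin   { $all = [System.Collections.Generic.List[object]]::new() }
        process { $all.AddRange($InputEvent) }
        end {
            $all |
                Group-Object -Property EventID, Source |
                ForEach-Object {
                    # Capture the group size; $_ inside the calculated property is the event, not the group
                    $count = $_.Count
                    $_.Group[0] |
                        Select-Object MachineName, EntryType, Message, Source, EventID,
                            @{ Name = 'Count'; Expression = { $count } }
                } |
                Sort-Object -Property Count -Descending   # noisiest repeats first (assumption)
        }
    }

    # Constructed sample events standing in for Get-EventLog output (not real log data).
    $sampleEvents = @(
        [pscustomobject]@{ MachineName = 'SERVER1'; EntryType = 'Information'
                           Message = 'Security policy in the Group policy objects has been applied successfully.'
                           Source = 'SceCli'; EventID = 1704 }
        [pscustomobject]@{ MachineName = 'SERVER1'; EntryType = 'Information'
                           Message = 'Security policy in the Group policy objects has been applied successfully.'
                           Source = 'SceCli'; EventID = 1704 }
        [pscustomobject]@{ MachineName = 'SERVER1'; EntryType = 'Information'
                           Message = 'Security policy in the Group policy objects has been applied successfully.'
                           Source = 'SceCli'; EventID = 1704 }
        [pscustomobject]@{ MachineName = 'SERVER1'; EntryType = 'Error'
                           Message = 'Faulting application name: example.exe (constructed message)'
                           Source = 'Application Error'; EventID = 1000 }
        # Same EventID as above but a different Source: grouping on both keeps these apart
        [pscustomobject]@{ MachineName = 'SERVER1'; EntryType = 'Warning'
                           Message = 'Constructed warning with a reused event id'
                           Source = 'ExampleSource'; EventID = 1000 }
    )

    # Expected: three groups, SceCli/1704 with Count 3, the two 1000-id events counted separately.
    $sampleEvents | Get-RepeatedEvent | Format-List

    # In the real pipeline, inside the remote script block, the function replaces the
    # Group-Object/ForEach-Object stage from the answer above:
    # Get-EventLog -LogName Application -EntryType Error, Warning, Information -After (Get-Date).AddHours(-24) |
    #     Select-Object MachineName, EntryType, Message, Source, EventID |
    #     Get-RepeatedEvent | Format-List
    ```

    Because the function collects everything in `begin`/`process`/`end` before grouping, it should run inside the remote script block (as Dave's edit notes) so that only the already-summarised objects cross the network rather than every raw event.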
  • #11150

    John K
    Participant

    Thanks Dave, I really appreciate your help.

    I'll try and give this a test this afternoon. No doubt I'll have more questions 🙂

  • #11807

    John K
    Participant

    Hi Dave,

    I tested this script and it works perfectly. Once again thanks for your time and sharing your knowledge.

    Regards,

    John.
