Need Help on Comparing Event Logs Dates and Times

This topic contains 0 replies, has 1 voice, and was last updated by Profile photo of Forums Archives Forums Archives 5 years, 3 months ago.

  • Author
    Posts
  • #5216

    by jawhitm at 2012-10-20 03:20:24

    Hello everyone,

    I am looking for some guideance. I am looking to use powershell to alert me if a specific event has occurred in the event log. I know how to get the timegenerated and the message of the event log so that isn't a problem.

    My problem is this:

    1. I am going to record the time generated of the first event found that matches my criteria (I am looking for a specific phrase in the event log)
    2. Since I do not want to get alerted every 2 minutes that it is occurring I only want to be re-alerted IF the event is greater than 2 hours.

    So that is my problem is comparing the two times and determining if it is greater than 2 hours since the last alert recorded in the event log.

    For example if the text file of the alert that last alerted was listed in the file as:

    Saturday, October 20, 2012 2:31:11 AM

    and the script checks the event log again and it found another event and that Time generated says

    Saturday, October 20, 2012 2:41:11 AM

    I don't want it to do anything because it already alerted within a 2 hour period

    Now if it was

    Saturday, October 20, 2012 2:31:11 AM

    and the new event says

    Saturday, October 20, 2012 4:35:10 AM

    then it will alert again because the alert is over 2 hours.

    Now this is where I have a problem.

    1. How can I compare these two dates and times and determine if it is within 2 hours or if it is greater than 2 hours

    Now the next issue

    If the first alert occurred on a different date like 10/19/2012 at 12:59am then I don't want it to realert at 1:00am because the time thinks it is more than 2 hours.

    Hope this information helps what i am trying to do. I am just looking for how to compare to event log time generated and determine if it is greater than 2 hours. I know how to do everything else this is just the last thing remaining.

    Thank you everyone.

    by megamorf at 2012-10-20 15:07:44

    You could do it like so:

    Let's generate two dates, one which will be within the specified 2 hour range and one won't.

    #Base date to generate two test dates
    $date = get-date
    $date

    Saturday, 20. October 2012 23:51:15

    $dateCheckFails = $date.AddHours(1) #0:51 - event occurs after $lastevent
    $dateCheckSucceeds = $date.AddHours(3) #2:51 - event occurs after $lastevent
    $lastEvent = get-date #23:52

    # This check will resolve to negative because the date difference is less than two hours
    if($dateCheckFails -gt $lastevent.AddHours(2)){"positive"}else{"negative"}
    negative

    # This, however, will return positive because this alarm was recorded more than 2 hours after $lastevent
    if($dateChecksucceeds -gt $lastevent.AddHours(2)){"positive"}else{"negative"}
    positive

    by Jason_Yoder_MCT at 2012-10-21 11:45:40

    Hi Jawhitm,

    I think this will help.
    Function Get-EventTimeSpan
    {
    Param (
    [Parameter(Mandatory=$True)]$Hours
    )
    # Specify the criteria for your event here.
    $EventHash = @{LogName = "System"; ID = 1014}

    # Recover the first two events from the event log that matches
    # the criteria in the $EventHash data.
    $EventData = Get-WinEvent -FilterHashtable $EventHash -MaxEvents 2

    # Verify that at least two events were recovered from the log.
    # If there are less than 2 events recovered, Execute the ELSE
    # Statement. The Else statement should execute code if only one
    # or less events are found.
    If ($EventData.Count -eq 2)
    {
    If ((($EventData[0].TimeCreated).Subtract(($EventData[1].TimeCreated)).TotalHours) -lt $Hours)
    {
    # Return $False if the time between events is less than the
    # number of hours specified in $Hours.
    Write-Output $False
    }
    Else
    {
    # Return $False if the time between events is greater than the
    # number of hours specified in $Hours.
    Write-Output $True
    }
    } # End: If ($EventData.Count -lt 2)
    Else
    {
    #If there are less than 2 events in the event log, return $False
    Write-Output $False
    } # End: Else Statement for If ($EventData.Count -lt 2)

    } # ---- End Function Get-EventTimeSpan ---------------------------------------

    You can place this code at the start of your own code. It is a function that will stay in memory while your script is running.

    To use it, you simply call the name of the function followed by an integer that represents the number of hours you are interested in.

    Get-EventTimeSpan 2

    This example will return True if the time between events is greater than 2 hours. If it is less than 2 hours or if less than 2 events are in your event logs that meet your criteria, than False will be returned.

    In your code, you can test for True with this code.
    If (Get-EventTimeSpan 2)
    {
    Write-Host "Take Action"
    }

    Replace the Write-Host statement with what you need to accomplish.
    This code has some flexibility built into it using the –FilterHashTable parameter of Get-WinEvent. If you need help with the –FilterHashTable parameter, take a look at
    Get-Help Get-WinEvent –Parameter FilterHashTable.
    The Value key-value pairs should be what you are looking for.

    Thank you for making my long flight from Seattle to Newark a bit more interesting. Let me know if this helps.
    Jason

    by jawhitm at 2012-10-30 02:28:14

    Thank you for the suggestions. It really helped and it is working as expected

You must be logged in to reply to this topic.