Read selected events from the event log

This topic contains 5 replies, has 4 voices, and was last updated by Shack 4 years, 5 months ago.

  • #7663

    Shack
    Participant

    I am new to PowerShell and need some help. I am creating a script to be run as a scheduled task at startup to look for event log entries of unexpected shutdown. I am only interested in the events that occurred within the last hour of startup. If an event is found, an email is sent to the helpdesk. The script I created works if an entry exists but errors if it does not. It fails because nothing is found to assign to the variable. How can I handle that situation?

    $UnexpectedReboot=Get-EventLog -LogName System -EntryType Error -Source EventLog -After (Get-Date).AddHours(-1) -Newest 1
    Send-MailMessage -To Helpdesk@company.com -From "UnexpectedShutdown@company.com" -SmtpServer mailserver.company.com -Subject "Unexpected shutdown: $env:COMPUTERNAME" -Body $UnexpectedReboot.Message

    The error is:

    Get-EventLog : No matches found
    At line:1 char:19
    + $UnexpectedReboot=Get-EventLog -LogName System -EntryType Error -Source EventLog ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (:) [Get-EventLog], ArgumentException
    + FullyQualifiedErrorId : GetEventLogNoEntriesFound,Microsoft.PowerShell.Commands.GetEventLogCommand

  • #7667

    Don Jones
    Keymaster

    It depends on what you'd like to do. You could add -ErrorAction SilentlyContinue to the command, which will suppress the error. You could then check and see if $UnexpectedReboot was empty or not. That'll probably be difficult to do in a one-liner; this would be easier for you if you broke these commands out into a short script.

  • #7677

    Art Beane
    Member

    An alternative would be to add -ErrorAction Stop to your Get-EventLog call and enclose the scriptlet in a Try/Catch block. Since you want to ignore the case where no unexpected reboot occurred, the catch block can be empty.

  • #7678

    Shack
    Participant

    Thank you, Don and Art. I tried Stop first since it was the shorter solution and I believe in KISS. But it still returned an error. I don't like errors even if they don't affect the result. SilentlyContinue did not return an error. I solved the problem of $UnexpectedReboot being empty with an If statement. Here is my solution:

    $UnexpectedReboot=Get-EventLog -LogName System -EntryType Error -Source EventLog -After (Get-Date).AddHours(-1) -Newest 1 -ErrorAction SilentlyContinue
    If ($UnexpectedReboot -ne $null) {Send-MailMessage -To Helpdesk@company.com -From "UnexpectedShutdown@company.com" -SmtpServer mailserver.company.com -Subject "Unexpected shutdown: $env:COMPUTERNAME" -Body $UnexpectedReboot.Message}

    Don, since I am new to PowerShell I am going to try to break this out into a short script for practice and experience.

    This was a good problem for me.  I learned something!

  • #7700

    JasonMorgan
    Member

    Two things pop for me right away:

    If ($UnexpectedReboot -ne $Null)

    can be replaced with

    if ($Unexpectedreboot)

    The second option will always return true if the variable has a value other than false.  If it's empty then it won't go through.

     

    The other thing is, are you sure that you're getting the right event log information? It might be better to look for a particular event ID. Right now you're just pulling any error in the system log that happened within the hour before the script was run.

  • #7708

    Shack
    Participant

    Don, I wrote it as a script.  It makes it a lot more readable.  Thank you for the suggestion.
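
Added example, not code from any poster in this thread: a script version that combines the -ErrorAction Stop / Try/Catch approach with the event ID filter suggested above, and swallows only the "No matches found" error so that other failures (access denied, log unavailable) are not mistaken for "no shutdown". Assumptions: event ID 6008 from source EventLog is the unexpected-shutdown record, and the function name Get-UnexpectedShutdownEvent is hypothetical; the mail settings are the ones from the original post.

```powershell
# Added example. Assumption: 6008 (source EventLog) is the
# "previous system shutdown was unexpected" record.
$ShutdownEventId = 6008
$Since = (Get-Date).AddHours(-1)

function Get-UnexpectedShutdownEvent {   # hypothetical helper name
    param([datetime]$After, [int]$EventId)
    try {
        # -ErrorAction Stop makes "No matches found" a catchable error.
        # No -Newest here: the EventID filter has to see every candidate,
        # otherwise an unrelated newer error would hide the shutdown record.
        Get-EventLog -LogName System -EntryType Error -Source EventLog `
                     -After $After -ErrorAction Stop |
            Where-Object { $_.EventID -eq $EventId } |
            Select-Object -First 1
    }
    catch {
        # Ignore only the error shown in the original post
        # (FullyQualifiedErrorId begins with GetEventLogNoEntriesFound).
        if ($_.FullyQualifiedErrorId -like 'GetEventLogNoEntriesFound*') {
            return
        }
        # Anything else means the check itself failed; let it surface so
        # the scheduled task reports a failure instead of staying silent.
        throw
    }
}

$shutdown = Get-UnexpectedShutdownEvent -After $Since -EventId $ShutdownEventId

if ($shutdown) {
    $mail = @{
        To          = 'Helpdesk@company.com'
        From        = 'UnexpectedShutdown@company.com'
        SmtpServer  = 'mailserver.company.com'
        Subject     = "Unexpected shutdown: $env:COMPUTERNAME"
        Body        = "$($shutdown.TimeGenerated): $($shutdown.Message)"
        ErrorAction = 'Stop'   # a failed alert should fail the task too
    }
    Send-MailMessage @mail
}
```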
