
Monday, January 6, 2014

Part-7: Working with Event Logs using PowerShell :- Clearing Event Entries and Removing Event Log.

 

Part-1: Working with Event Logs using PowerShell

Part–2 : Working with Event Logs using PowerShell :- Get-EventLog

Part–3 : Working with Event Logs using PowerShell :- Get-EventLog

Part–4 : Working with Event Logs using PowerShell :- Get-WinEvent

Part–5 : Working with Event Logs using PowerShell :- Get-WinEvent

Part–6 : Working with Event Logs using PowerShell :- Creating New Event Logs and Event Entries

 

 

 

In my previous post we talked about the usage of New-EventLog and Write-EventLog, and we are almost at the completion of this series.

Today we are going to use two more PowerShell cmdlets, Clear-EventLog and Remove-EventLog.

 

Clear-EventLog

 

It’s a very simple cmdlet: if you want to clear all event entries from an event log, use Clear-EventLog to clear it.

In our “MyPoshShell” event log, you can see there are 4 event entries. Let’s clear our event log.

Note: You have to run these cmdlets as Administrator.


 

Clear-EventLog -LogName 'MyPoshShell'

 


 

Now let’s see if our log is cleared or not, and indeed it is. You can see there are no event entries in the log now.


 

 

Remove-EventLog

 

It’s another straightforward cmdlet like Clear-EventLog, and its usage is very simple: type the cmdlet and provide the name of the event log which you want to delete.

This cmdlet removes the complete log, not just its entries.

Let’s remove our previously created “MyPoshShell” log.

Remove-EventLog -LogName 'MyPoshShell'

Once you run the cmdlet, open Event Viewer and see if the log is still there ;o) .


When you check, our “MyPoshShell” log is not there anymore.
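An added example, not from the original post, that wraps Clear-EventLog and Remove-EventLog the way I would use them on a server: it refuses to touch the built-in Windows logs, checks that the log exists, and exports the entries to an .evtx file with wevtutil before anything is cleared or deleted. The function name Reset-CustomEventLog and the backup folder C:\EventLogBackups are my own choices.

```powershell
# Added example (not from the original post). Reset-CustomEventLog and the
# default backup folder are my own choices; run it from an elevated session.
function Reset-CustomEventLog {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [string]$BackupFolder = 'C:\EventLogBackups',
        [switch]$Remove        # delete the whole log instead of only clearing it
    )

    # Never clear or delete the Windows logs that auditing and troubleshooting rely on.
    if (@('Application', 'System', 'Security', 'Setup') -contains $LogName) {
        throw "Refusing to clear or remove the built-in '$LogName' log."
    }
    if (-not [System.Diagnostics.EventLog]::Exists($LogName)) {
        throw "Event log '$LogName' does not exist on this computer."
    }

    # Keep a copy of the entries first: 'wevtutil epl' (export-log) writes a native .evtx file.
    New-Item -ItemType Directory -Path $BackupFolder -Force | Out-Null
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $BackupFolder "$LogName-$stamp.evtx"
    wevtutil.exe epl $LogName $backup
    if ($LASTEXITCODE -ne 0) {
        throw "Export of '$LogName' failed; nothing was cleared or removed."
    }

    if ($Remove) {
        Remove-EventLog -LogName $LogName
        "Removed log '$LogName' (backup: $backup)"
    }
    else {
        Clear-EventLog -LogName $LogName
        "Cleared log '$LogName' (backup: $backup)"
    }
}

# The two steps from this post, each with a backup taken first:
Reset-CustomEventLog -LogName 'MyPoshShell'            # clear the entries only
Reset-CustomEventLog -LogName 'MyPoshShell' -Remove    # export, then delete the log
```

The exported file can be opened again later with Get-WinEvent -Path, so clearing a log no longer means losing what was in it.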


 

 

I hope you have enjoyed this series.

I hope to come back soon with another series.

 

Regards
Aman Dhally

 

               

Friday, January 3, 2014

Part– 6 : Working with Event Logs using PowerShell :- Creating New Event Logs and Event Entries.





Yesterday, I blogged about using –FilterXML and –FilterHashTable parameters in the Get-WinEvent cmdlet.
Today we are going to use two new cmdlets, New-EventLog and Write-EventLog.

New-EventLog


Have you ever wished to create a separate event log in Event Viewer, so that you can log all of your event entries there? If yes, this post is for you.

Creating a new separate event log is a very simple and straightforward task. You just need to use the New-EventLog cmdlet with the –LogName parameter to provide a name for the new event log, and the –Source parameter to provide the source whose entries should be written into this log.
New-EventLog -LogName "MyPoshShell" -Source "Scripts"
Did you get an error when you ran the above command? Yes, you have to run PowerShell as Administrator to create a new log.

Run PowerShell as Administrator and run the above command again, and you can see there are no errors.

Now let’s open Event Viewer and see if our new event log has been created yet or not. You can see below that it is there, but with no event log entries.

Now let’s write some event entries in the event log.

Write-EventLog


To write event entries in event log, we have to use Write-EventLog cmdlet.
Writing your own event entries in your own event log is a good idea when you want to capture some information from a script.
Sometimes you may want to create an event entry when your PowerShell script is unable to take a backup, or is not able to ping a server, and you want to record those outputs or results for future reference.
Note:- When you use Write-EventLog to create an event log entry, make sure you use the same –Source name which you used earlier when creating the new event log, otherwise you will get the error below.

Now let’s create a new event log entry in our “MyPoshShell” log, with a Source of “Scripts”, an Entry Type of “Information”, an Event ID of “1” and a normal message saying that “Script for backing up data works successfully”.

Write-EventLog -LogName "MyPoshShell" -Source "Scripts" -EntryType 4 -EventId 1 -Message "Script for backing up data, works successfully"
And let’s see if this entry has been created in our “MyPoshShell” log; you can see it’s there.


Now, let’s create another event log entry with an error message.
We didn’t change anything except the Entry Type, the Event ID and the message.
Write-EventLog -LogName "MyPoshShell" -Source "Scripts" -EntryType 1 -EventId 9 -Message "Pinging Local DC from script failed, Please contact the INFRA team"

And you can see the event entry is created.
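An added example, not from the original post, that turns the two Write-EventLog calls above into a small pattern for scripts: a wrapper that checks the source is registered before writing (avoiding the –Source error mentioned above) and a helper that logs an Information entry when a task succeeds and an Error entry when it throws. The function names Write-ScriptEvent and Invoke-LoggedTask, the paths C:\Data and D:\Backup, and the host name dc01.example.local are my own placeholders.

```powershell
# Added example (not from the original post). Function names, paths and the
# DC host name are my own placeholders; log and source match the post.
function Write-ScriptEvent {
    param(
        [Parameter(Mandatory)][string]$Message,
        [ValidateSet('Information', 'Warning', 'Error')][string]$EntryType = 'Information',
        [int]$EventId = 1,
        [string]$LogName = 'MyPoshShell',
        [string]$Source  = 'Scripts'
    )
    # Write-EventLog fails when the source was never registered, so register it
    # (needs an elevated session) instead of hitting the error shown in the post.
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName $LogName -Source $Source
    }
    Write-EventLog -LogName $LogName -Source $Source -EntryType $EntryType -EventId $EventId -Message $Message
}

function Invoke-LoggedTask {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][scriptblock]$Task,
        [int]$SuccessId = 1,     # same IDs as the two entries in the post
        [int]$FailureId = 9
    )
    try {
        $null = & $Task
        Write-ScriptEvent -EventId $SuccessId -Message "$Name completed successfully."
        return $true
    }
    catch {
        # The exception text goes into the entry so the Event Viewer shows why it failed.
        Write-ScriptEvent -EntryType Error -EventId $FailureId -Message "$Name failed: $($_.Exception.Message)"
        return $false
    }
}

# The two cases from the post: a backup that works and a DC ping that fails.
Invoke-LoggedTask -Name 'Backup of data' -Task { Copy-Item 'C:\Data' 'D:\Backup' -Recurse -ErrorAction Stop }
Invoke-LoggedTask -Name 'Ping of local DC' -Task {
    if (-not (Test-Connection -ComputerName 'dc01.example.local' -Count 1 -Quiet)) {
        throw 'Pinging local DC from script failed, please contact the INFRA team'
    }
}
```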
That’s all for today.
See you in the next blog article.

Regards
Aman Dhally

Thursday, January 2, 2014

Part– 5 : Working with Event Logs using PowerShell :- Get-WinEvent

 

 

Part-1: Working with Event Logs using PowerShell

Part–2 : Working with Event Logs using PowerShell :- Get-EventLog

Part–3 : Working with Event Logs using PowerShell :- Get-EventLog

Part–4 : Working with Event Logs using PowerShell :- Get-EventLog

 

Before I start writing this article, I want to wish you a very “Happy New Year 2014”. I wish that in this New Year we all may manage to go home early, with no server crashes and no cancelling of movie tickets or holidays because of our beloved core servers. No more waking up late at night, no bugs in programs, no disk array crashes. (Am I asking for too much? Nope.)

I have been very lazy in November and December because of lots of vacations and being busy with family.

It’s the New Year and it’s time for me to start posting articles and blog posts at the same pace as I was doing before.

This post is a part of our “Managing Event viewer using PowerShell” series.

Today we are going to use the two best parameters of the Get-WinEvent cmdlet: the first is –FilterHashTable and the second is –FilterXML.

 

-FilterHashTable

We can query event logs by writing a small hash table filter query. It is a combination of key=value pairs, it is case sensitive, and we can use the following keys:

· LogName
· ProviderName
· Path
· Keywords
· ID
· Level
· StartTime
· EndTime
· UserID
· Data
· *

Let’s create a small hash table to query the DHCP log and find the errors created within the last 2 months.

 

$twoMonths = (Get-Date).AddDays(-60)

Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Dhcp-Client/Admin'
    Level     = 2
    StartTime = $twoMonths
}

 

Simple, isn’t it?
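An added example, not from the original post, that wraps the hash table query above into a reusable function: it checks that the log name exists, accepts several Level and ID values at once (the hash table values can be arrays), and returns an empty result instead of an error when nothing matches. The function name Get-RecentLogErrors and its parameters are my own.

```powershell
# Added example (not from the original post). Get-RecentLogErrors is my own name.
function Get-RecentLogErrors {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [int]$Days = 60,
        # Level values: 1 = Critical, 2 = Error, 3 = Warning, 4 = Information, 5 = Verbose
        [int[]]$Level = @(1, 2),
        [int[]]$Id,
        [int]$MaxEvents = 50
    )

    # Fail loudly for a misspelled log name instead of silently returning nothing.
    $null = Get-WinEvent -ListLog $LogName -ErrorAction Stop

    # Same keys as the hash table in the post; Level and ID may hold several values.
    $filter = @{
        LogName   = $LogName
        Level     = $Level
        StartTime = (Get-Date).AddDays(-$Days)
    }
    if ($Id) { $filter['ID'] = $Id }

    # Get-WinEvent reports "No events were found" as an error when nothing matches;
    # for a report that is an empty result, not a failure, so that error is suppressed.
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message
}

# The post's query (DHCP client errors of the last 60 days), plus Critical events:
Get-RecentLogErrors -LogName 'Microsoft-Windows-Dhcp-Client/Admin'

# Warnings and errors from the last week, limited to a few event IDs (example IDs):
Get-RecentLogErrors -LogName 'Microsoft-Windows-Dhcp-Client/Admin' -Days 7 -Level 2, 3 -Id 1001, 1002
```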


-FilterXML

We can also query event logs using XML (if you love XML); to query in XML, we have to use the –FilterXML parameter.

Now the question arises: do we need to learn XML first before using this parameter? Actually, NO!!! We are allowed to do a little bit of cheating here. Let me show you how.

How to create a xml query filter for event logs?

1. To create an XML query filter, open Event Viewer and click on the log on which you want to run the XML query later on.

2. Now click on “Filter Current Log”.

3. Now choose what you want to query and filter. I am creating a filter to show me all events created after 1st Nov 2013 whose level is “Error”.

4. Now click on the XML tab and copy all the text shown there.

5. Now open your favourite PowerShell IDE and type Get-WinEvent –FilterXML “ ”, with empty opening and closing double quotes.

6. Now paste the XML text (which we copied from Event Viewer) in between the double quotes.

7. Replace all double quotes in the XML text with single quotes (you can also do this before pasting the XML data here).

8. Now your data should look like this.

9. Now run the command and you can see the output below.

 

Get-WinEvent -FilterXml "
<QueryList>
  <Query Id='0' Path='Microsoft-Windows-Dhcp-Client/Admin'>
    <Select Path='Microsoft-Windows-Dhcp-Client/Admin'>*[System[(Level=2) and TimeCreated[@SystemTime&gt;='2013-11-01T08:24:06.000Z']]]</Select>
  </Query>
</QueryList>
"
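An added example, not from the original post, that builds the same XML query from a PowerShell here-string: the double quotes copied from Event Viewer can stay as they are (so the quote-replacing step above is no longer needed), and the cut-off time is computed in UTC instead of hard-coded. The function name New-LevelSinceQuery is my own.

```powershell
# Added example (not from the original post). New-LevelSinceQuery is my own name.
function New-LevelSinceQuery {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [Parameter(Mandatory)][datetime]$Since,
        [int]$Level = 2          # 2 = Error, the same level as the post's filter
    )
    # Event Viewer compares @SystemTime in UTC, so convert the local time first.
    $utc = $Since.ToUniversalTime().ToString("yyyy-MM-dd'T'HH:mm:ss.fff'Z'")

    # An expandable here-string keeps the XML's own double quotes intact and
    # only substitutes $LogName, $Level and $utc. '&gt;=' is the XML escape
    # for '>=' and must stay escaped inside the query.
    @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">*[System[(Level=$Level) and TimeCreated[@SystemTime&gt;='$utc']]]</Select>
  </Query>
</QueryList>
"@
}

# Same query as the post: DHCP client errors since 1st Nov 2013.
$xml = New-LevelSinceQuery -LogName 'Microsoft-Windows-Dhcp-Client/Admin' -Since (Get-Date '2013-11-01')

# Get-WinEvent reports an error when no event matches; for a report treat that as "nothing found".
Get-WinEvent -FilterXml $xml -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message
```

Changing -Since to (Get-Date).AddDays(-60) gives the rolling two-month window of the –FilterHashTable example, so both parameters end up answering the same question.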


I hope you enjoyed this post.

 

See you in the next blog post.

 

Regards

Aman Dhally
