Wevtutil to output only new event logs - powershell

I run the command wevtutil qe Application /rd:false /f:text and I get the output shown below. After some time, new event log entries could have been generated, and I want to read only these new entries, i.e. Event[2], Event[3], Event[4], etc.
How can I use wevtutil tool to generate only these new event logs?
Event[0]:
Log Name: Application
Source: Microsoft-Windows-LoadPerf
Date: 2016-04-21T23:15:16.832
Event ID: 1000
Task: N/A
Level: Information
Opcode: Info
Keyword: N/A
User: S-1-5-18
User Name: NT AUTHORITY\SYSTEM
Computer: WIN-IONOGQTF9O5
Description:
Performance counters for the WmiApRpl (WmiApRpl) service were loaded successfully. The Record Data in the data section contains the new index values assigned to this service.
Event[1]:
Log Name: Application
Source: Microsoft-Windows-LoadPerf
Date: 2016-04-21T23:15:13.097
Event ID: 3011
Task: N/A
Level: Information
Opcode: Info
Keyword: N/A
User: S-1-5-18
User Name: NT AUTHORITY\SYSTEM
Computer: WIN-IONOGQTF9O5
Description:
Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.

wevtutil is not PowerShell, so I was misled. However, you could just do this:
Get-EventLog -LogName Application -After (Get-Date).AddDays(-1)

/rd:false will read the oldest first, so if you're looking for the newest it may not be the best query.
I'm not aware of a read/unread tag for event logs; you could create a custom object and add one, but that may not be the best way to go about it.
You can also do the below:
$lastRanDate = "2018-11-30T17:20:55" ## import from a txt file
$date = Get-Date -UFormat %Y-%m-%dT%H:%M:%S
## Gets the current date and formats it as in the following example: 2018-12-01T17:17:45
$difference = New-TimeSpan -Start $lastRanDate -End $date
## Calculate the difference between start time and end time
$difference = [long]$difference.TotalMilliseconds
## timediff() in the XPath query works in milliseconds, so pass a whole number
wevtutil epl Application "C:\Users\Pipastrilo\Desktop\appTest.evtx" /q:"*[System[TimeCreated[timediff(@SystemTime) <= $difference]]]"
## exportLog logName Path query (TimeCreated between now and how many milliseconds ago)
$lastRanDate = $date
## export $lastRanDate for future searches
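An added example, not code from either answer above: instead of a wall-clock cursor, key the incremental read on EventRecordID. Record IDs are per-channel and monotonically increasing, so "greater than the last seen ID" returns exactly the records written since the previous run, with no gaps when several events share a timestamp and no dependence on the clock; the only reset is when the log is cleared, which the script detects and reports. The state-file location is an assumption; the same XPath filter works with wevtutil, as shown in the trailing comment.

```powershell
# Added example (not from the original answers): incremental reads of the
# Application log keyed on EventRecordID instead of wall-clock time.
# Assumption: the state file path below is illustrative.
$LogName   = 'Application'
$StateFile = Join-Path $env:ProgramData 'EventCursor\Application.recordid'   # assumed path

function Get-LastRecordId {
    param([string]$Path)
    if (Test-Path -LiteralPath $Path) {
        return [int64](Get-Content -LiteralPath $Path -Raw).Trim()
    }
    return 0
}

function Get-NewEvents {
    param([string]$Log, [int64]$AfterRecordId)
    # EventRecordID is per-channel and monotonic, so "> cursor" is exactly
    # "everything written since the last run", regardless of timestamps.
    $xpath = "*[System[EventRecordID > $AfterRecordId]]"
    Get-WinEvent -LogName $Log -FilterXPath $xpath -Oldest -ErrorAction SilentlyContinue
}

$cursor = Get-LastRecordId -Path $StateFile
$new    = @(Get-NewEvents -Log $LogName -AfterRecordId $cursor)

if ($new.Count -gt 0) {
    $new |
        Select-Object RecordId, TimeCreated, Id, ProviderName, LevelDisplayName,
            @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize

    # Advance the cursor only after the events have actually been consumed.
    $newest = ($new | Measure-Object -Property RecordId -Maximum).Maximum
    New-Item -ItemType Directory -Path (Split-Path $StateFile) -Force | Out-Null
    Set-Content -LiteralPath $StateFile -Value $newest
}
elseif ($cursor -gt 0) {
    # No records above the cursor: either nothing happened, or the log was cleared
    # and numbering restarted. The newest record tells the two cases apart.
    $latest = Get-WinEvent -LogName $LogName -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($latest -and $latest.RecordId -lt $cursor) {
        Write-Warning "$LogName was cleared since the last run (newest RecordId $($latest.RecordId) < cursor $cursor); resetting cursor."
        Set-Content -LiteralPath $StateFile -Value 0
    }
}

# The same filter with wevtutil instead of Get-WinEvent:
# wevtutil qe Application /q:"*[System[EventRecordID > $cursor]]" /f:text
```

Run it from a scheduled task and each invocation prints only the records added since the previous one. A cleared log is worth more than a warning in practice: on the Security channel the clear itself is recorded as event 1102, and on System as 104, so a cursor reset is a signal to look at who cleared it.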

Related

PowerShell Import-Csv and get the latest date

I'm importing a CSV file and I need to return the most recent logged in date for a specific hostname. Any ideas? I've been trying to group objects and run a for-each on them but I can't manage to pull the latest. Here's an example of the data:
e.g. for mypc1 I want to return an object that includes the hostname, username and also the date of the latest login. In this case 2022-08-15 07:51:51.
Computer Name    Username    Date
mypc1            jcitizen    2022-07-06 18:00:20
mypc1            bmcgee      2022-08-15 07:51:51
mypc1            jmarsh      2021-05-25 12:49:14
mypc2            jmarsh      2022-08-12 07:45:55
mypc2            jsmith      2022-03-12 07:00:07
mypc3            osmith      2022-08-08 08:36:03
mypc3            moliver     2022-08-08 07:37:27
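An added example, not an answer from the thread: group the rows by host and keep the most recent login per host, parsing the timestamp explicitly rather than comparing strings. The CSV text is constructed from the rows shown in the question so the script runs offline; with a real file, swap the ConvertFrom-Csv call for Import-Csv.

```powershell
# Added example (not part of the original question): latest login per host.
# The CSV below is constructed from the rows shown in the question.
$csvText = @'
"Computer Name","Username","Date"
"mypc1","jcitizen","2022-07-06 18:00:20"
"mypc1","bmcgee","2022-08-15 07:51:51"
"mypc1","jmarsh","2021-05-25 12:49:14"
"mypc2","jmarsh","2022-08-12 07:45:55"
"mypc2","jsmith","2022-03-12 07:00:07"
"mypc3","osmith","2022-08-08 08:36:03"
"mypc3","moliver","2022-08-08 07:37:27"
'@

function Get-LatestLogon {
    param(
        [Parameter(Mandatory)] [object[]]$Rows,
        [string]$Hostname                      # optional: restrict to one host
    )
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    $Rows |
        Where-Object { -not $Hostname -or $_.'Computer Name' -eq $Hostname } |
        ForEach-Object {
            # Parse the timestamp with an explicit format. Sorting the raw strings
            # only works by accident of this yyyy-MM-dd layout; a dd/MM/yyyy export
            # from the same tool would sort wrongly.
            [pscustomobject]@{
                Hostname = $_.'Computer Name'
                Username = $_.Username
                Date     = [datetime]::ParseExact($_.Date, 'yyyy-MM-dd HH:mm:ss', $culture)
            }
        } |
        Group-Object Hostname |
        ForEach-Object {
            $_.Group | Sort-Object Date -Descending | Select-Object -First 1
        }
}

$rows = $csvText | ConvertFrom-Csv
Get-LatestLogon -Rows $rows -Hostname 'mypc1'
Get-LatestLogon -Rows $rows

# With a real file:
# Get-LatestLogon -Rows (Import-Csv -Path .\logons.csv) -Hostname mypc1
```

For mypc1 this yields bmcgee at 2022-08-15 07:51:51, the result the question asks for; without -Hostname it returns one row per host.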

Parsing Windows Defender event log in PowerShell

I need to parse Windows Defender event log. With this command
Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" | Where-Object { $_.LevelDisplayName -ne "Information" } | Select-Object -ExpandProperty Message
I get this output:
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/TFTPD32&threatid=12892&enterprise=0
Name: Trojan:Win32/TFTPD32
ID: 12892
Severity: Severe
Category: Trojan
Path: file:_\\server\share\path\file1.exe::$DATA; file:_\\server\share\path\file2.exe::$DATA; file:_\\server\share\path\file3.exe::$DATA;
Detection Origin: Network share
Detection Type: Concrete
Detection Source: Real-Time Protection
User: DOMAIN\user
Process Name: C:\Windows\SMSProxy\Microsoft.StorageMigration.Proxy.Service.exe
Signature Version: AV: 1.335.1263.0, AS: 1.335.1263.0, NIS: 1.335.1263.0
Engine Version: AM: 1.1.18000.5, NIS: 1.1.18000.5
When there are multiple files and the line starting with Path: is very long, it is truncated. Not the message property, but only the line.
When I see the record using Event Log viewer, the line is complete.
Is there a way to get full length of the line?
I need to get lines with Name: and Path: from the Message property (multi-line string) only.
How can I get it using e.g. RegEx ^\s+(Name|Path): ?
Update:
I mismatched event log records; even in Event Viewer the Path line is truncated.
The second part of the question remains: How to get only some lines from multiline property?
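An added example, not an answer from the thread, covering both halves of the question. Get-DefenderFields extracts only the Name: and Path: lines from the multi-line Message with a (?m) regex and splits the semicolon-separated Path list; the sample message is constructed from the output shown above. Get-DefenderDetections then reads the same values from the EventData fields of the event XML, which are independent of how the Message text is rendered. The EventData field names used ('Threat Name', 'Path', 'Detection User', 'Process Name') are as they appear in the event XML on a current Defender build; verify them against ToXml() output on your own host.

```powershell
# Added example (not from the original question): pull Name/Path out of Defender
# detection events. The sample message is constructed from the question's output.
$sampleMessage = @'
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/TFTPD32&threatid=12892&enterprise=0
	Name: Trojan:Win32/TFTPD32
	ID: 12892
	Severity: Severe
	Category: Trojan
	Path: file:_\\server\share\path\file1.exe::$DATA; file:_\\server\share\path\file2.exe::$DATA; file:_\\server\share\path\file3.exe::$DATA;
	Detection Origin: Network share
	Detection Type: Concrete
	Detection Source: Real-Time Protection
	User: DOMAIN\user
	Process Name: C:\Windows\SMSProxy\Microsoft.StorageMigration.Proxy.Service.exe
'@

function Get-DefenderFields {
    param(
        [Parameter(Mandatory)][string]$Message,
        [string[]]$Fields = @('Name', 'Path')
    )
    $result  = [ordered]@{}
    $alts    = ($Fields | ForEach-Object { [regex]::Escape($_) }) -join '|'
    # ^ anchors each label at the start of its own line (after indentation), so
    # "Name:" matches but "Process Name:" does not. (?m) makes ^/$ per-line.
    $pattern = "(?m)^\s*($alts):\s*(.*?)\s*$"
    foreach ($m in [regex]::Matches($Message, $pattern)) {
        $result[$m.Groups[1].Value] = $m.Groups[2].Value
    }
    # Path carries several "file:_...::$DATA;" entries; return them as a list.
    if ($result.Contains('Path')) {
        $result['Path'] = @($result['Path'] -split ';' |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ })
    }
    [pscustomobject]$result
}

Get-DefenderFields -Message $sampleMessage

# Live query: read the values from EventData rather than the rendered text.
# Field names are as seen in the event XML; confirm with ToXml() on your host.
function Get-DefenderDetections {
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1116, 1117          # detection / action-taken events
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            EventId     = $_.Id
            Name        = $data['Threat Name']
            Path        = $data['Path']
            User        = $data['Detection User']
            Process     = $data['Process Name']
        }
    }
}
```

If the Path value in EventData is also cut short, the truncation happened when Defender wrote the event, and no amount of parsing will recover the missing entries; the per-file information then has to come from Defender's own detection history (Get-MpThreatDetection) rather than the event log.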

Extracting values from AnalyzeComponentStore?

Hello everyone and thanks in advance for the possible answers.
Where I work we have several WS2016 virtual machines, and we read that updates can be a pain because of the very long time they can take, and we can't keep the services down for long (we have several virtual machines to update soon).
In the same thread we read some advice: cleaning the WinSxS folder could drastically reduce this time.
WS2016 already has this scheduled, but it has a 1-hour timeout, so if it takes longer than that the process gets killed.
The solution is to create the schedule manually, so we made a script for this that checks the current date and the last update date and, if the difference is more than 30 days, runs the command:
dism.exe /Online /Cleanup-Image /AnalyzeComponentStore
and then the command:
dism.exe /Online /Cleanup-Image /StartComponentCleanup
Now the real question...One of the results of AnalyzeComponentStore is:
Component Store Cleanup Recommended
And the answer could be Yes or No
Is there a way to check if this value is "Yes" (so launch the StartComponentCleanup) or "No" (so exit from the script)?
Thanks again!
@Doug Maurer...this is the result of the AnalyzeComponentStore
PS C:\> dism.exe /Online /Cleanup-Image /AnalyzeComponentStore
Deployment Image Servicing and Management tool
Version: 10.0.14393.3750
Image Version: 10.0.14393.3241
[===========================99.7%========================= ]
Component Store (WinSxS) information:
Windows Explorer Reported Size of Component Store : 8.08 GB
Actual Size of Component Store : 7.94 GB
Shared with Windows : 6.12 GB
Backups and Disabled Features : 1.49 GB
Cache and Temporary Data : 323.47 MB
Date of Last Cleanup : 2016-09-12 13:40:35
Number of Reclaimable Packages : 0
Component Store Cleanup Recommended : Yes
The operation completed successfully.
PS C:\>
There are several ways to achieve this, I will list two and you can choose the one you like better. Others may offer alternative approaches.
First using Select-String - simply pipe the output into select string
$output = @'
Deployment Image Servicing and Management tool Version: 10.0.14393.3750
Image Version: 10.0.14393.3241
[===========================99.7%========================= ]
Component Store (WinSxS) information:
Windows Explorer Reported Size of Component Store : 8.08 GB
Actual Size of Component Store : 7.94 GB
Shared with Windows : 6.12 GB
Backups and Disabled Features : 1.49 GB
Cache and Temporary Data : 323.47 MB
Date of Last Cleanup : 2016-09-12 13:40:35
Number of Reclaimable Packages : 0
Component Store Cleanup Recommended : Yes
The operation completed successfully.
'@
$output | Select-String "Component Store Cleanup Recommended : (\w*)" | foreach {$_.matches.groups[1].value}
I used the outvariable parameter of Foreach; you could also just assign normally
$cleanup = $output | Select-String "Component Store Cleanup Recommended : (\w*)" | foreach {$_.matches.groups[1].value}
Second suggestion is to use -Match
$cleanup = if($output -match "Component Store Cleanup Recommended : (\w*)"){$matches[1]}
Both will end up setting $cleanup to the yes/no value you're after.
Get-Variable cleanup

Name     Value
----     -----
cleanup  {Yes}
Now you can simply check if it's yes and run the cleanup if so.
if($cleanup -eq 'yes'){"run cleanup code"}
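An added example that goes a step beyond the answer above (it is not the answerer's code): rather than picking out one line, parse every "label : value" line of the AnalyzeComponentStore report into a typed object, and wire the real dism.exe calls behind exit-code checks so a failed analysis cannot be mistaken for "No". The sample report is the output shown in the question; the Invoke-ComponentStoreMaintenance function touches the live system only when called from an elevated prompt.

```powershell
# Added example (not the answer's code): parse the whole AnalyzeComponentStore
# report into an object and gate StartComponentCleanup on it.
# The sample text is the output shown in the question.
$sampleReport = @'
Deployment Image Servicing and Management tool
Version: 10.0.14393.3750

Image Version: 10.0.14393.3241

[===========================99.7%========================= ]

Component Store (WinSxS) information:

Windows Explorer Reported Size of Component Store : 8.08 GB

Actual Size of Component Store : 7.94 GB

    Shared with Windows : 6.12 GB
    Backups and Disabled Features : 1.49 GB
    Cache and Temporary Data : 323.47 MB

Date of Last Cleanup : 2016-09-12 13:40:35

Number of Reclaimable Packages : 0
Component Store Cleanup Recommended : Yes

The operation completed successfully.
'@

function ConvertFrom-DismAnalysis {
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = [ordered]@{}
    foreach ($line in $Lines) {
        # Data lines have the shape "<label> : <value>"; the banner, the progress
        # bar and the blank lines do not match. The lazy key group stops at the
        # first colon, so "Date of Last Cleanup : 2016-09-12 13:40:35" splits correctly.
        if ($line -match '^\s*(?<key>[A-Za-z][A-Za-z ()]+?)\s*:\s*(?<val>.+?)\s*$') {
            $fields[$Matches.key] = $Matches.val
        }
    }
    $lastCleanup = [datetime]::MinValue
    $hasDate = [datetime]::TryParse($fields['Date of Last Cleanup'], [ref]$lastCleanup)
    [pscustomobject]@{
        CleanupRecommended  = ($fields['Component Store Cleanup Recommended'] -eq 'Yes')
        ReclaimablePackages = [int]$fields['Number of Reclaimable Packages']
        LastCleanup         = if ($hasDate) { $lastCleanup } else { $null }
        ActualSize          = $fields['Actual Size of Component Store']
        Succeeded           = [bool]($Lines -match 'The operation completed successfully')
    }
}

function Invoke-ComponentStoreMaintenance {
    # Runs the real tool; requires an elevated session.
    $report = & dism.exe /Online /Cleanup-Image /AnalyzeComponentStore
    if ($LASTEXITCODE -ne 0) { throw "AnalyzeComponentStore failed with exit code $LASTEXITCODE" }
    $analysis = ConvertFrom-DismAnalysis -Lines $report
    if (-not $analysis.Succeeded) { throw 'AnalyzeComponentStore did not report success' }
    if ($analysis.CleanupRecommended) {
        & dism.exe /Online /Cleanup-Image /StartComponentCleanup
        if ($LASTEXITCODE -ne 0) { throw "StartComponentCleanup failed with exit code $LASTEXITCODE" }
    }
    else {
        'Cleanup not recommended; nothing to do.'
    }
}

# Offline check against the sample report:
ConvertFrom-DismAnalysis -Lines ($sampleReport -split "`r?`n")
```

Checking $LASTEXITCODE matters more than it looks: a DISM run that fails early (for example, when not elevated) never prints the "Recommended" line, and a regex-only script would then quietly fall through to "No" and skip the cleanup forever.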

Why is my Event Log Name, Source, and other properties blank?

I am creating an event log with PowerShell using the following command:
New-EventLog -LogName "TestLog" -Source "TestLog_Source"
The log gets created but all of its properties are blank.
I've tried removing the log and re-running the command and it has not worked.
Log Name:
Source:
Event ID:
Level:
User:
OpCode:
More information: Event Log Online Help
I also notice that the application is not actually logging anything to the log either. The above is what the first column of the event log properties at the bottom shows me. There are other event logs on the server that show those values populated.
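An added example, not from the question or any answer: create the source, write one test event and read it back, so you can tell whether the log is actually receiving records. Event Viewer's detail pane only fills in Log Name, Source and Event ID for a selected record, so a log that nothing has written to shows those fields blank. The log and source names are those used in the question; the event ID and message text are illustrative. New-EventLog and Write-EventLog are Windows PowerShell 5.1 cmdlets (not present in PowerShell 7) and need an elevated session.

```powershell
# Added example (not from the question): create a custom log and source, write
# one test event, and read it back. Log and source names are the question's;
# the event ID and message are illustrative.
$LogName = 'TestLog'
$Source  = 'TestLog_Source'

function Initialize-EventSource {
    param([string]$Log, [string]$Src)
    # A source name is machine-wide. If it is already registered to another log,
    # New-EventLog fails, and events written to it land in that other log.
    if (-not [System.Diagnostics.EventLog]::SourceExists($Src)) {
        New-EventLog -LogName $Log -Source $Src
    }
    else {
        $owner = [System.Diagnostics.EventLog]::LogNameFromSourceName($Src, '.')
        if ($owner -ne $Log) { throw "Source '$Src' is already registered to log '$owner'" }
    }
}

function Test-EventLogRoundTrip {
    param([string]$Log, [string]$Src)
    Initialize-EventSource -Log $Log -Src $Src
    $marker = [guid]::NewGuid().ToString()
    Write-EventLog -LogName $Log -Source $Src -EventId 1000 -EntryType Information `
        -Message "round-trip test $marker"
    # Read it back by the unique marker so a stale record cannot produce a false pass.
    $hit = Get-EventLog -LogName $Log -Newest 20 | Where-Object { $_.Message -like "*$marker*" }
    [pscustomobject]@{
        Log      = $Log
        Source   = $Src
        Written  = [bool]$hit
        RecordId = if ($hit) { $hit.Index } else { $null }
    }
}

Test-EventLogRoundTrip -Log $LogName -Src $Source
```

If Written comes back $true here but the application's own events still never appear, the problem is on the application side (wrong source name, or writing as an account without permission to the custom log), not in how the log was created.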

Report: Veritas Backup Exec 16 list of servers with the last successful job associated

I am using the PowerShell module BEMCLI and I want to create a report with these columns: the list of servers, and the jobs associated with each server, with the last successful run.
I can get the list of servers with: Get-BEAgentServer
I can also get the list of jobs that succeeded in a period with:
Get-BEJobHistory -JobStatus Succeeded -FromStartTime (Get-Date).AddHours(-24) | ft -auto
Is there an easy way to get what I want?