I have a report that gets generated by a script in powershell, it reports to me the event-logs of multiple servers. I didn't make the script, my former colleague did this. I'm new to powershell and just started to learn a bit about it.
I want to exclude a Citrix error event (EventID 110) that doesn't do any harm. (has to do with Session Reliability)
get-eventlog-log application-computername
$server -EntryType error-after $d |select eventid,machinename,entrytype, message, source, timegenerated | ConvertTo-Html
-Head $h -Title "Rapport Server eventlogs" | out-file -append $Report
get-eventlog -log application -computername $server -EntryType error -after $d |select eventid,machinename,entrytype, message, source, timegenerated| where {$_.eventid -ne 110} | ConvertTo-Html -Head $h -Title "Rapport Server eventlogs" | out-file -append $Report
Related
The following code in powershell creates a file with key/value pairs.
$result = #()
Get-EventLog -LogName Security -After ((Get-Date).AddDays(-5)) -InstanceId 4624 |
ForEach-Object {
if ($_.ReplacementStrings[5] -ne "SYSTEM")
{
$result += [PSCustomObject]#{
Time = $_.TimeGenerated
Workstation = $_.ReplacementStrings[11]
}
}
}
#$result | Export-Csv -Path .\Logins.csv -NoTypeInformation
$result | Out-File "C:\Temp\Logins.csv"
The above results in the following file contents:
However, I want the contents in CSV format. If I change the commented lines out as below:
$result = #()
Get-EventLog -LogName Security -After ((Get-Date).AddDays(-5)) -InstanceId 4624 |
ForEach-Object {
if ($_.ReplacementStrings[5] -ne "SYSTEM")
{
$result += [PSCustomObject]#{
Time = $_.TimeGenerated
Workstation = $_.ReplacementStrings[11]
}
}
}
$result | Export-Csv -Path .\Logins.csv -NoTypeInformation
#$result | Out-File "C:\Temp\Logins.csv"
Then I get the following:
Googling around through myriad pages and examples, I (mis?)understand this to be a hashtable and that the Export-Csv should work to create a csv file. I cannot seem to get it to work.
Any help is greatly appreciated.
Hmmm ... the following code works exactly like I'd expect it:
$result =
Get-EventLog -LogName Security -After ((Get-Date).AddDays(-5)) -InstanceId 4624 |
ForEach-Object {
if ($_.ReplacementStrings[5] -ne "SYSTEM") {
[PSCustomObject]#{
Time = $_.TimeGenerated
Workstation = $_.ReplacementStrings[11]
}
}
}
$result | Export-Csv -Path .\Logins.csv -NoTypeInformation
BTW: It is recommended not to use Get-Eventlog anymore. Use Get-WinEvent instead. ;-)
Another option could be just this:
Clear-Host
$result = #()
Get-EventLog -LogName Security -After ((Get-Date).AddDays(-1)) -InstanceId 4624 |
ForEach-Object {
if ($_.ReplacementStrings[5] -ne "SYSTEM")
{
$result += [PSCustomObject]#{
Time = $PSItem.TimeGenerated
Workstation = $PSItem.ReplacementStrings[11]
}
}
}
$result | ConvertTo-Csv -NoTypeInformation | Out-File -FilePath 'Logins.csv'
Get-Content -Path 'Logins.csv'
# Results
<#
"Time","Workstation"
...
"06-Aug-22 16:45:37","-"
"06-Aug-22 16:45:17","-"
"06-Aug-22 16:44:29","-"
...
#>
Update as per my comment.
The results are the same as the above, either to the screen or the file:
Clear-Host
(Get-EventLog -LogName Security -After ((Get-Date).AddDays(-1)) -InstanceId 4624) -ne 'SYSTEM' |
Select-Object -Property #{Name = 'Time';Expression = {$PSItem.TimeGenerated}},
#{Name = 'Workstation';Expression = {$PSItem.ReplacementStrings[11]}} |
Export-Csv -Path 'Logins.csv'
Get-Content -Path 'Logins.csv'
I'm attempting to automate a loop that goes through our servers collecting logs from eventviewer to later export into a webpage which works just fine, BUT, I would like to add a property to this list or possible modify an existing read-only property.
Here is the scriptlines I'm using:
$eventlog = (Get-EventLog -LogName system -Newest 5 -EntryType Error)
$eventlog | Select-Object Source,Message,MachineName | ConvertTo-Html -Head $a | Out-File C:\logs.htm
The only real issue here is that the property "MachineName" list "name.domain.com" instead of just "name", so I went ahead and added the following:
$eventlog | ForEach-Object {
$_.MachineName=$env:COMPUTERNAME
}
This was stopped because the property is read-only so I thought I could perhaps add a property to my object and just populate it with a variable which I still believe should work but I'm not getting the hang of how Add-Memberworks fully.
Here is how I went about it:
$eventlog | Add-Member -Name Hostname -Value $env:COMPUTERNAME
or
Add-Member -InputObject $eventlog -Name Hostname -Value $env:COMPUTERNAME
Obviously this alone doesn't work but I can't get my head around how the rest of the parameters are supposed to look. I'm also fairly certain the line above isn't even right but it's enough to make you understand what I'm trying to achieve and perhaps know of a better solution!
You could use a calculated property. This way you can modify read only properties or add new....
$eventlog = (Get-EventLog -LogName system -Newest 5 -EntryType Error)
$eventlog | Select-Object Source,Message, #{l='MachineName'; e={$env:COMPUTERNAME}} |
ConvertTo-Html -Head $a |
Out-File C:\logs.htm
$eventlog | Add-Member -Name 'Hostname' -Value $env:COMPUTERNAME -MemberType NoteProperty
$eventlog | Select ...,hostname | ConvertTo-Html -Head $a | Out-File C:\logs.htm
So i have this code below that collects the stated EventIDs with the use of append. The problem is have is it only saves to a single file. What i want to do is save the collection to a daily file so i can do a daily report. A little help please?
$endtime = Get-Date
$starttime = (Get-Date).AddHours(-3)
$domain = "ComputerName"
$event = get-eventlog security -ComputerName $domain -after $starttime -before $endtime | where-object {($_.EventID -eq 4724) -or ($_.EventID -eq 4723) -or ($_.EventID -eq 4720)}
$event | select MachineName,EventID,TimeGenerated,Message | export-csv -path "E:\EventLogs\temp.csv"
get-content "E:\EventLogs\temp.csv" | out-File -filepath "E:\EventLogs\AccountAudit.csv" -append -enc ASCII -width 500
Export-Csv Has an -Append Parameter as well, you can shorten your code to:
$event = get-eventlog security -ComputerName $domain -after $starttime -before $endtime |
Where-object {($_.EventID -eq 4724) -or ($_.EventID -eq 4723) -or ($_.EventID -eq 4720)}
$event | select MachineName,EventID,TimeGenerated,Message |
Export-Csv -path "E:\EventLogs\AccountAudit.csv" -Append -Encoding ASCII
Simply add a get-start with some parameters to get a date that's filename friendly (no "/" for example) and save it in a variable. Then replace AccountAudit on the last line with the variable.
I am extremely new to PowerShell I am trying to create a script that will look thought the system event log and pull out the items that match Error, Verbose , and Warnings; Then I want to export them to a CSV file.
I was able to get each of the variables created for the $errorlog, $verboselog, and $warninglog (shown below).
$errorlog = Get-EventLog system -Newest 200 | Where-Object {$_.entryType -Match 'Error'}
$verboselog = Get-EventLog system -Newest 200 | Where-Object {$_.entryType -Match 'Verbose'}
$warninglog = Get-EventLog system -Newest 200 | Where-Object {$_.entryType -Match 'Warning'}
When I go ahead and try export them to one CSV file it just displays the $errorlog. From what I have gather from various websites the command I am using should be working.
$errorlog,$verboselog,$waninglog | Export-CSV -inputobject -path 'C:\service\test.CSV'
It is tell me that is it missing '-inputobject' so I moved the variables around to look like the following.
Export-CSV -inputobject $errorlog,$verboselog,$warninglog -path 'C:\service\test.CSV'
It exported with out error but it didn't display the data I wanted in the file.
I thank you in advance for your help.
$errorlog = Get-EventLog system -Newest 200| Where-Object {$_.entryType -eq 'Error'}
$verboselog = Get-EventLog system -Newest 200| Where-Object {$_.entryType -eq 'Verbose'}
$warninglog = Get-EventLog system -Newest 200| Where-Object {$_.entryType -eq 'Warning'}
$errorlog+$verboselog+$warninglog | Export-Csv C:\service\test.CSV
I replaced the -match with -eq and dropped the inputobject switch. I also changed the commas to plus symbols to concantinate the results. This worked for me.
How can I make this use a list of servers
Tried doing $ComputerList = gc <list location> but it doesnt seem to be working
correctly with one computer
$Start = (Get-Date).AddMinutes(-120)
$ComputerList = $env:ComputerName
$Events = gc C:\Temp\ErrorCodes.txt
# Getting all event logs
Get-EventLog -AsString -ComputerName $Computername |
ForEach-Object {
# write status info
Write-Progress -Activity "Checking Eventlogs on \\$ComputerName" -Status $_
# get event entries and add the name of the log this came from
Get-EventLog -LogName $_ -EntryType Error, Warning -After $Start -ComputerName $ComputerName -ErrorAction SilentlyContinue |
Add-Member NoteProperty EventLog $_ -PassThru | Where-Object {$Events -contains $_.eventid}
} |
# sort descending
Sort-Object -Property EventLog |
# select the properties for the report
Select-Object EventLog, EventID, TimeGenerated, EntryType, Source, Message
# output into grid view window
Out-GridView -Title "All Errors & Warnings from \\$Computername"
Force it to be an array.. Otherwise it will come in as a string if there is only one item
$ComputerList = #(gc c:\folder\computerlist.txt)
PowerShell: How can I to force to get a result as an Array instead of Object