I'm new to PowerShell and am writing my first application. The application will check the state of a Windows service and (depending on a number of factors) can do a number of things, such as stop it, start it or restart it. I need to produce a log showing what it's done. I'm wanting to use modules so my code will be reusable and also flexible (for example, if I schedule it to run automatically, the log will need to be sent by e-mail or written to a text file, if I run it manually, I will want it outputting with something like Write-Host).
My question is, how do I create the log? In Java for example, I would use a log class with public void addToLog(String log) and public String getLog() methods which just deal with strings and leave it up to e-mail/display it etc.
I have a quite complex set of scripts for installing our platform (relying on BizTalk, SQL Server, Enterprise Single Sign-on, IIS, Enterprise Library and a few other things). These scripts start and stop services, BizTalk orchestrations, create or update databases and so on. I tried several things for logging and, finally, I picked log4net for its ease of use and flexibility. Using it from PowerShell is a breeze.
Refer to a similar question which I had asked on SO few days ago. Might help. I am using the same Logging Module referred there in the ANSWER - Powershell: Debug in Production / Good Exception Handling
If you need a log for people who are in charge of the production you can add your own application log using dedicated Cmdlets. A the moment I create and use one PowerShell log for all my scripts to publish details of the execution (information) and errors (in coordination with good exception handling) for people who are in charge of the production. You can dedicate a log for one script (as it exists a log for DNS etc.)
Here is an example :
# List of logs
Get-EventLog -list
# Creating your own log
New-EventLog -LogName "SlxScripting" -Source "MaSource"
# List of logs
Get-EventLog -list
# Writting in your own log
Write-EventLog -LogName "SlxScripting" -EventId 12 `
-Message "Mon Message"
-Source "MaSource" -EntryType Warning
# Reading in your own log
Get-EventLog -LogName "SlxScripting"
# Suppressing your log
Remove-EventLog -LogName "SlxScripting"
Related
I am trying to find a way to find out who has ran an application (for example SQL) on a server, just to get some idea.
I tried Get-Process but this doesn't give me historic information, I want to get historical information
Get-Process -IncludeUserName *
what I want the return resule is "name of application", "user who ran it" and the last datetime it was ran by that user'
As for ...
I am trying to find a way to find out who has ran an application (for
example SQL) on a server, just to get some idea.
What you are asking for here is software metering.
SQL is a service that is always running once it is installed, so, no individual user is ever going to be running it. So, that is a bad example. MS Word for example would be a better example.
Yet there is nothing native in PowerShell that does this, software metering, but of course PowerShell can look at event logs. Yet if your auditing is not setup correctly then it's moot. This is better for a software metering tool, and there are several out there. So, why try and reinvent the wheel.
As for ...
I tried Get-Process but this doesn't give me historic information, I
want to get historical information
That is not what a process is nor what Get-Process is for. It, Get-Process only checks for and lists whatever process is currently running, regardless of what/who launched it.
As for...
what I want the return resule is "name of application", "user who ran
it" and the last datetime it was ran by that user'
As long as the process is running, you can get this, with that cmdlet.
However, what are you trying to accomplish by this?
Again, there are purpose built tools to meter software use.
https://learn.microsoft.com/en-us/sccm/apps/deploy-use/monitor-app-usage-with-software-metering
If you must go down this reinvent the wheel road, using scripting, then you need a task watcher on the target machines, which watches for the WinWord process to appear.
Get-Process -IncludeUserName |
Where ProcessName -EQ 'Winword'
... you then write those results to a file or database or your own event log each time you see that process.
Use PowerShell to Create and to Use a New Event Log
New-EventLog -LogName ScriptingGuys -Source scripts
When the command runs, no output appears to the Windows PowerShell console. To ensure the command actually created a new event log, I use
the Get-EventLog cmdlet with the –List parameter. Here is the command
and the associated output.
Write-EventLog -LogName ScriptingGuys -Source scripts -Message “Dude, it works … COOL!” -EventId 0 -EntryType information
Or just to a file
Get-Process -IncludeUserName |
Where ProcessName -EQ 'Winword' |
Select-Object -Property Name, StartTime, Username |
Export-Csv -Path 'F:\Temp\AppLaunchLog.csv' -Append
Import-Csv -Path 'F:\Temp\AppLaunchLog.csv'
# Results
Name StartTime UserName
---- --------- --------
WINWORD 5/23/2019 9:02:53 PM WS01\LabUser001
Problem
I am trying to schedule a job that monitors events on remote machines.
I wrote the script based on the Get-EventLog command and it works properly when run by my account. But when I run the Get-EventLog as SYSTEM user, the .Message attribute of the returned objects shows the following error:
The description for Event ID '4724' in Source 'Microsoft-Windows-Security-Auditing' cannot be found. The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them. The following information is part of the event: {somedata}
When I use the Get-WinEvent command as SYSTEM user, the problem does not appear and the .Message part displays properly.
I would stick with Get-WinEvent, especially since the data is much easier to parse (thanks to the ToXML() method), but the Get-EventLog happens to be terribly faster :(
Question
Does anyone have any idea why the Get-EventLog fails to render .Message when run by SYSTEM user and perhaps how to fix it?
To avoid obvious answers:
the COMPUTER$ account is member of DOMAIN\Event Log Readers group,
the COMPUTER$ account does have the read privileges over the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security on remote machines,
obviously, the registry entries for Microsoft-Windows-Security-Auditing and related DLL's are identical on both the source and target computers.
Try:
Get-WinEvent -LogName “Microsoft-Windows-Security-Auditing” | where ID -eq 4724 | select-object -ExpandProperty Message
I've been looking around and can't find any way to create a custom view in the event viewer in Powershell.
I found a Microsoft Scripting Guy post about exporting one, but I'd like to create one from scratch. I'm using PowerShell 5.0.
Edit:
Looks like all the event logs are stored in %SystemRoot%\System32\Winevt\Logs\ and exist as .evtx files.
Edit:
The command:
New-EventLog -LogName "LogNameHere" -Source "Test"
does create LogNameHere.evtx in the %SystemRoot%\System32\Winevt\Logs\ directory. You can specify multiple sources, but this just allows those sources to write to the event log, and doesn't log all the information from those sources. (I'll check on that)
New-EventLog -LogName "LogNameHere" -Source "Test1", "Test2", "Test3"
I have a Windows Server 2008 running MicroSoft Exchange. The Audit Logs are stored in evtx and I am trying to export the logs to a 3rd party collector. The agents we have used (Snare Epilog, open source among them) do not recognized the evtx format and do not forward them to the collecting server.
I am attempting to implement a workaround via Powershell and Task Scheduler. The problem I am facing is that while I can access the evtx and save it as a .txt, I am reparsing the entire log every time. However, I would like to only send the new events every 5 minutes or less.
The code I am using is this:
$File = "C:\text.txt; Get-WinEvent -Path C:\test.evtx | Format-Table -AutoSize | Out-File $File -append -width 750
I really appreciate the help!
You could use Get-EventLog, rather than Get-WinEvent, then use the After parameter to only get the last five minutes of events or better still keep track of the most recent event message you have seen.
Here's how to get the last five minutes of the Application log.
Get-EventLog -LogName Application -After $((Get-Date).AddMinutes(-5))
I have a simple command to create a CSV file in powershell. Is there a way to log this information separate from the file? I will be needing to manipulate the CSV file, so I don't want to rely on it being my only way of logging the data.
You can also export the output of commands by using the > and >> operators.
example:
You can write all of the Adobe services and their information to a file with this code:
get-service -DisplayName Adobe* > C:\services.txt
if you wanted to append to that with Windows services:
get-service -DisplayName Windows* >> C:\services.txt
so if you wanted to export your CSV to a file you can easily do so by adding a > at the end of the command pointing to the filename you wish to export it to:
> C:\Log_$date.csv
and if you ever needed to append more logs you can simply do so by using the >>
>> C:\Log_$date.csv
if you use > it will overwrite and existing data in the file with new data. >> appends.
If you need a log for people who are in charge of the production you can add your own application log using dedicated Cmdlets. A the moment I create and use one PowerShell log for all my scripts to publish details of the execution (information) and errors (in coordination with good exception handling) for people who are in charge of the production. You can dedicate a log for one script (as it exists a log for DNS etc.)
Here is an example :
# List of logs
Get-EventLog -list
# Creating your own log
New-EventLog -LogName "SlxScripting" -Source "MaSource"
# List of logs
Get-EventLog -list
# Writting in your own log
Write-EventLog -LogName "SlxScripting" -EventId 12 `
-Message "Mon Message"
-Source "MaSource" -EntryType Warning
# Reading in your own log
Get-EventLog -LogName "SlxScripting"
# Suppressing your log
Remove-EventLog -LogName "SlxScripting"