Proper way to correlate winevents

Ask your PowerShell-related questions, including questions on cmdlet development!
Forum rules
Do not post any licensing information in this forum.

Any code longer than three lines should be added as code using the 'Select Code' dropdown menu or attached as a file.
This topic is 6 years and 6 months old and has exceeded the time allowed for comments. Please begin a new topic or use the search feature to find a similar but newer topic.
Locked
User avatar
obrienc
Posts: 59
Last visit: Wed Apr 20, 2022 5:43 am

Proper way to correlate winevents

Post by obrienc »

I fetch some events and put them into an email report. So far the report contains info from only 1 event. I want to add a new field to the report that gets info from another event. The event runs daily. Both events have a computer name.

I think I want to gather all of the newfield events in 1 shot at the beginning of the script and save to a variable then create a new object with the other information to combine it. Is this the right way?

Event, Computer, some info, date, newfield(from another event has computer name, some info in it)
jvierra
Posts: 15439
Last visit: Tue Nov 21, 2023 6:37 pm
Answers: 30
Has voted: 4 times
Been upvoted: 33 times

Re: Proper way to correlate winevents

Post by jvierra »

Without some example of your code there is no way to know what you are trying to do or what you are doing wrong.
User avatar
obrienc
Posts: 59
Last visit: Wed Apr 20, 2022 5:43 am

Re: Proper way to correlate winevents

Post by obrienc »

For us, this will generate a report saying a VM has been migrated to Hyper-V from VMWare but it hasn't yet been turned on or failed over and put into the cluster. Our process waits for resources to coordinate and verify when we turn it on, add to cluster etc..

I want to add another header to this from a separate event. The event says that replication has been completed and shows the computer name. My question is more high level, I know how to get that info from Get-WinEvent but I think what I need to do is fetch all of the events with that ID showing replication is completed first and then for each one of these below add it to the header? It seems redundant to fetch all those events everyday. Just trying to wrap my head around how to get it into this.

Code: Select all

$message.Body = Get-SCVirtualMachine -VMMServer myvmmserver|where {$_.StatusString -eq "Stopped" -and $_.IsHighlyAvailable -eq $false -and $_.Cloud -ne $null} |Select Name,CreationTime,Cloud,VMHost,NewField(((ReplicationCompleted)))|Sort CreationTime|ConvertTo-Html -Head $style
jvierra
Posts: 15439
Last visit: Tue Nov 21, 2023 6:37 pm
Answers: 30
Has voted: 4 times
Been upvoted: 33 times

Re: Proper way to correlate winevents

Post by jvierra »

I cannot read your code and your question does not to seem to have any relation to the code posted.
Here is how to format code so that it is readable.

Code: Select all

$html = Get-SCVirtualMachine -VMMServer myvmmserver | 
	Where-Object { 
		$_.StatusString -eq 'Stopped' -and $_.IsHighlyAvailable -and $_.Cloud
	} | 
	Sort-Object CreationTime | 
	Select-Object Name, CreationTime, Cloud, VMHost, NewField(((ReplicationCompleted))) | 
	ConvertTo-Html -Head $style |
	Out-String
This part "NewField(((ReplicationCompleted)))" is meaningless in a "Select-Object" statement.

Out-String is a required conversion for an email body.
User avatar
obrienc
Posts: 59
Last visit: Wed Apr 20, 2022 5:43 am

Re: Proper way to correlate winevents

Post by obrienc »

Thanks for the reply. I should have been more clear. What I meant to convey was the NewField(((Replicated))) is what I am trying to insert the 6150 event into the report.

I came up with this. Hopefully you can see what I am after. Would you recommend another way to do this?

Code: Select all

## This tells me the machine has been created on the VMM side
$migrated = Get-SCVirtualMachine -VMMServer vmmserver|where {
    $_.StatusString -eq "Stopped" -and $_.IsHighlyAvailable -eq $false -and $_.Cloud -ne $null
    }
## This is the event that tells me the machine has replicated and want it added
$rc = Get-WinEvent @{ 
    LogName = 'ForwardedEvents'; ID = 6150 
    }
## This takes the event xml for each 6150 and pulls out the machine name
$ff = @()
foreach($r in $rc){
    [xml]$xmlEvent = $r.ToXml()
    $ph = $xmlEvent.Event.EventData.Data[0] -split 'to '
    $ff += $ph[0].Trim()
}

## This takes the migrated list and tells me if it has fully replicated or not
ForEach($w in $migrated){
$Replicated = ""
  If($w.Name -contains $ff){
    $Replicated = "True"
    }
  else{
    $Replicated = "False"
    } 
}

## This for some reason is only returning 1 server not all of them
New-Object -TypeName PSObject -Property @{
      Name = $w.Name
      CreationTime = $w.CreationTime
      Cloud = $w.Cloud
      VMHost = $w.VMHost
      Replicated = $Replicated      
      }
jvierra
Posts: 15439
Last visit: Tue Nov 21, 2023 6:37 pm
Answers: 30
Has voted: 4 times
Been upvoted: 33 times

Re: Proper way to correlate winevents

Post by jvierra »

I am sorry but there is no way to understand what you are asking. The information is incomplete and unrelated across your posts.

You need to post a complete and consistent example of what you are doing and the code that fails.

If this is about a specific vendors product then you should post in the vendors forum or ask vendor support for assistance.
User avatar
obrienc
Posts: 59
Last visit: Wed Apr 20, 2022 5:43 am

Re: Proper way to correlate winevents

Post by obrienc »

Clearly, I am using VMM cmdlets to get information then getting winevents and creating a new object. This is a complete example. It's almost working. I am trying to get all the objects into the new-object. Right now its just returning one.
jvierra
Posts: 15439
Last visit: Tue Nov 21, 2023 6:37 pm
Answers: 30
Has voted: 4 times
Been upvoted: 33 times

Re: Proper way to correlate winevents

Post by jvierra »

You have a bunch of pieces of scrips that gather information but they have no way of being correlated. What you are trying to do is unclear.
Either enumerate systems and query related information in a loop or query events and correlate systems in a loop.

You are just creating one object after doing everything else. It is outside of any loop. It must be in the loop to generate an object for each element of the collection.
User avatar
obrienc
Posts: 59
Last visit: Wed Apr 20, 2022 5:43 am

Re: Proper way to correlate winevents

Post by obrienc »

Now that helped.
I have a list of computers from vmm
I have a list of events with computer names
If there is a match its replicated, if not it isnt.

Code: Select all

## returns a list of vms from vmm
$migrated = Get-SCVirtualMachine -VMMServer myvmmserver|where {
    $_.StatusString -eq "Stopped" -and $_.IsHighlyAvailable -eq $false -and $_.Cloud -ne $null
    }

## gives me a list of events that have replicated
$rc = Get-WinEvent @{ 
    LogName = 'ForwardedEvents'; ID = 6150 
    }

## takes the list and extracts the computer names
$ff = @()
foreach($r in $rc){
    [xml]$xmlEvent = $r.ToXml()
    $ph = $xmlEvent.Event.EventData.Data[0] -split 'to '
    $ff += $ph[0].Trim()
}

## compares the 2 lists for a match. If there is a match, the vm replicated, if not it hasnt
ForEach($w in $migrated) {
$Replicated = ""

  If($ff -contains $w.Name){
    $Replicated = "True"
    }
  else{
    $Replicated = "False"
    } 
New-Object -TypeName PSObject -Property @{
    Name = $w.Name
    CreationTime = $w.CreationTime
    Cloud = $w.Cloud
    VMHost = $w.VMHost
    Replicated = $Replicated      
    }
}
Adding New-Object to the last loop returns this as expected.

Code: Select all

Replicated   : True
VMHost       : Host1
Name         : VM1
Cloud        : Bronze
CreationTime : 8/30/2017 10:04:03 AM

Replicated   : False
VMHost       : Host2
Name         : VM2
Cloud        : SQL-Silver-Gen1
CreationTime : 8/23/2017 4:51:07 PM

Replicated   : True
VMHost       : Host3
Name         : VM3
Cloud        : Gold
CreationTime : 8/29/2017 1:58:44 PM
jvierra
Posts: 15439
Last visit: Tue Nov 21, 2023 6:37 pm
Answers: 30
Has voted: 4 times
Been upvoted: 33 times

Re: Proper way to correlate winevents

Post by jvierra »

If that solves your issue then you are set. Good luck.
This topic is 6 years and 6 months old and has exceeded the time allowed for comments. Please begin a new topic or use the search feature to find a similar but newer topic.
Locked