This topic is 4 years and 2 months old and has exceeded the time allowed for comments. Please begin a new topic or use the search feature to find a similar but newer topic.
Locked
by ITEngineer » Thu Jan 09, 2020 3:03 pm
Hi All,
I need some help in displaying the Event source & User from the below script to show the summary of Windows Event logs in the past X days.
The below script is working fine; it is just the two additional attribute values that are not showing.
Code:
$HtmlHead = @"
<style>
    body {
        font-family: Arial;
    }
    table {
        width: 100%;
        border-collapse: collapse;
        border: 1px solid;
    }
    th {
        background-color: green;
        border: 1px solid;
        padding: 1px;
    }
    td {
        border: 1px solid;
        padding: 1px;
    }
</style>
"@
$ComputerName = "$ENV:COMPUTERNAME"
$Logs = 'Application', 'System'
$After = (Get-Date).AddDays(-1).Date.ToString('o')
$Before = (Get-Date).Date.AddDays(1).ToString('o')
$Filter = "*[System/Level<4 and System/TimeCreated[@SystemTime > '$After' and @SystemTime < '$Before']]"
foreach ( $LogType in $Logs ) {
    $ResultFile = "C:\temp\$ComputerName-EVENTS-$LogType.html"
    $HtmlDocument = Get-WinEvent -ComputerName $ComputerName -LogName $Logtype -FilterXPath $Filter | Group-Object Message | Sort-Object Count -Descending | ForEach-Object {
        [PSCustomObject]@{
            NumberOfEvents  = $_.Count
            FirstOccurrence = $_.Group[-1].TimeCreated
            LastOccurrence  = $_.Group[0].TimeCreated
            EventId         = $_.Group[0].Id
            Message         = $_.Name
            User            = $_.User
            Source          = $_.Source
        }
    } | ConvertTo-Html -Head $HtmlHead | Out-String
    # Send-MailMessage ... -Body $HtmlDocument -BodyAsHtml
    $HtmlDocument | Out-File $ResultFile
    Invoke-Item $ResultFile
}
Thank you in advance.
/* IT Engineer */
by jvierra » Thu Jan 09, 2020 4:06 pm
Those names are only part of the individual members of the group. Each group member will be different. You are only enumerating the groups and assuming that a group has more than one member and less than 3 where a group can have any number of members more than one.
The logic and assumptions you are using are faulty and what you are trying to do cannot be done. Rethink your requirements and state them in a way that accounts for the data being returned.
The following will give you something but it won't make much sense:
Code:
[PSCustomObject]@{
    NumberOfEvents  = $_.Count
    FirstOccurrence = $_.Group[-1].TimeCreated
    LastOccurrence  = $_.Group[0].TimeCreated
    EventId         = $_.Group[0].Id
    Message         = $_.Group[0].Name
    User            = $_.Group[0].User
    Source          = $_.Group[0].Source
}
by ITEngineer » Thu Jan 09, 2020 5:17 pm
Mr. Vierra,
AFAIK, the filter System/Level<4 means to show any event log with the type of Warning, Error and Critical.
Code:
Verbose       = 5
Informational = 4
Warning       = 3
Error         = 2
Critical      = 1
LogAlways     = 0
Does it mean that it is not possible to add an additional column that shows the service/source of the event?
I understand that User may not be always populated, hence I can remove that column or member.
/* IT Engineer */
by jvierra » Thu Jan 09, 2020 5:35 pm
The server is part of the record. Just add it. It is called "MachineName".
Yes, I know the levels. They exist in every record. Level < 4 means show all levels that are less than 4.
"User" is not part of every event's system properties.
I think you really want "ProviderName" and "UserId"
The following will give you all of the "System" properties.
get-winevent -max 1 | fl *
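Following the pointer above to "ProviderName" and "UserId", here is an added example (not code from the thread or its participants): it groups on ProviderName and Id so that every record in a group shares one source, and collects the distinct users seen in each group. Resolve-EventUser is a hypothetical helper name; the filter and date range are the ones from the first post.

```powershell
$ComputerName = $env:COMPUTERNAME
$Logs   = 'Application', 'System'
$After  = (Get-Date).AddDays(-1).Date.ToString('o')
$Before = (Get-Date).Date.AddDays(1).ToString('o')
$Filter = "*[System/Level<4 and System/TimeCreated[@SystemTime > '$After' and @SystemTime < '$Before']]"

# Hypothetical helper: translate a SID to DOMAIN\name, falling back to the SID string.
# Translation runs on the machine executing the script, so local accounts of a
# remote computer may stay unresolved.
function Resolve-EventUser {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    if ($null -eq $Sid) { return $null }     # many events carry no UserId
    try   { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid.Value }                     # SID could not be mapped to an account
}

$Summary = foreach ($LogType in $Logs) {
    # Get-WinEvent writes an error when no event matches; suppress it so an
    # empty log simply yields no rows.
    Get-WinEvent -ComputerName $ComputerName -LogName $LogType -FilterXPath $Filter -ErrorAction SilentlyContinue |
        Group-Object ProviderName, Id |
        Sort-Object Count -Descending |
        ForEach-Object {
            $Newest = $_.Group[0]            # Get-WinEvent returns newest first
            $Oldest = $_.Group[-1]
            # ProviderName and Id are identical across the group; UserId is not,
            # so gather every distinct user instead of trusting one record.
            $Users = $_.Group |
                ForEach-Object { Resolve-EventUser $_.UserId } |
                Where-Object { $_ } |
                Sort-Object -Unique
            [PSCustomObject]@{
                Log             = $LogType
                Computer        = $Newest.MachineName
                NumberOfEvents  = $_.Count
                FirstOccurrence = $Oldest.TimeCreated
                LastOccurrence  = $Newest.TimeCreated
                Source          = $Newest.ProviderName
                EventId         = $Newest.Id
                Users           = $Users -join ', '
                SampleMessage   = $Newest.Message   # newest message only; text can vary per event
            }
        }
}

$Summary | Format-Table -AutoSize -Wrap
```

To get the HTML report from the first post, pipe $Summary to ConvertTo-Html -Head $HtmlHead instead of Format-Table.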
by ITEngineer » Thu Jan 09, 2020 7:25 pm
jvierra wrote: Thu Jan 09, 2020 5:35 pm
The server is part of the record. Just add it. It is called "MachineName".
Yes, I know the levels. They exist in every record. Level < 4 means show all levels that are less than 4.
"User" is not part of every event's system properties.
I think you really want "ProviderName" and "UserId"
The following will give you all of the "System" properties.
get-winevent -max 1 | fl *
Yes, exactly,
it is working as expected
many thanks for the pointer.
/* IT Engineer */