Unable to show Windows Event Source & Username?


Post by ITEngineer »

Hi All,

I need some help in displaying the Event source & User from the below script to show the summary of Windows Event logs in the past X days.

The below script is working fine; it is just the two additional attribute values that are not showing.

Code:

$HtmlHead = @"
<style>
    body {
        font-family: Arial;
    }

    table {
        width: 100%;
        border-collapse: collapse;
        border: 1px solid;        
    }

    th {
        background-color: green;
        border: 1px solid;
        padding: 1px;
    }

    td {
        border: 1px solid;
        padding: 1px;
    }
</style>
"@

$ComputerName = "$ENV:COMPUTERNAME"
$Logs = 'Application', 'System'

$After = (Get-Date).AddDays(-1).Date.ToString('o')
$Before = (Get-Date).Date.AddDays(1).ToString('o')
$Filter = "*[System/Level<4 and System/TimeCreated[@SystemTime > '$After' and @SystemTime < '$Before']]"

foreach ( $LogType in $Logs ) {
    $ResultFile = "C:\temp\$ComputerName-EVENTS-$LogType.html"

    $HtmlDocument = Get-WinEvent -ComputerName $ComputerName -LogName $Logtype -FilterXPath $Filter | Group-Object Message | Sort-Object Count -Descending | ForEach-Object {
        [PSCustomObject]@{
            NumberOfEvents  = $_.Count
            FirstOccurrence = $_.Group[-1].TimeCreated
            LastOccurrence  = $_.Group[0].TimeCreated
            EventId         = $_.Group[0].Id
            Message         = $_.Name
            User            = $_.User
            Source          = $_.Source
        }
    } | ConvertTo-Html -Head $HtmlHead | Out-String

    # Send-MailMessage ... -Body $HtmlDocument -BodyAsHtml
    $HtmlDocument | Out-File $ResultFile
    Invoke-Item $ResultFile
}
Thank you in advance.
/* IT Engineer */

Post by jvierra »

Those names are only part of the individual members of the group. Each group member will be different. You are only enumerating the groups and assuming that a group has more than one member and less than 3 where a group can have any number of members more than one.
The logic and assumptions you are using are faulty and what you are trying to do cannot be done. Rethink your requirements and state them in a way that accounts for the data being returned.

The following will give you something but it won't make much sense:

Code:

            [PSCustomObject]@{
                NumberOfEvents  = $_.Count
                FirstOccurrence = $_.Group[-1].TimeCreated
                LastOccurrence  = $_.Group[0].TimeCreated
                EventId         = $_.Group[0].Id
                Message         = $_.Group[0].Name
                User            = $_.Group[0].User
                Source          = $_.Group[0].Source
            }

Post by ITEngineer »

Mr. Vierra,

AFAIK, the filter System/Level<4 means to show any event log with the type of Warning, Error and Critical.

Code:

        Verbose       = 5
        Informational = 4
        Warning       = 3
        Error         = 2
        Critical      = 1
        LogAlways     = 0
Does it mean that it is not possible to add an additional column to show which service/source of the Event?

I understand that User may not be always populated, hence I can remove that column or member.
/* IT Engineer */

Post by jvierra »

The server is part of the record. Just add it. It is called "MachineName".

Yes, I know the levels. They exist in every record. Level < 4 means show all levels that are less than 4.

"User" is not part of every event's system properties.

I think you really want "ProviderName" and "UserId"

The following will give you all of the "System" properties.

get-winevent -max 1 | fl *
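
The approach the replies above point to, written out as an added example (not code from either poster): group on ProviderName, Id and Message so that Group[0] is valid for those fields, and collect every distinct UserId across each group instead of assuming one. Resolve-EventUser and Get-EventSummary are hypothetical helper names, and the timediff() filter is a substitute for the date strings in the original script.

```powershell
# Added example, not code from the thread. Helper names are hypothetical.
function Resolve-EventUser {
    param($Sid)                                # SecurityIdentifier, or $null
    if ($null -eq $Sid) { return }             # many events carry no UserId
    try   { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid.Value }                       # unresolvable: keep the raw SID
}

function Get-EventSummary {
    param([object[]]$Events)
    # Group on the fields that identify "the same event". Every member of a
    # group then shares ProviderName, Id and Message, so Group[0] is safe for those.
    $Events | Group-Object ProviderName, Id, Message |
        Sort-Object Count -Descending |
        ForEach-Object {
            $times = @($_.Group.TimeCreated | Sort-Object)
            # UserId can differ between members, so collect every distinct value.
            $users = $_.Group | ForEach-Object { Resolve-EventUser $_.UserId } |
                Sort-Object -Unique
            [PSCustomObject]@{
                NumberOfEvents  = $_.Count
                FirstOccurrence = $times[0]
                LastOccurrence  = $times[-1]
                EventId         = $_.Group[0].Id
                Source          = $_.Group[0].ProviderName
                Users           = $users -join ', '
                Message         = $_.Group[0].Message
            }
        }
}

# Level<4 as in the thread; timediff() keeps events from the last 24 hours (ms).
$Filter = '*[System[Level<4 and TimeCreated[timediff(@SystemTime) <= 86400000]]]'
foreach ($Log in 'Application', 'System') {
    # Get-WinEvent raises an error when nothing matches; treat that as empty.
    $found = @(Get-WinEvent -LogName $Log -FilterXPath $Filter -ErrorAction SilentlyContinue)
    if ($found.Count -eq 0) { Write-Host "No matching events in $Log"; continue }
    Get-EventSummary -Events $found | Format-Table -AutoSize -Wrap
}
```

The objects returned by Get-EventSummary can be piped to ConvertTo-Html in place of Format-Table to produce the same report files as the original script.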

Post by ITEngineer »

jvierra wrote: Thu Jan 09, 2020 5:35 pm

The server is part of the record. Just add it. It is called "MachineName".

Yes, I know the levels. They exist in every record. Level < 4 means show all levels that are less than 4.

"User" is not part of every event's system properties.

I think you really want "ProviderName" and "UserId"

The following will give you all of the "System" properties.

get-winevent -max 1 | fl *
Yes, exactly,

it is working as expected :-)

many thanks for the pointer.
/* IT Engineer */