Get-EventLog "-source" parameter not working for some events
-
May 1, 2012 20:10
I have a script that scans event logs and sends out an email on various criteria. I am trying to use this now for an application called Acronis True Image Echo Server. However, it appears this application is not writing the "source" field properly in the event log on Windows 2008.
If I run this:
get-eventlog -entrytype "Information" -Logname "Application" | where {$_.EventID -eq 6}
it finds the two Acronis events and actually shows the "Source" column as being "Acronis True Image Echo Server". But if I try to then filter on that field using either the -Source option or a "where-object" filter, they both fail to find those events.
get-eventlog -entrytype "Information" -Logname "Application" -Source "Acronis True Image Echo Server"   # this fails to find any events
get-eventlog -entrytype "Information" -Logname "Application" | where {$_.Source -eq "Acronis True Image Echo Server"}   # this also fails to find any events
When I look at the XML data for the event, there is no "source" field but rather has something called "Provider Name" which matches what PowerShell returns as "Source":
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Acronis True Image Echo Server" />
<EventID Qualifiers="0">6</EventID>
<Level>4</Level>
<Task>100</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2012-05-01T18:47:34.000000000Z" />
<EventRecordID>80977</EventRecordID>
<Channel>Application</Channel>
So is PS doing some weird translation of the Provider Name field to the Source field, but somehow the Source field is still empty when you try to filter on it? How would I filter on "Provider Name" in that case? Other than using Get-WinEvent (I am trying to avoid re-writing my script to a Get-WinEvent version if possible).
Thanks
Nelson
All replies
-
May 1, 2012 20:33
Seems odd. I wonder if there may be some hidden characters embedded in the source field from that application. Try setting the where filter to -like "*acronis*true*image*echo*server*", or perhaps just "*acronis*".
Al Dunbar
- Marked as answer by Nelson K, May 1, 2012 21:10
-
May 1, 2012 21:05
Yeah - good idea. I was thinking about that too...like an extra space at the end of the text or something like that. I will go ahead and test out your idea.
Thanks for the suggestion.
Nelson
-
May 1, 2012 21:09
Sure enough...this works:
get-eventlog -entrytype "Information" -Logname "Application" | where {$_.Source -like "Acronis*"}
Thanks so much for the suggestion.
Nelson
-
May 1, 2012 21:25
Sure enough...this works:
get-eventlog -entrytype "Information" -Logname "Application" | where {$_.Source -like "Acronis*"}
Thanks so much for the suggestion.
Nelson
You're welcome.
As an aside, it occurs to me that it might be more efficient to have get-eventlog filter the results, rather than accepting all of the events and ignoring those that don't match. The "source" parameter accepts wildcards, so this might work as well for you (or even better):
get-eventlog -entrytype "Information" -Logname "Application" -source Acronis*
I have often filtered events from remote servers using where {$_.message -like "*$UserAccount*"}. But this is time consuming, especially when done remotely.
Thanks to this thread I have had another look at the help, and found that get-eventlog also has a -message parameter that accepts wildcards! Time to do some timing tests... ;-)
Al Dunbar
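The two ideas in this thread, checking the Source field for hidden characters and letting Get-EventLog filter on -Source with a wildcard instead of piping the whole log through Where-Object, put together as an added example. This is not code from the original thread or from Acronis. It assumes a Windows host with Get-EventLog available (Windows PowerShell 5.1; the cmdlet is not present in PowerShell 7) and an Application log that holds entries from the source discussed above; the function and parameter names are mine, and the log name, source pattern and event ID are values you supply.

```powershell
# Added example, not code from the original thread. Assumes a Windows host with
# Get-EventLog available (Windows PowerShell 5.1; the cmdlet is not in PowerShell 7)
# and an Application log holding entries from the source discussed above.
# Function and parameter names are mine; log name, source pattern and event ID
# are values you supply.

function Show-SourceCharacters {
    # List each distinct Source value with its UTF-16 code units so that a
    # trailing space, a no-break space (U+00A0) or a zero-width character
    # (for example U+200B) that defeats an -eq comparison becomes visible.
    param(
        [string]$LogName       = 'Application',
        [string]$SourcePattern = 'Acronis*',
        [int]   $Newest        = 200
    )
    Get-EventLog -LogName $LogName -Source $SourcePattern -Newest $Newest |
        Select-Object -ExpandProperty Source -Unique |
        ForEach-Object {
            $codes = ($_.ToCharArray() | ForEach-Object { 'U+{0:X4}' -f [int]$_ }) -join ' '
            [pscustomobject]@{
                Source = "[$_]"      # brackets expose leading/trailing whitespace
                Length = $_.Length
                Codes  = $codes
            }
        }
}

function Get-SourceEvents {
    # Let Get-EventLog do the Source filtering (wildcards allowed) instead of
    # pulling the whole log and discarding most of it in Where-Object, which is
    # what makes the remote case slow. EventID is still filtered client-side.
    # When an exact source name is required, compare after stripping whitespace
    # and invisible (Unicode category C) characters from both sides.
    param(
        [Parameter(Mandatory)][string]$SourcePattern,
        [string]$LogName      = 'Application',
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$EntryType    = 'Information',
        [int[]] $EventId,
        [string]$ExactSource
    )
    $events = Get-EventLog -ComputerName $ComputerName -LogName $LogName `
                           -EntryType $EntryType -Source $SourcePattern
    if ($EventId) {
        $events = $events | Where-Object { $EventId -contains $_.EventID }
    }
    if ($ExactSource) {
        $want = $ExactSource -replace '[\s\p{C}]', ''
        $events = $events | Where-Object { ($_.Source -replace '[\s\p{C}]', '') -eq $want }
    }
    $events
}

# Usage: first look at what the Source field really contains, then filter.
Show-SourceCharacters -SourcePattern 'Acronis*' | Format-Table -AutoSize

Get-SourceEvents -SourcePattern 'Acronis*' -EventId 6 |
    Select-Object TimeGenerated, Source, EventID, Message |
    Format-Table -Wrap
```

Run Show-SourceCharacters first: if the Length column is longer than the visible name, or the Codes column ends in U+0020 or U+00A0, that is the stray character that made the exact -eq and -Source comparisons in the original post fail. Get-SourceEvents keeps the wildcard -Source filter on the Get-EventLog side, which is the part that matters for the remote-server case, and only falls back to a normalized exact match when -ExactSource is given.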
-
May 1, 2012 21:27
LOL - I actually discovered I could wildcard the -Source parameter right before you posted. So I beat you to it.
Nelson