EventLog Select and Filtering

  • Friday, October 30, 2009 5:28 PM, Codeitup
    I am trying to pull the event log information for Exchange 2003 to retrieve a certain error, source and event ID within the last day. It works up to the foreach loop! I am trying to pull out only the substring of the email address; this should work too. I did the same code on my local machine, stripping the website name from the crypt32 error. Can someone take a look at this and see if you notice a mistake? I am new to PowerShell and very excited about the capabilities it possesses... I really only care about the TimeWritten and Message.

    {
     $Date = Get-Date
     $List = New-Object Diagnostics.EventLog "Application", "ServerName"
     $List.Entries | Where-Object {$_.EntryType -eq "Error" -and $_.Source -like "MSExchangeTransport*" -and `
     $_.EventId -eq 3005 -and $_.TimeWritten -gt $Date.AddDays(-1).ToShortDateString()} |
     Sort-Object TimeWritten -desc  | ForEach-Object -Process {
     [int]$a = $_.Message.IndexOf("rfc822;") + 7
     [int]$b = $_.Message.IndexOf("Domainname.com") - $a
     $_.Message.Substring($a, $b)
      }
    }
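    As an added example (not the original poster's code), here is the same Diagnostics.EventLog query with the message parsing guarded. IndexOf() returns -1 when a marker is missing from the message text, and the script above then hands Substring() a negative length and aborts the whole loop; the version below reports such entries and continues. "ServerName" and "Domainname.com" are placeholders, as in the question, and the [DateTime] cut-off is compared directly instead of going through ToShortDateString().

```powershell
# Added example, not from the original post. Placeholders: "ServerName", "Domainname.com".
$Server = "ServerName"
$Domain = "Domainname.com"
$Since  = (Get-Date).AddDays(-1)      # keep it a [DateTime]; no string round-trip needed

$Log = New-Object System.Diagnostics.EventLog "Application", $Server

$Entries = $Log.Entries |
    Where-Object {
        $_.EntryType -eq "Error" -and
        $_.Source -like "MSExchangeTransport*" -and
        $_.EventID -eq 3005 -and
        $_.TimeWritten -gt $Since
    } |
    Sort-Object TimeWritten -Descending

foreach ($Entry in $Entries) {
    $Msg   = $Entry.Message
    $Start = $Msg.IndexOf("rfc822;")
    $End   = $Msg.IndexOf($Domain)

    # IndexOf gives -1 when a marker is absent; skip the entry instead of
    # letting Substring() throw on a negative length and kill the loop.
    if ($Start -lt 0 -or $End -lt 0 -or $End -le $Start) {
        Write-Warning ("{0}: message does not contain the expected markers" -f $Entry.TimeWritten)
        continue
    }

    # Start after "rfc822;" and take everything up to and including the domain,
    # so the result is the full address rather than just the local part.
    $Start  += "rfc822;".Length
    $Address = $Msg.Substring($Start, ($End + $Domain.Length) - $Start)

    New-Object PSObject -Property @{
        TimeWritten = $Entry.TimeWritten
        Recipient   = $Address
    }
}
```

    If the domain varies between messages, a regular expression such as `$Msg -match 'rfc822;(\S+@\S+)'` with `$Matches[1]` avoids hard-coding the end marker altogether.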

Answers

  • Sunday, November 01, 2009 12:40 PM, Dan Holton (Answer)
    What error is given when the script fails? 

    The easiest way of figuring out where the problem is (besides looking at the error message), would be to break the script down some.  Try just running the first part of the script directly in powershell (not from the script file). 

     $List = New-Object Diagnostics.EventLog "Application", "ServerName"
     $List.Entries

    Does that succeed, or does it give you an error?  If it gives you an error, then I'd start with looking into reasons why that would fail (permissions, etc.)

    If that works, then make sure just running:

     $Date = Get-Date
     $List = New-Object Diagnostics.EventLog "Application", "ServerName"
     $List.Entries | Where-Object {$_.EntryType -eq "Error" -and $_.Source -like "MSExchangeTransport*" -and `
     $_.EventId -eq 3005 -and $_.TimeWritten -gt $Date.AddDays(-1).ToShortDateString()} |
     Sort-Object TimeWritten -desc

    doesn't give you an error.  If it doesn't, then just check the actual message text for that event and make sure that it will work with your substring filter.

    If you let us know what the exact error you receive is, we'll be able to help you out more.

    -Dan Holton

All Replies

  • Friday, October 30, 2009 9:52 PM, Marco Shaw (MVP, Moderator)
    Are you able to provide the entire script?  I don't quite understand what you mean here "It works up the foreach loop!"...

    So you're querying a remote event log?
  • Monday, November 02, 2009 3:57 AM, Mervyn Zhang (MSFT, Moderator)
    Hi,

    Additionally, please try:

    $entries= $List.Entries | Where-Object {$_.EntryType -eq "Error" -and $_.Source -like "MSExchangeTransport*" -and `
     $_.EventId -eq 3005 -and $_.TimeWritten -gt $Date.AddDays(-1).ToShortDateString()} |
     Sort-Object TimeWritten -desc

    It works fine on my side. Run the following lines one by one and let us know the result:

    $entries[0].message

    $a = $entries[0].message.IndexOf("rfc822;") + 7

    $entries[0].message.IndexOf("Domainname.com") - $a

    $entries | ForEach-Object -Process { $_.message.Substring(1,20) }


    Thanks.
    Mervyn
    TechNet Subscriber Support in forum
    If you have any feedback on our support, please contact tngfb@microsoft.com 
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • Thursday, November 05, 2009 9:04 AM, Mervyn Zhang (MSFT, Moderator)
    Hi,

    Do you need any other assistance? If there is anything we can do for you, please let us know.

    Thanks.

    This posting is provided "AS IS" with no warranties, and confers no rights.
  • Monday, November 09, 2009 3:20 PM, Shay Levi (MVP)
    I prefer to use WMI over Diagnostics.EventLog. With Diagnostics.EventLog you cannot filter events on the remote computer. You have to get ALL events over the wire, which is time- and memory-consuming and also a performance penalty. In addition, WMI exposes the event InsertionStrings, which can help reduce string parsing.

    PS > $e = gwmi Win32_NTLogEvent -ComputerName exchangeServer -Filter "logfile='application' and EventCode=3005"

    # display the first event InsertionStrings
    PS > $e[0].InsertionStrings
    4.4.6
    rfc822;user@domain.com
      CA413C9F696C6948BF45926811703DCC0153A20B@RRAMEXC1.domain.com


    # parse the email address
    PS > $e[0].InsertionStrings[1].split(";")[1]
    user@domain.com


    Shay Levy [MVP]
    http://blogs.microsoft.co.il/blogs/ScriptFanatic
    PowerShell Toolbar
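    As an added example (not part of Shay's post), the WMI approach carried one step further: the WQL filter also restricts the query to errors from the last 24 hours so the remote host does the filtering, and the recipient is taken from InsertionStrings with a pattern check instead of a fixed split index. "exchangeServer" is a placeholder host name; the InsertionStrings layout assumed (address in the second string, prefixed "rfc822;") is the one shown in the output above.

```powershell
# Added example, not from the original post. Placeholder host: "exchangeServer".
$Computer = "exchangeServer"

# WQL compares TimeGenerated as a DMTF datetime string (yyyymmddHHMMSS.ffffff+offset),
# so build the cut-off with the .NET converter rather than formatting it by hand.
$Since = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddDays(-1))

# EventType=1 is "Error" in Win32_NTLogEvent; LIKE with % mirrors -like "MSExchangeTransport*".
$Filter = "Logfile='Application' AND EventCode=3005 AND EventType=1 " +
          "AND SourceName LIKE 'MSExchangeTransport%' AND TimeGenerated>='$Since'"

# The filter runs on the remote machine, so only matching events cross the wire.
$Events = Get-WmiObject -Class Win32_NTLogEvent -ComputerName $Computer -Filter $Filter

foreach ($Event in $Events) {
    $Strings   = @($Event.InsertionStrings)
    $Recipient = $null

    # Second insertion string carries "rfc822;<address>" for this event;
    # guard against events whose strings are shaped differently.
    if ($Strings.Count -ge 2 -and $Strings[1] -match '^rfc822;(.+)$') {
        $Recipient = $Matches[1].Trim()
    }

    New-Object PSObject -Property @{
        Computer  = $Event.ComputerName
        Time      = [System.Management.ManagementDateTimeConverter]::ToDateTime($Event.TimeGenerated)
        Source    = $Event.SourceName
        Recipient = $Recipient
    }
}
```

    Events whose InsertionStrings do not match the expected shape come back with an empty Recipient rather than an exception, so a single odd event cannot stop the rest of the report.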