none
PowerShell: Clearing Contents of a Monitored File RRS feed

  • Question

  • Hey Guys -

    I run VNC servers on many of my lab systems and have written a script which monitors the vncserver.log for two phrases to appear.  Whenever the phrase appears which means a user has connected, the script executes a string to quit and app and whenever a user disconnects, it starts the app back up again plus clears the log file.  If I don't clear the log, each time I restart the script, it triggers all of the historical connections.

    The problem is that I'm having issues clearing the log file.  Using a Clear-Content string works when run by itself, however; when used within the script; fails stating the file is in use.  I thought this was due to the VNC Service, but I finally discovered it was because the script itself was monitoring the file.

    Below is my current script.  What may I do so that it continues to constantly monitor the file (doesn't exit after executing a connect / disconnect string) yet allows me to clear-contents on the log file after every disconnect?

    $targetfile = "C:\ProgramData\RealVNC-Service\vncserver.log"
    Get-Content $targetfile -wait | 
    	ForEach-Object{
    		if($_ -match "Connections: connected") {
    		Stop-Process -Name "InputDirector"
    		}
    		if($_ -match "disconnected") {
    		Start-Process -FilePath "C:\Program Files (x86)\Input Director\InputDirector.exe" -ArgumentList "/hide"
            Clear-Content "C:\ProgramData\RealVNC-Service\vncserver.log"
    		}
    	}

    I suppose I could have a 2nd script stop this one, clear contents, then start it back up every x minutes; but surely there's a better solution. 

    Any suggestions would be appreciated - Thank You


    Ben K.


    Friday, December 20, 2019 10:06 PM

All replies

  • First stopping a process like that is a ver bad idea.

    Second the event log will tell you when a user logs in and a script can be attached to the logon/logoff events.


    \_(ツ)_/

    Friday, December 20, 2019 10:22 PM
  • Thanks for the reply - 

    Well, I actually started with Event Logs, but ran into an issue.  I had the script set up to run in Task Scheduler via a trigger of a matching event.  When testing within ISE, it pulls the last matching event and works great.  However, when running as a task (despite trigger or manual run), nothing happened so went to try the different method.

    As you'll see, I added a line to write a log file when run so I could verify that task scheduler was executing the script plus variables were being set correctly.  When tested, the log was created / appended to and the variable it wrote was correct as well so go figure.  

    Below is the script and task scheduler settings if you have suggestions.  As for the Stop-Process, I know it isn't the ideal method, but put it in for testing and will fine tune after I get the framework to work correctly.

    $logpath = "C:\test7"
    $A = Get-WinEvent -MaxEvents 1  -FilterHashTable @{Logname = "Application" ; ID = "256"}
    $Message = $A.Message
    	ForEach-Object{
    		if($Message -match "Connections: connected") {
    		Stop-Process -Name "InputDirector"
    		}
    		if($Message -match "disconnected") {
    		Start-Process -FilePath "C:\Program Files (x86)\Input Director\InputDirector.exe" -ArgumentList "/hide"
            Out-File -FilePath "$logpath\VNCID.log" -Append -InputObject "The Message variable equals $Message"
            }
    	}

    FYI: The variable $Message returns "Connections: disconnected: 192.168.0.157::49251 (UDP) ([ViewerClosed] VNC Viewer closed)" when run in ISE as well as when logging to file when run manually & grabbing the last matching event.   

    Task Configuration

    Not including trigger config since it failed manually running and when triggered on schedule as well.  Anything not listed is default

    • Run as local admin user on system not joined to a domain
    • Run whether user is logged in or not
    • Run with highest privileges
    • Configure for Windows 10
    • Start a program: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    • Arguments: -windowstyle Hidden -File "C:\Scripts\VNCMonitor-EventLog.ps1"
    • Stop if runs longer than 1 hour
    • If already running, queue a new instance

    Although the above settings work in other scheduled tasks I use, I tried a variety of settings with no luck.  I enabled history for tasks and everything for the task looks clean.

    Thanks


    Ben K.

    Saturday, December 21, 2019 7:37 PM
  • Your issue is that you do not understand how to use the event log and task scheduler. To access the security log you must run the task with "Full privileges" and the task account must have access to the file you want to update.  You also need to provide correct error management in your script so that the task history displays the error.

    You code should be attached to the event you want to monitor.  Search for articles that explain how to use this facility of the event log.  The event alerting will be the event you need and no searching for events is needed.

    Start by learning how to use the event log. Creating the event script on the event will schedule it corr4ectly.


    \_(ツ)_/

    Saturday, December 21, 2019 8:43 PM