Get-EventLog System -Newest 1 is not giving any output

  • Question

  • Not getting any output from the script below when I put Newest 1, but when I remove Newest, I get the output.

    why so..

    I need only latest event id in output

    Get-EventLog System -Newest 1 -ComputerName (Get-Content D:\script\serverlist.txt) | Where-Object {$_.EventID -eq 1074} | Select-Object EventID,MachineName,TimeWritten,Message

    Please help or guide me on this


    • Edited by Mr. Raj Thursday, January 8, 2015 3:23 PM
    Thursday, January 8, 2015 3:23 PM

Answers

  • You are requesting the newest entry, but then specifying you want event id 1074. If the newest entry doesn't have event id 1074, the command will return no output.


    -- Bill Stewart [Bill_Stewart]

    Thursday, January 8, 2015 3:29 PM
    Moderator

All replies

  • This is how to do this:
    Get-EventLog System -Newest 1 -ComputerName (Get-Content D:\script\serverlist.txt) -InstanceID 1074 |
        Select-Object EventID,MachineName,TimeWritten,Message


    ¯\_(ツ)_/¯

    • Proposed as answer by jrv Thursday, January 8, 2015 4:52 PM
    Thursday, January 8, 2015 4:52 PM
  • Still not getting ..

    When I am trying, I am getting the error below:

    Get-EventLog : No matches found
    At line:1 char:13
    + Get-EventLog <<<<  System -Newest 1 -ComputerName (Get-Content D:\script\serverlist.txt) -InstanceID 1074 |Select-Objec
    t EventID
        + CategoryInfo          : ObjectNotFound: (:) [Get-EventLog], ArgumentException
        + FullyQualifiedErrorId : GetEventLogNoEntriesFound,Microsoft.PowerShell.Commands.GetEventLogCommand

    Thursday, January 8, 2015 5:13 PM
  • If there are no instances on any one computer then you will get that.

    Try it like this:

    Get-Content D:\script\serverlist.txt |
       ForEach-Object{
            Write-Host "Querying $_" -fore green
            Get-EventLog System -Newest 1 -ComputerName $_ -InstanceID 1074 -ea 0
       } |
       Select-Object EventID,MachineName,TimeWritten,Message


    ¯\_(ツ)_/¯

    Thursday, January 8, 2015 5:17 PM
  • First, try reading the error message.

    It says: No matches found.


    -- Bill Stewart [Bill_Stewart]

    Thursday, January 8, 2015 5:18 PM
    Moderator
  • If you are using Vista and later you want to use the new log system or you will get issues.  The 1074 message is really a debug message.  It has an instance ID with a flag set.

    Get-WinEvent does not have that issue as MS has fixed the query engine.

    Get-Content computers.txt | %{get-winevent  -FilterHashtable @{Logname='System';ID=1074} -MaxEvents 1 -ComputerName $_}

    This will find the event by ID correctly.


    ¯\_(ツ)_/¯

    Thursday, January 8, 2015 5:58 PM
  • Hi

    Still not getting any data.. script is working fine and no errors found this time..

    See below snapshot.

    First I reboot server and then try to catch event logs..

    Thursday, January 8, 2015 6:04 PM
  • If you have Pre-Vista systems you will have to use Get-Eventlog.  Here is the translated eventID to the diagnostic InstanceID.

    Get-EventLog System -InstanceId 2147484722 -Newest  1

    The number is the decimal representation of the 32 bit hex value: 0x80000432

    PS >'0x{0:x}' -f  1074
    0x432

    PS > '0x{0:x}' -f  2147484722
    0x80000432

    We can't directly use the hex because it converts in int64 and we want Uint32.


    ¯\_(ツ)_/¯

    Thursday, January 8, 2015 6:10 PM
  • Here is one way to seek the instance when it is a debug event.

    $EventID=1074
    $instanceID=[uint32]([uint32]1074 -bor 0x80000000)

    Get-EventLog -LogName System -InstanceID $instanceID -Newest 1

    There is one other mask that should never appear in a production system.  It is used to flag records that are inserted as test records.  They are used when we want to test a program's error capability but do not want the eventing system to retain them or act on them.  I believe it is 0x40000000.

    We can also cascade ID.

    $EventID=1074
    $instanceID1=[uint32]([uint32]1074 -bor 0x80000000)
    $instanceID2=[uint32]([uint32]1074 -bor 0x40000000)

    Get-EventLog -LogName System -InstanceID $instanceID1,$instanceID2 -Newest 1

    Without the Newest 1 this would return both kinds of records.

    If you can, use Get-WinEvent, as it masks all of these to use the true EventID.  It is also much faster and more flexible.  As soon as WS2003 is ended Get-Eventlog is likely to be marked "Deprecated".

    Get-Content computers.txt |
         ForEach-Object{
              get-winevent  -FilterHashtable @{Logname='System';ID=1074} -MaxEvents 1 -ComputerName $_
         }


    ¯\_(ツ)_/¯

    Thursday, January 8, 2015 6:29 PM
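
How the EventID and InstanceId values in the posts above relate, as an added example that is not code from the thread. It assumes PowerShell 3.0 or later (for `-shr`) and the Win32 event identifier layout, in which the low 16 bits are the event code and the top two bits are the severity field; the function names are hypothetical.

```powershell
# Added example, not from the thread. Function names are hypothetical.
# Win32 event identifier layout (32 bits):
#   bits 31-30 severity, bit 29 customer flag, bit 28 reserved,
#   bits 27-16 facility, bits 15-0 event code.

function Split-InstanceId {
    # Break a full 32-bit InstanceId into its fields.
    param([Parameter(Mandatory = $true)][long]$InstanceId)
    $severityNames = 'Success', 'Informational', 'Warning', 'Error'
    New-Object psobject -Property @{
        InstanceId = $InstanceId
        Hex        = '0x{0:X8}' -f $InstanceId
        Severity   = $severityNames[[int](($InstanceId -shr 30) -band 3)]
        Customer   = [bool](($InstanceId -shr 29) -band 1)
        Facility   = [int](($InstanceId -shr 16) -band 0xFFF)
        Code       = [int]($InstanceId -band 0xFFFF)
    }
}

function Get-InstanceIdCandidate {
    # Every InstanceId that carries the given 16-bit code with facility 0,
    # one per severity value (2^30 = 1073741824 is the lowest severity bit).
    param([Parameter(Mandatory = $true)][ValidateRange(0, 65535)][int]$EventId)
    0..3 | ForEach-Object { ([long]$_ * 1073741824) + $EventId }
}

# The value used in the thread, decoded field by field.
Split-InstanceId 2147484722 | Format-List

# Ask Get-EventLog for the code under any severity instead of guessing one mask.
Get-EventLog -LogName System -InstanceId (Get-InstanceIdCandidate 1074) -Newest 1 -ErrorAction SilentlyContinue
```
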
  • I am checking for windows server 2008 r2 servers.

    But I am a little surprised here: when I run the PS script below, it gives me the output as required:

    Import-CSV "D:\script\serverlist.csv" | foreach {
    $serverlist = $_.servername
    Restart-Computer $serverlist -Force
    Get-EventLog -LogName system -newest 1 -computername $serverlist | ? {$_.eventID -eq 1074} | Select MachineName,EventID,TimeWritten,message | Export-csv rebootlist.csv -Notypeinformation
    }

    But the only issue is that I am getting full message details in output..

    I am looking to catch this value "Shutdown Type: restart" from message details of event 1074.

    If I can get this, would be great help...

    Thursday, January 8, 2015 6:37 PM
  • That is because you were lucky enough to have that as the first record in the system event log. Wait a while and it will start failing again.

    Please take some time to learn how the event log works.  It will save you a lot of pain later.


    ¯\_(ツ)_/¯

    Thursday, January 8, 2015 6:41 PM
  • I am checking for windows server 2008 r2 servers.

    But I am a little surprised here: when I run the PS script below, it gives me the output as required:

    Import-CSV "D:\script\serverlist.csv" | foreach {
    $serverlist = $_.servername
    Restart-Computer $serverlist -Force
    Get-EventLog -LogName system -newest 1 -computername $serverlist | ? {$_.eventID -eq 1074} | Select MachineName,EventID,TimeWritten,message | Export-csv rebootlist.csv -Notypeinformation
    }

    But the only issue is that I am getting full message details in output..

    I am looking to catch this value "Shutdown Type: restart" from message details of event 1074.

    If I can get this, would be great help...

    You are now asking a new question.  Please mark the answer that you want or understand and open a new question with your new issue.


    ¯\_(ツ)_/¯

    Thursday, January 8, 2015 6:41 PM
  • Thanks JRV..

    It's working now..  please see my full script which I am using for reboot logs and event logs to be more sure..

    Please make it more beautiful  and reasonable.. :)

    # The server list is a plain text file (one name per line), so read it with Get-Content
    Get-Content "D:\script\serverlist.txt" |
    ForEach-Object -Process {
        # $_ is only set inside -Process, so log and restart each computer here
        "Computer $_ initiated reboot at $(Get-Date)" | Add-Content -Path RebootLog.txt
        Restart-Computer -Force -ComputerName $_
    } -End {
        Get-Content -Path "D:\gops\serverlist.txt" | ForEach-Object -Begin {
            Start-Sleep -Seconds 60
        } -Process {
            if (Test-Connection $_ -Quiet) {
                "Computer $_ verified to be responding to ping at $(Get-Date)" | Add-Content -Path RebootLog.txt
            } else {
                "Computer $_ unresponsive to ping at $(Get-Date)" | Add-Content -Path RebootLog.txt
            }
        }
    }
    # Get-WinEvent records expose Id and TimeCreated (not EventID/TimeWritten).
    # Export once, after the loop, so each server does not overwrite the file.
    Get-Content D:\script\serverlist.txt |
         ForEach-Object {
              Get-WinEvent -FilterHashtable @{LogName='System';ID=1074} -MaxEvents 1 -ComputerName $_
         } |
         Select-Object MachineName,Id,TimeCreated,Message |
         Export-Csv rebootlist.csv -NoTypeInformation


    • Edited by Mr. Raj Thursday, January 8, 2015 6:55 PM
    Thursday, January 8, 2015 6:52 PM
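
A per-server reboot audit built on the Get-WinEvent query from the thread, as an added example that is not code from any poster. It filters on ID 1074 before taking one record, keeps hosts that fail in the report, and extracts the "Shutdown Type:" field; the function names and the sample message are constructed, and the regex assumes English message text.

```powershell
# Added example, not from the thread. Names and sample text are constructed.

function Get-ShutdownType {
    # Pull the "Shutdown Type:" field out of an event 1074 message (English text).
    param([string]$Message)
    if ($Message -match '(?im)^\s*Shutdown Type:\s*(.+?)\s*$') { $Matches[1] }
}

function Get-LastShutdownEvent {
    param([Parameter(Mandatory = $true)][string[]]$ComputerName)
    foreach ($computer in $ComputerName) {
        $row = New-Object psobject -Property @{
            Computer = $computer; TimeCreated = $null; ShutdownType = $null; Status = 'OK'
        }
        try {
            # The ID filter is applied first and -MaxEvents 1 keeps the newest match,
            # unlike "-Newest 1 | Where-Object", which filters a single record.
            $record = Get-WinEvent -ComputerName $computer -MaxEvents 1 -ErrorAction Stop `
                -FilterHashtable @{ LogName = 'System'; Id = 1074 }
            $row.TimeCreated  = $record.TimeCreated
            $row.ShutdownType = Get-ShutdownType $record.Message
        }
        catch {
            # Unreachable hosts and hosts with no 1074 event stay visible in the report.
            $row.Status = $_.Exception.Message
        }
        $row
    }
}

# Constructed sample of a 1074 message body, to exercise the parser offline.
$sample = "The process wininit.exe has initiated the restart of computer SRV01.`r`n" +
          " Reason Code: 0x80020003`r`n Shutdown Type: restart`r`n Comment: "
Get-ShutdownType $sample

# Against the server list used in the thread:
# Get-LastShutdownEvent (Get-Content D:\script\serverlist.txt) |
#     Export-Csv rebootlist.csv -NoTypeInformation
```
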
  • To reboot multiple remote servers and wait for the reboot use a workflow.  It can do this better than any other method.

    http://technet.microsoft.com/en-us/library/jj574130.aspx

    http://blogs.technet.com/b/heyscriptingguy/archive/2013/01/23/powershell-workflows-restarting-the-computer.aspx


    ¯\_(ツ)_/¯

    Thursday, January 8, 2015 6:59 PM