PowerShell - Mining Remote Event Log / Hanging...

  • Question

  • I'm mining remote event logs on multiple machines to find a series of events.  I've put together a script that requests the event log name and start date (earliest date to begin the log export).

    For some reason, the process seems to hang after writing to the file and not proceed to the next machine.

    If someone could peek at this script and tell me if I missed something obvious, I'd greatly appreciate it.

    # Event Log Check
    # Get list of computers from specified file
    $machines = get-content -path "C:\Command Prompt\CheckEvent_NETLOGON\ComputerList.txt"
    $LogName = read-host "Enter Log Name to Query"
    $startdate = read-host "Enter Start Date (mm/dd/yy)"
    # Begin Looping through File
    $count =2
    foreach ($machine in $machines) {
        $enddate = get-date
        $shortend = get-date -format MM-dd-yy.HH.mm
        $machinename = (Get-WmiObject win32_computersystem -ComputerName $machine).Name
        write-host "Starting $machine query."
        Get-Eventlog -Logname $LogName -ComputerName $machine -after $startdate -before $enddate |
            select TimeGenerated,MachineName,EventID,Source,UserName |
            export-csv -delimiter "`t" -path "C:\Command Prompt\CheckEvent_NETLOGON\results\$machinename.$logname.$shortend.ttx"
        write-host "$machine complete. Next..."
        $count++
    }


    Thanks so much!

    Ben Adler


    • Edited by BAWrites Wednesday, April 1, 2015 6:23 PM Modified Title.
    Wednesday, April 1, 2015 6:23 PM

Answers

  • Try it like this until you understand how it works.

    $machines = get-content -path 'C:\Command Prompt\CheckEvent_NETLOGON\ComputerList.txt'
    $LogName = read-host 'Enter Log Name to Query'
    $startdate = read-host 'Enter Start Date (mm/dd/yy)'
    $enddate=[DateTime]::Today
    $shortend = get-date -format MM-dd-yy.HH.mm
    $machines |
        ForEach-Object{
            write-host "Starting $_ query."
            # Events flow down the pipeline; Write-Host only prints the progress line
            Get-Eventlog -Logname $LogName -ComputerName $_ -after $startdate -before $enddate
            write-host "$_ complete.  Next..."
        } |
        select MachineName, TimeGenerated, EventID, Source, UserName
    


    ¯\_(ツ)_/¯


    • Edited by jrv Wednesday, April 1, 2015 8:57 PM
    • Marked as answer by BAWrites Monday, April 6, 2015 4:45 PM
    Wednesday, April 1, 2015 8:57 PM

All replies

  • I'll give it a go - thanks!

    Wednesday, April 1, 2015 9:30 PM
  • So apparently part of the issue is the "-after" portion of the query.  

    When I change the get-eventlog line to "-newest 2000" rather than using a date range, the loop terminates properly.  

    From what I've read (in research), the -after option will cause the get-eventlog to read the *ENTIRE* event log - even after it gets to the first occurrence of the date specified in -after (I'm assuming, to ensure that there are no out-of-order date stamps).  

    That's clunky when you're trying to pull data from an eventlog on a machine that has a bad network connection / availability.

    That said, your post led me in new directions - and that in itself was the answer.

    Thanks!

    Monday, April 6, 2015 4:50 PM
  • These two lines were wrong:

    $enddate = get-date
    $shortend = get-date -format MM-dd-yy.HH.mm

    You may also need to check the date format.

    I would use an interval.  Ask for how many days to retrieve and calculate

    $numdays=7
    $before=[datetime]::Today
    $after=$before.AddDays(-$numdays)

    If you are all Vista or later use Get-WinEvent.  It is faster and indexes most values.


    ¯\_(ツ)_/¯


    • Edited by jrv Monday, April 6, 2015 4:56 PM
    Monday, April 6, 2015 4:55 PM
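A worked version of the interval plus Get-WinEvent approach jrv describes above, added here as an example; it is not code from the thread. It keeps the thread's file paths, takes `Security` as a placeholder log name and 7 days as the interval, and assumes the target hosts run Vista or later and allow remote event log access (RPC reachable, Remote Event Log Management firewall rule enabled). The `StartTime`/`EndTime` filter is applied by the event log service on the remote host, so only matching records cross the network, which is the difference from `Get-EventLog -After` that caused the hang.

```powershell
# Added example (not from the thread): per-machine export over a day interval
# with Get-WinEvent's server-side filtering and per-host error handling, so one
# unreachable machine does not stall the whole run.
param(
    [string]$ComputerListPath = 'C:\Command Prompt\CheckEvent_NETLOGON\ComputerList.txt',  # path from the thread
    [string]$OutDir  = 'C:\Command Prompt\CheckEvent_NETLOGON\results',                    # path from the thread
    [string]$LogName = 'Security',   # assumption: any log name works here
    [int]$NumDays    = 7             # jrv's interval suggestion
)

# Interval instead of a typed date, as suggested: [datetime]::Today excludes
# today's partial day, matching the thread's choice of $before.
$before = [datetime]::Today
$after  = $before.AddDays(-$NumDays)
$stamp  = Get-Date -Format 'MM-dd-yy.HH.mm'

# The hashtable is evaluated by the remote event log service, unlike
# Get-EventLog -After, which reads the entire log and filters locally.
$filter = @{ LogName = $LogName; StartTime = $after; EndTime = $before }

Get-Content -Path $ComputerListPath | ForEach-Object {
    $machine = $_
    Write-Host "Starting $machine query."
    try {
        $events  = @(Get-WinEvent -ComputerName $machine -FilterHashtable $filter -ErrorAction Stop)
        $outFile = Join-Path $OutDir "$machine.$LogName.$stamp.csv"
        $events |
            Select-Object TimeCreated, MachineName, Id, ProviderName,
                          @{ n = 'User'; e = { $_.UserId } } |
            Export-Csv -Delimiter "`t" -Path $outFile -NoTypeInformation
        Write-Host "$machine complete ($($events.Count) events). Next..."
    }
    catch {
        if ($_.Exception.Message -like 'No events were found*') {
            # Get-WinEvent reports an empty result as an error; treat it as zero hits
            Write-Host "$machine complete (0 events). Next..."
        }
        else {
            # RPC failure, access denied, unreachable host: report and move on
            Write-Warning "$machine : $($_.Exception.Message)"
        }
    }
}
```

Run it as a script with `-LogName` and `-NumDays` overriding the defaults; the `try`/`catch` is what keeps a machine with a bad network connection from stopping the loop, which was the original symptom.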
  • I wish we were at Windows 7 + - unfortunately these are older retail point of sale machines that use an OS based on XP Embedded.

    But I'll keep the Get-WinEvent in mind for the desktop systems.

    Monday, April 6, 2015 9:49 PM
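For the XP Embedded point-of-sale hosts where Get-WinEvent is not available, the date bound can instead be pushed into a WQL query against `Win32_NTLogEvent`, so the remote WMI provider does the filtering rather than `Get-EventLog -After` pulling the whole log. This is an added example, not code from the thread; it reuses the thread's paths, uses `System` as a placeholder log file name and 7 days as the interval, and assumes remote WMI (DCOM/RPC) is reachable on the targets.

```powershell
# Added example (not from the thread): date-bounded remote event log export
# via WMI for pre-Vista hosts. The WHERE clause is evaluated on the remote
# machine, so only matching records are returned.
$ComputerListPath = 'C:\Command Prompt\CheckEvent_NETLOGON\ComputerList.txt'   # path from the thread
$OutDir  = 'C:\Command Prompt\CheckEvent_NETLOGON\results'                     # path from the thread
$LogName = 'System'   # assumption: Win32_NTLogEvent's Logfile name (System, Application, Security)
$NumDays = 7          # jrv's interval suggestion

$before = [datetime]::Today
$after  = $before.AddDays(-$NumDays)
$stamp  = Get-Date -Format 'MM-dd-yy.HH.mm'

# Win32_NTLogEvent stores TimeGenerated as a DMTF datetime string
# (yyyymmddHHMMSS.ffffff+UUU), so the bounds must be in the same form.
$conv       = [System.Management.ManagementDateTimeConverter]
$afterDmtf  = $conv::ToDmtfDateTime($after)
$beforeDmtf = $conv::ToDmtfDateTime($before)

$query = "SELECT TimeGenerated, ComputerName, EventCode, SourceName, User " +
         "FROM Win32_NTLogEvent " +
         "WHERE Logfile = '$LogName' " +
         "AND TimeGenerated >= '$afterDmtf' AND TimeGenerated < '$beforeDmtf'"

Get-Content -Path $ComputerListPath | ForEach-Object {
    $machine = $_
    Write-Host "Starting $machine query."
    try {
        $events  = @(Get-WmiObject -ComputerName $machine -Query $query -ErrorAction Stop)
        $outFile = Join-Path $OutDir "$machine.$LogName.$stamp.csv"
        $events |
            Select-Object @{ n = 'TimeGenerated'; e = { $conv::ToDateTime($_.TimeGenerated) } },
                          ComputerName, EventCode, SourceName, User |
            Export-Csv -Delimiter "`t" -Path $outFile -NoTypeInformation
        Write-Host "$machine complete ($($events.Count) events). Next..."
    }
    catch {
        # RPC/WMI failure on an unreachable host: report it and continue the loop
        Write-Warning "$machine : $($_.Exception.Message)"
    }
}
```

The `Security` log file needs an account with the privilege to read it on the remote host; the `Logfile` value is the log's file name rather than the display name, which is the one difference from the `-LogName` value used with Get-EventLog.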