Remote system event log scanning

Question
-
Can someone please point me to how to do this? It seems like it should be fairly simple, but I am new to this and getting stuck. I am using PowerGUI and have tried it in both versions of PowerShell.
I would like to scan for event ID 7, source disk, with a date range of the last week, but am having no luck. This is what I have so far. All systems are Windows XP and I have around 5000; other suggestions would be great. If I can get this working, I am sure other event IDs would be added in the future.
$ws = Get-Content c:\PSscript\names.txt # contains a list of system names
foreach ($n in $ws) {Get-WMIObject -Class Win32_NTLogEvent -ComputerName $n | where {$_.message | Select-String -Pattern "The device,"}} >> c:\PSscript\errors.csv
Here is the error text:
Generic failure
At :line:2 char:34
+ foreach ($n in $ws) {Get-WMIObject <<<< -Class Win32_NTLogEvent -ComputerName $n | where {$_.message | Select-String -Pattern "The device,"}} >> c:\PSscript\errors.csv
Monday, August 31, 2009 10:00 PM
Answers
-
You may not know this, but the Get-WMIObject -ComputerName parameter takes an array as input, so you can just do this:
$ws = Get-Content c:\PSscript\names.txt
Get-WMIObject -Class Win32_NTLogEvent -ComputerName $ws
I would use a WMI filter to reduce the traffic.
Get-WMIObject -Class Win32_NTLogEvent -filter "EventCode = '7'" -computer $ws | ?{$_.Message -match "The Device"}
Brandon Shell [MVP]
Monday, August 31, 2009 10:26 PM
All replies
-
Thanks. I am now having the problem with "The RPC server is unavailable" on each of the machines, but from reading it may be a firewall issue.
Tuesday, September 1, 2009 3:10 PM
-
That is most likely the case (the firewall.)
I do generally like to ping the host first (I have a script on my site called Test-Host.)
Brandon Shell [MVP]
Tuesday, September 1, 2009 5:26 PM
-
That is most likely the case (the firewall.)
Thanks Brandon, the interesting thing is if I run this against a single remote system everything works, so it does not seem like the firewall could be doing it. It is only when I try to use an array to store the system names that I start getting the RPC server message. To make it even more interesting, even if I populate the $ws variable with just one machine name (the same one I ran it against) it fails. Any ideas? I will redo my testing tomorrow and see what happens; maybe I am just missing something obvious like a variable holding onto a list instead of a single value between tests.
I do generally like to ping the host first (I have a script on my site called Test-Host.)
Brandon Shell [MVP]
Tuesday, September 1, 2009 10:04 PM
-
That is a problem in V1 that is fixed in V2. If one host fails it terminates.
Try pinging the collection of hosts first.
i.e., using my function:
$ws = Get-Content c:\PSscript\names.txt | test-host
Brandon Shell [MVP]
Tuesday, September 1, 2009 10:12 PM
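
Added example, not part of the thread and not any poster's code: one way to combine the points above (server-side WMI filter, last-week date range, ping before query, and a per-host guard so one unreachable machine does not end the run). It assumes Windows PowerShell 2.0 or later; `unreachable.txt` is a hypothetical output file, and `Test-Connection` stands in for the Test-Host function mentioned in the thread.

```powershell
# Added example, not code from the thread. Assumes Windows PowerShell 2.0 or later
# (Test-Connection, try/catch). unreachable.txt is a hypothetical output file.
$names = Get-Content c:\PSscript\names.txt | Where-Object { $_.Trim() }

# WMI compares TimeGenerated against a DMTF-formatted timestamp string.
$since = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddDays(-7))

# Filter on the remote side so each machine returns only matching records.
$filter = "Logfile = 'System' AND SourceName = 'disk' AND EventCode = 7 " +
          "AND TimeGenerated >= '$since'"

$failed = @()
$events = foreach ($name in $names) {
    # One ICMP echo weeds out machines that are switched off. A reply does not
    # prove RPC/DCOM is allowed through the firewall, so the query stays guarded.
    if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
        $failed += ('{0},{1}' -f $name, 'no ping reply')
        continue
    }
    try {
        # -ErrorAction Stop makes "The RPC server is unavailable" catchable,
        # so the loop moves on to the next host instead of stopping.
        Get-WmiObject -Class Win32_NTLogEvent -ComputerName $name -Filter $filter -ErrorAction Stop |
            Select-Object ComputerName, EventCode, SourceName,
                @{ Name = 'Time'; Expression = { $_.ConvertToDateTime($_.TimeGenerated) } },
                Message
    }
    catch {
        $failed += ('{0},{1}' -f $name, $_.Exception.Message)
    }
}

# Write results only when something was collected; keep failures for a re-run.
if ($events) { $events | Export-Csv c:\PSscript\errors.csv -NoTypeInformation }
if ($failed) { $failed | Set-Content c:\PSscript\unreachable.txt }
```

Querying hosts one at a time trades speed for isolation: each failure is recorded against the machine that caused it, which makes the firewall and RPC cases easy to separate from machines that are simply off.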