CITSLibrary.ps1 Get-EventLog No matches found

    Question

  • I think there is an omission in this script, and I of course may be totally wrong. But as near as I can tell, SCOM is letting me know, via warning alerts, that there were no SQL crashes.

    Data was found in the output, but has been dropped because the Event Policy for the process started at 8:13:00 AM has detected errors.  
    The 'StdErr' policy expression:
    	\a+
     matched the following output:
    	Get-EventLog : No matches found
    At C:\Program Files\System Center Operations Manager 2007\Health Service State\
    Monitoring Host Temporary Files 2\3986\CITSLibrary.ps1:622 char:40
    +         $msftesqlCrashes = get-eventlog <<<<  -computername $Server -after $S
    tartTime -logname "Application" -source $msftesqlServiceName | where {$_.eventI
    d -eq $msftesqlCrashEventId}
        + CategoryInfo          : ObjectNotFound: (:) [Get-EventLog], ArgumentExce 
       ption
        + FullyQualifiedErrorId : GetEventLogNoEntr
    
    
    Command executed:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "& '.\ExecuteDiagnosticScript.ps1' -MonitoringDataSource 'MSExchange Monitoring Troubleshoot-CI' -MaxStartDelaySeconds '15' -DiagnosticScriptName '.\Troubleshoot-CI.ps1' -DiagnosticScriptArguments '-Action DetectAndResolve -MonitoringContext'"
    Working Directory:	C:\Program Files\System Center Operations Manager 2007\Health Service State\Monitoring Host Temporary Files 2\3986\

    The bolded and underlined Get-Eventlog: No Matches Found is where I think the problem is. I believe I'm getting this because there were no errors logged. The code is nested in a try/catch:

        # Check if we have any msftesql crashes in the past N minutes
        #
        try
        {
            $msftesqlCrashes = get-eventlog -computername $Server -after $StartTime -logname "Application" -source $msftesqlServiceName | where {$_.eventId -eq $msftesqlCrashEventId}
        }
        catch [System.Exception]
        {
            $msftesqlCrashes = $null
        }

    I'm wondering if perhaps the catch is too broad, or if I'm just missing something here. Also this is worth noting, the error is occurring on a Mailbox server and as near as I can tell I don't see the SQL service running on it, but I'm not a mail admin and am still waiting for him to get in to confirm this. I also note that when I run this manually I get the same issue.

    Get-EventLog -LogName 'Application' -Source 'msftesql-exchange' | where {$_.eventId -eq 1053}
    
    Get-EventLog : No matches found
    At line:1 char:13
    + Get-EventLog <<<<  -LogName 'Application' -Source 'msftesql-exchange' | where {$_.eventId -eq 1053}
        + CategoryInfo          : ObjectNotFound: (:) [Get-EventLog], ArgumentException
        + FullyQualifiedErrorId : GetEventLogNoEntriesFound,Microsoft.PowerShell.Commands.GetEventLogCommand

    Any help or advice would be greatly appreciated. While I don't mind clearing these out, if this starts to become a regular occurrence, it might be nice to know how to either adjust the script to not get these errors, or figure out some rule to auto-clear them.

    Thanks,


    Jeffrey S. Patton, Systems Specialist, Enterprise Systems, University of Kansas, 1001 Sunnyside Ave., Lawrence, KS 66045, (785) 864-0242 | http://patton-tech.com

    Monday, June 11, 2012 2:50 PM

All replies

  • I didn't write these functions, they came with the Exchange 2010 MP.

    And no, when run manually they error out in much the same way.


    Jeffrey S. Patton

    Tuesday, June 12, 2012 3:42 PM
  • My apologies for overlooking some of your information, I am a bit more awake now :s

    I added '$ErrorActionPreference = "stop"' before the 'get-eventlog' line and the exception did not occur anymore. Depending on whether any other important code runs after the troublesome section, you could use 'SilentlyContinue' instead of 'Stop'.

    The best solution however is an MP update from Microsoft, as this classifies as a bug in my opinion.

    Tuesday, June 12, 2012 4:00 PM
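
An illustration of the behaviour discussed above, added here and not part of the original thread or of the Exchange 2010 MP: Get-EventLog reports "No matches found" as a non-terminating error, so a plain try/catch never sees it and the text still reaches the error stream that the 'StdErr' policy matches. The function name `Get-CrashEvents` and its default values are assumptions (the source name and event ID are taken from the manual test in the question); it scopes `-ErrorAction Stop` to the one call and swallows only the "no entries" case so that real failures still surface.

```powershell
# Added example; Get-CrashEvents is a hypothetical helper, not code from CITSLibrary.ps1.
# Requires Windows PowerShell (Get-EventLog is not available in PowerShell 6 and later).
function Get-CrashEvents {
    param(
        [string]$Server = $env:COMPUTERNAME,
        [datetime]$StartTime = (Get-Date).AddMinutes(-15),
        [string]$Source = 'msftesql-exchange',  # from the manual test in the question
        [int]$CrashEventId = 1053               # from the manual test in the question
    )

    try {
        # -ErrorAction Stop turns the non-terminating "No matches found" error
        # into a terminating one, so the catch block below actually runs and
        # nothing is written to the error stream.
        $events = Get-EventLog -ComputerName $Server -After $StartTime `
            -LogName 'Application' -Source $Source -ErrorAction Stop
        return @($events | Where-Object { $_.EventID -eq $CrashEventId })
    }
    catch {
        # Treat only "no entries found" as "no crashes". Anything else
        # (access denied, unreachable host, missing log) is a genuine
        # monitoring failure and is rethrown so it still raises an alert.
        if ($_.FullyQualifiedErrorId -like 'GetEventLogNoEntriesFound*') {
            return @()
        }
        throw
    }
}

# Wrap the call in @() so an empty result is a zero-length array, not $null.
$crashes = @(Get-CrashEvents)
"Crash events found: $($crashes.Count)"
```

Unlike setting `$ErrorActionPreference` for the whole script, the per-call `-ErrorAction Stop` leaves the error handling of the rest of the script unchanged.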
  • No worries :) and I totally agree, which is why I posted this...rather hoping someone from Microsoft will see this.


    Jeffrey S. Patton

    Tuesday, June 12, 2012 4:01 PM
  • I am getting the same error as well from the Exchange 2010 MP. I took a look at this rather lengthy script and my powershell isn't super-strong but it appears there may be a problem with the logic. If you drill into it the management pack copies a number of ps1 files into a directory like "C:\Program Files\System Center Operations Manager\Agent\Health Service State\Monitoring Host Temporary Files 15762\1787". The script that is called is: '.\ExecuteDiagnosticScript.ps1' -MonitoringDataSource 'MSExchange Monitoring Troubleshoot-CI' -MaxStartDelaySeconds '15' -DiagnosticScriptName '.\Troubleshoot-CI.ps1' -DiagnosticScriptArguments '-Action DetectAndResolve -MonitoringContext'.

    This ExecuteDiagnosticScript.ps1 calls/refers to other scripts in that directory including CITSLibrary.ps1, which on line 622 has the problem you referred to:

        try
        {
            $msftesqlCrashes = get-eventlog -computername $Server -after $StartTime -logname "Application" -source $msftesqlServiceName | where {$_.eventId -eq $msftesqlCrashEventId}
        }
        catch [System.Exception]
        {
            $msftesqlCrashes = $null
        }

    This I can run and get the "no matches" result, which is what the error seems to be when seen in the alert context. So I have not put the time into putting together how all these scripts work, but it appears somewhere there is likely a bug such that a return of no matches/errors for this event actually causes a false positive. Someone with more time and more powershell skill than me should be able to figure it out but then again, that's MS' job.

    Searching on the topic did turn up some people complaining of McAfee causing problems but I have no AV on my server which is a pretty plain/new server.

    Tuesday, August 14, 2012 10:19 PM
  • @Peteski Thanks for poking around at this, but the code you mention is my second example in the original post. Like I said and you confirm as well as Jan, this is most likely an oversight in the code, something Microsoft missed.

    Hopefully an updated MP will come out soon, but I'm not holding my breath ;-)


    Jeffrey S. Patton

    Wednesday, August 15, 2012 1:41 PM