Powershell Get-Eventlog to export logs based on target machine
Is there a way to export windows event logs based on target machine with powershell?
I want to use this code to filter or classify System Center related logs according to a specific agent on a hostname.
Get-EventLog -ComputerName seimi-nb -LogName 'Windows PowerShell' | Export-Csv c:\EvetLog.csv
Seidl Michael | http://www.techguy.at |
twitter.com/techguyat | facebook.com/techguyat
Similar Messages
-
need advice on how to use QT7 to export to ProRes
the prores codec is not available ---
My MBP lost its HDD a month ago and i am trying to get back to where we were previous...
The following entry may indicate a failing hard drive, so doing backups and replacing the hard drive may be in order.
Disk Information:
TOSHIBA MK7559GSXF disk0 : (750,16 GB)
S.M.A.R.T. Status: Failing <-----------
A little bit about drive S.M.A.R.T. status:
"The most basic information that SMART provides is the SMART status. It provides only two values: "threshold not exceeded" and "threshold exceeded". Often these are represented as "drive OK" or "drive fail" respectively. A "threshold exceeded" value is intended to indicate that there is a relatively high probability that the drive will not be able to honor its specification in the future: that is, the drive is "about to fail". The predicted failure may be catastrophic or may be something as subtle as the inability to write to certain sectors, or perhaps slower performance than the manufacturer's declared minimum."
http://en.wikipedia.org/wiki/S.M.A.R.T. -
PowerShell Get Event log and using the message argument and SLOW speed
The problem with Get-EventLog is that it is god awful slow.
Everyone wants you to pipe the results to a Where statement, which makes it 100x slower, especially when there is already a -Message argument there.
Problem is I am having little luck. It is still taking 30 minutes or more and not producing any results, even when looking for a computer I know is there.
Can you confirm the syntax is correct for this? If it is correct, how do I make this usable?
Thanks
$before = (Get-Date).AddMinutes(-30)
$after = (Get-Date).AddMonths(-1)
$before
$after
# single quotes so the trailing $ in the pattern is never treated as a variable
Get-EventLog -LogName Security -ComputerName MSDCSERV02 -Before $before -Newest 2 -Message '*W410South$*'
Lishron
I know you are trying to give me the answer but I guess I am too stupid on this one.
I am working with Google and the help file. Need to learn it better; did not even know about -par
If I type (see below)
If I replace the word User or Computer with the actual name I need to find, I get a big fat error that says I am too stupid.
Get-WinEvent -ComputerName MSDCSERV02 -FilterHashTable @{Logname='Security';Data="Computer"}
# Or
Get-WinEvent -ComputerName MSDCSERV02 -FilterHashTable @{Logname='Security';Data="User"}
# Both work (the Data key matches any EventData value exactly)
Lishron -
Hi All,
I have a nice little PowerShell function that is scrubbing the eventlog for a 'positive' hit under a certain error code for each user in a defined window.
basically we are looking to see if they are still logging into OCS...
Since it takes what seems like an eternity to scan the whole Security log per the 'Get-EventLog' statement and then evaluate if it is $true or not... I would like it to break out as soon as it finds one hit without going all the way back x days unless it has to.
have been trying to use this for testing... with no avail
if (Get-EventLog -LogName Security -ComputerName myOCSserver -After $date -InstanceId 540 -UserName "domain\myuser") {
Write-Host -ForegroundColor Green "UserName found!... Check Passed"
} Else {
Write-Host -ForegroundColor Cyan "UserName not found... delete this account"
}
If I run the command it will start writing each hit to the screen... I just need it to stop scanning if it finds one, but I am not sure how to break out and then do an action since it is $true... (or $false) :)
Thanks in advance!!!
I'm not sure I'm understanding this correctly, but I'm assuming you only care if one shows up in there at all. If so, this might speed things up, depending on where in the log the first entry is.
Get-EventLog -LogName Security -ComputerName myOCSserver -After $date -InstanceId 540 -UserName "domain\myuser" | Select-Object -First 1
-
Hi, Scripting guru!
I try to execute command:
Get-EventLog -LogName Security -Newest 5
And get error:
Get-EventLog : Log "Security" could not be read to completion due to the following error.
This may have occurred because the log was cleared while still being read.
Index nnnnnnn is out of bounds.
Security log is ok, there is a lot of events, I launch Powershell with RunAsAdministrator
rights, but still get that error.
Can someone help me with that error?
What version of PowerShell and OS are you running this on and against? How quickly do your logs roll over? I know Security logs have a tendency to fill up fast if you are auditing a lot of things and the max size is low.
I think you are right about the problem being in the Security log itself. It was larger than it can be, and at the bottom of the log I saw some "Deleted events". When I cleaned the log, the cmdlet Get-EventLog worked fine!
So I still have one question: why does that bloated Security log open fine with the MMC Event Viewer console but give an error with the PoSH cmdlet?
Not a scripting question.
Post in the OS forum for your OS for information on how to manage event logs. They can also help you to diagnose your system and files system which may have issues.
¯\_(ツ)_/¯ -
I'm trying to read the last 7 days of relevant Security log entries on one of my DCs and I'm getting the following error. Is there a way to accommodate all the data that's being returned? I don't explicitly declare $eventlog as a particular variable type.
Clear-Variable -name eventlog
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (eventlog:String) [Clear-Variable], ItemNotFoundException
+ FullyQualifiedErrorId : VariableNotFound,Microsoft.PowerShell.Commands.ClearVariableCommand
Get-EventLog : Log "Security" could not be read to completion due to the following error. This may have occurred because the log was cleared while still being read. Index 81445 is out of
bounds.
At D:\tsg\Documentation\Powershell Repository\adaudit.ps1:163 char:13
+ $eventlog = Get-EventLog -LogName ‘Security’ -ComputerName $domaincontroller -In ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ReadError: (:) [Get-EventLog], ArgumentException
+ FullyQualifiedErrorId : LogReadError,Microsoft.PowerShell.Commands.GetEventLogCommand
Get-EventLog : No matches found
At D:\tsg\Documentation\Powershell Repository\adaudit.ps1:163 char:13
+ $eventlog = Get-EventLog -LogName ‘Security’ -ComputerName $domaincontroller -In ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (:) [Get-EventLog], ArgumentException
+ FullyQualifiedErrorId : GetEventLogNoEntriesFound,Microsoft.PowerShell.Commands.GetEventLogCommand
...and here's a snippet of the relevant code:
foreach ($domaincontroller in $domaincontrollers){
    # SilentlyContinue: the variable does not exist yet on the first pass
    Clear-Variable -name eventlog -ErrorAction SilentlyContinue
    #517,624,626,630,632,633,634,636,637,642,644,660,661,671
    $eventlog = Get-EventLog -LogName 'Security' -ComputerName $domaincontroller -InstanceId 1102,4720,4722,4726,4728,4729,4730,4732,4733,4738,4740,4756,4757,4767 -After ((Get-Date).AddDays(-7)) | select TimeGenerated,InstanceID,Message
    # ---- Members added to Domain Local Groups ----
    $MyReport += Get-CustomHeader "1" "Members added to Domain Local Groups on domain controller $domaincontroller"
    $MyReport += Get-HTMLTable ($eventlog | Where-Object {$_.InstanceID -eq 4732} | select TimeGenerated,Message)
    $MyReport += Get-CustomHeaderClose
}
$MyReport += Get-CustomHeader0Close
$MyReport += Get-CustomHTMLClose
Thanks in advance,
Greg
I ended up rewriting the Get-EventLog line and used the Get-WinEvent statement with a hashtable filter instead. The processing time went from 647 seconds to 4 seconds against 1 DC with the new code. Additionally, the error about the index bounds disappeared:
$days = (Get-Date).AddDays(-7)
foreach ($domaincontroller in $domaincontrollers) {
    $eventlog = Get-WinEvent -ComputerName $domaincontroller -FilterHashtable @{
        Logname   = 'Security';
        ID        = @(1102,4720,4722,4726,4728,4729,4730,4732,4733,4738,4740,4756,4757,4767);
        StartTime = $days
    } | select TimeCreated,ID,Message
    #do formatting stuff here
}
-
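The following is an added example, not code from any poster in the threads above. It takes the Get-WinEvent -FilterHashtable approach from the DC audit reply and applies it to the three earlier questions as well: the first post (export a target machine's events to CSV), the slow Get-EventLog thread (filter on the server, not in Where-Object), and the OCS thread (stop at the first hit with -MaxEvents 1). The hostnames, output path, lookback window, user name and the event-ID meanings in the comments are assumptions for illustration; the event IDs themselves are the ones Greg's script searches for.

```powershell
<#
Added example, not from the original posts. Assumptions: hostnames DC01/DC02,
output path C:\Audit\SecurityEvents.csv, a 7-day window, and that the account
running it is in Event Log Readers (or an admin) on the target hosts.
#>

# Event IDs the DC audit reply searched for, with their meaning:
# 1102 audit log cleared; 4720/4722/4726 user created/enabled/deleted;
# 4728/4732/4756 member added to global/local/universal group;
# 4729/4733/4757 member removed; 4730 global group deleted;
# 4738 user account changed; 4740 lockout; 4767 account unlocked.
$AuditIds = 1102,4720,4722,4726,4728,4729,4730,4732,4733,4738,4740,4756,4757,4767

function ConvertTo-AuditRecord {
    # Flatten one Security event into a row. Named EventData fields are read
    # from the event XML, which is stable across event IDs, unlike the
    # positional .Properties array or a regex over .Message.
    param(
        [Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Source
    )
    [xml]$x = $Event.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }
    [pscustomobject]@{
        TimeCreated  = $Event.TimeCreated
        Computer     = $Source
        Id           = $Event.Id
        Subject      = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        TargetUser   = $data['TargetUserName']
        TargetDomain = $data['TargetDomainName']
        MemberName   = $data['MemberName']          # group membership events only
        Summary      = ($Event.Message -split "`r?`n")[0]
    }
}

function Export-SecurityAudit {
    # Server-side filter on log, IDs and time window; one query per host.
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int[]]$Id = $AuditIds,
        [int]$Days = 7,
        [Parameter(Mandatory)][string]$OutFile
    )
    $filter = @{ LogName = 'Security'; Id = $Id; StartTime = (Get-Date).AddDays(-$Days) }
    $rows = foreach ($dc in $ComputerName) {
        try {
            # -ErrorAction Stop makes "No events were found" catchable instead of
            # a red non-terminating error that leaves $events empty and unexplained.
            $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
            foreach ($e in $events) { ConvertTo-AuditRecord -Event $e -Source $dc }
        }
        catch {
            if ($_.Exception.Message -like 'No events were found*') {
                Write-Verbose "$dc : no matching events in the last $Days days"
            } else {
                # RPC/firewall, access denied (needs Event Log Readers or admin), etc.
                Write-Warning "$dc : $($_.Exception.Message)"
            }
        }
    }
    $rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
    # Per-ID counts as a quick sanity check of what was exported
    $rows | Group-Object Id | Select-Object Name, Count | Sort-Object Name
}

function Test-RecentLogon {
    # The OCS question: has this account logged on since $Since? -MaxEvents 1
    # stops the query at the first hit; Data= matches any EventData value exactly.
    # 4624 is the logon event on Windows 2008+; the thread's 540 is the 2003-era ID.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$UserName,
        [datetime]$Since = (Get-Date).AddDays(-30),
        [int]$LogonEventId = 4624
    )
    $hit = Get-WinEvent -ComputerName $ComputerName -MaxEvents 1 -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = $LogonEventId; StartTime = $Since; Data = $UserName
    }
    return [bool]$hit
}

# Usage (assumed hostnames and paths):
# Export-SecurityAudit -ComputerName 'DC01','DC02' -OutFile 'C:\Audit\SecurityEvents.csv' -Verbose
# Test-RecentLogon -ComputerName 'DC01' -UserName 'myuser'
```

Two caveats from the threads above carry over. Remote Get-WinEvent goes over RPC, so the "Remote Event Log Management" firewall rules must be enabled on the target and the caller needs Event Log Readers membership or local admin there. And reading the Security log through the FilterHashtable path does not hit the "Index ... is out of bounds" failure Greg saw with Get-EventLog, which is why his rewrite both sped up and stopped erroring.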
How to get SSO userid to URL-based app?
I'm developing a web-app using Struts that will be accessed by Portal (I guess as a URL-based app). The web-app will not require login. The web-app will not be Portal "aware", except that it requires the SSO userid for auditing/logging purposes.
I know little about Portal and SSO. How can Portal be configured to send the Portal userid of the logged-in Portal user? Can it send it as a parameter in a GET or POST?
The version of Portal will be 9.0.2 (or greater).
This topic is answered in the PDK forum here:
How to get SSO userid to URL-based app? -
How to get the most current file based on date and time stamp using SSIS?
Hello,
Let us assume that files get copied in a specific directory. We need to pick up a file and load data. Can you guys let me know how to get the most current file based on date and time stamp using SSIS?
Thanks
thx regards dinesh vv
hi simon
i excuted this script it is giving error..
// Microsoft SQL Server Integration Services Script Task
// Write scripts using Microsoft Visual C# 2008.
// The ScriptMain is the entry point class of the script.
using System;
using System.Data;
using Microsoft.SqlServer.Dts.Runtime;
using System.Windows.Forms;

namespace ST_9a6d985a04b249c2addd766b58fee890.csproj
{
    [System.AddIn.AddIn("ScriptMain", Version = "1.0", Publisher = "", Description = "")]
    public partial class ScriptMain : Microsoft.SqlServer.Dts.Tasks.ScriptTask.VSTARTScriptObjectModelBase
    {
        #region VSTA generated code
        enum ScriptResults
        {
            Success = Microsoft.SqlServer.Dts.Runtime.DTSExecResult.Success,
            Failure = Microsoft.SqlServer.Dts.Runtime.DTSExecResult.Failure
        };
        #endregion

        // The execution engine calls this method when the task executes.
        // To access the object model, use the Dts property. Connections, variables, events,
        // and logging features are available as members of the Dts property as shown in the following examples.
        // To reference a variable, call Dts.Variables["MyCaseSensitiveVariableName"].Value;
        // To post a log entry, call Dts.Log("This is my log text", 999, null);
        // To fire an event, call Dts.Events.FireInformation(99, "test", "hit the help message", "", 0, true);
        // To use the connections collection use something like the following:
        // ConnectionManager cm = Dts.Connections.Add("OLEDB");
        // cm.ConnectionString = "Data Source=localhost;Initial Catalog=AdventureWorks;Provider=SQLNCLI10;Integrated Security=SSPI;Auto Translate=False;";
        // Before returning from this method, set the value of Dts.TaskResult to indicate success or failure.
        // To open Help, press F1.
        public void Main()
        {
            // Folder to scan comes from the package variable User::FolderName
            string folder = Dts.Variables["User::FolderName"].Value.ToString();
            string[] files = System.IO.Directory.GetFiles(folder);
            System.IO.FileInfo finf;
            DateTime currentDate = new DateTime();   // DateTime.MinValue, so the first file always qualifies
            string lastFile = string.Empty;

            // Keep the file with the most recent creation time
            foreach (string f in files)
            {
                finf = new System.IO.FileInfo(f);
                if (finf.CreationTime >= currentDate)
                {
                    currentDate = finf.CreationTime;
                    lastFile = f;
                }
            }

            // Hand the winner back to the package in User::LastFile
            Dts.Variables["User::LastFile"].Value = lastFile;
            Dts.TaskResult = (int)ScriptResults.Success;
        }
    }
}
thx regards dinesh vv -
Get data in a subreport based on a shared variable from the main report.
Goodd morning,
My question/problem is how to manage this scenario.
I am transfering 2 shared variables (pereiod from /period To, ) from the main report to a subreport and now i would like to get data in this subreport based on these 2 variables...
The problem is that i can not find the shared one in select expert icon...
Could anyone point me to solve this issue?
Thks for any help.
Jose Marin
Crystal Report XI SR3
Hello Jose,
I recommend to post this query to the [Crystal Reports Design|SAP Crystal Reports; forum.
This forum is dedicated to topics related to the creation and design of Crystal Report documents. This includes topics such as database connectivity, parameters and parameter prompting, report formulas, record selection formulas, charting, sorting, grouping, totaling, printing, and exporting but also installation and registering.
It is monitored by qualified technicians and you will get a faster response there.
Also, all Crystal Reports Design queries remain in one place and thus can be easily searched in one place.
Best regards,
Falk -
Implement log based change data capture
Hi,
I am trying to get log based change data capture to work . My ODI version is 11.1.1.5. I guess for log based there are 2 ways:
1) use streams
2) use log miner tool
My database is Oracle 11g Express Edition. Streams, I know, is possible only in the Enterprise Edition of Oracle. So can anyone tell me how to implement log based CDC then, since the LogMiner tool is not preferred to be used in 11g?
Hi,
Thanks for ur reply...
I received an error while creating the change table ..
ORA-29540: class oracle/CDC/PublishApi does not exist
ORA-06512: at "SYS.DBMS_CDC_PUBLISH", line 298
Can you please help me to fix this?
by,
Nagaa -
Clone from standby ended in ARC: Cannot archive online log based on backup
Hi
I'm in a scenario where my prod DB is in one data center and the standby is in another data center.
Both are geographically separated. I have to get a copy of prod on the standby data center side.
Sending data over the network takes a long time, either with duplicate DB from active DB or taking a backup, copying it over to the standby side and restoring it.
So I thought of duplicating the DB from the standby DB, which is in the same data center, using the 11g RMAN duplicate from active standby command.
I have simulated scenario which is as below
oracle version 11.2.0.1
os version REHL 5.4
My procedure & parameter are as below.
on standby side from where i m copying (TARGET)
1) on standby
alter database recover managed standby db cancel;
2)alter database convert to snapshot standby;
which gave me
/u01/data/DGSTD/archive/1_152_750425930.dbf
/u01/data/DGSTD/archive/1_153_750425930.dbf
*/u01/data/DGSTD/archive/1_1_752604441.dbf*
*/u01/data/DGSTD/archive/1_2_752604441.dbf*
3) alter database open;
4) alter system switch logfile;
now from rman
RMAN> connect target sys/system@DGSTD
connect auxiliary sys/system@GGR
connected to target database: DGPRM (DBID=578436102)
RMAN>
connected to auxiliary database: NOTREAL (not mounted)
RMAN>
run{
allocate channel prmy1 type disk;
allocate channel prmy2 type disk;
allocate channel prmy3 type disk;
allocate channel prmy4 type disk;
allocate channel prmy5 type disk;
allocate auxiliary channel stby1 type disk;
duplicate target database to ggr from active database
spfile
parameter_value_convert='DGSTD','GGR','/u01/data/DGSTD/','/u01/data/ggr/'
set db_file_name_convert='/u01/oradata/DGSTD/','/u01/data/ggr/'
set log_file_name_convert='/u01/oradata/DGSTD/','/u01/data/ggr/'
set 'db_unique_name'='ggr'
set 'audit_file_dest'='/u00/app/oracle/admin/ggr/adump'
set 'sga_max_size'='140m'
set 'pga_aggregate_target'='28940697'
nofilenamecheck;
}
and when output of rman reaches up below
Starting backup at 31-MAY-11
channel prmy1: starting datafile copy
input datafile file number=00001 name=/u01/data/DGSTD/datafile/system01.dbf
channel prmy2: starting datafile copy
input datafile file number=00002 name=/u01/data/DGSTD/datafile/sysaux01.dbf
in alert log of clone db it gives massive error saying
ARC3: Cannot archive online log based on backup controlfile
ARC2: Cannot archive online log based on backup controlfile
ARC3: Cannot archive online log based on backup controlfile
ARC2: Cannot archive online log based on backup controlfile
and it fill up whole fs. and finally duplicate command throws error.
not sure what i m missing of inside duplicate command or is it valid to duplicate database from snapshot standby.
can somebody light on it please
Edited by: user12281508 on Jun 1, 2011 10:26 AM
Edited by: user12281508 on Jun 1, 2011 10:28 AM
duplicate target database to ggr from active database
spfile
parameter_value_convert='DGSTD','GGR','/u01/data/DGSTD/','/u01/data/ggr/'
set db_file_name_convert='/u01/oradata/DGSTD/','/u01/data/ggr/'
set log_file_name_convert='/u01/oradata/DGSTD/','/u01/data/ggr/'
set 'db_unique_name'='ggr'
set 'audit_file_dest'='/u00/app/oracle/admin/ggr/adump'
set 'sga_max_size'='140m'
set 'pga_aggregate_target'='28940697'
nofilenamecheck;
}
I think you should use the standby clause as
DUPLICATE TARGET DATABASE TO dup1 FOR STANDBY FROM ACTIVE DATABASE; -
Hello Forum
Downstreamserver on 2008 R2 with WSUS 3.0 SP2.
Windows WID DB
Now I will export my DB to a Replica Server with wsusutil.exe export export.cab export.log; after some minutes
the process broke off with an error. In the export.log file (30MB) I found:
"RevisionNumber="200" Title="Office 2013 Farm Servers"><Files /></Update><ExportError Message="Error in Application." /></ExportLog>"
I have no clue, i hope someone can help!
Greets
Sven
Actually my task is to bring the WSUS content from the Downstream server to the Replica,
because the content is 100GB big. What is the best way to do this?
Well.. the BEST way to do this is first do maintenance on the source server so that you don't have 100GB of files.
Second, if the server you're wanting to import to is a DISCONNECTED server, then you can use this process, but if it is a REPLICA server that is assigned to an upstream server and has a network connection, then you cannot.
This has to do with the difference between a REPLICA server and an AUTONOMOUS server. The procedure for Disconnected Networks (which involves the use of the wsusutil export and wsusutil import tools), requires that both servers are AUTONOMOUS servers. Ergo,
you cannot 'import' into a REPLICA server. A replica server must get target groups and approvals from the upstream server; a wsusutil export does not export target groups and approvals, and you cannot approve updates on a REPLICA server.
Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
SolarWinds Head Geek
Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
http://www.solarwinds.com/gotmicrosoft
The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds. -
VB Scripting to monitor application event log based on specific words.
Hi All,
I have written a VBScript to monitor the application event log based on a specific word in the message. When I included the same script in a monitor, after running this script at a specific time once a day, I am getting a runtime error on the server where it
is supposed to run. Could you please check the command I have highlighted in the script below?
Dim VarSize
Dim objMOMAPI
Dim objBag
Dim objFSO, objWMIService, colLoggedEvents, objEvent, dtmStartDate, strComputer, X

' MOM.ScriptAPI property bag type for state monitors (assumed value: 3 = StateData)
Const StateDataType = 3
Const CONVERT_TO_LOCAL_TIME = True

Set objMOMAPI = CreateObject("MOM.ScriptAPI")
Set objBag = objMOMAPI.CreateTypedPropertyBag(StateDataType)
Set objFSO = CreateObject("Scripting.FileSystemObject")

' Start of the window: 24 hours (1440 minutes) ago, in WMI datetime format
Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
dtmStartDate.SetVarDate DateAdd("n", -1440, Now), CONVERT_TO_LOCAL_TIME

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

' Only Application-log events with EventCode 100 written inside the window
Set colLoggedEvents = objWMIService.ExecQuery _
    ("SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Application' AND " _
    & "EventCode = 100 AND TimeWritten >= '" & dtmStartDate & "'")

X = "Failure"
For Each objEvent In colLoggedEvents
    ' The original read .Message from the collection instead of the current event
    ' (the runtime error), and lower-cased only one side so the match could never succeed.
    If InStr(LCase(objEvent.Message), LCase("Message :Application A3 has been successfully processed for today")) > 0 Then
        X = "Success"
        Exit For
    End If
Next

If X = "Success" Then
    Call objBag.AddValue("State", "GOOD")
Else
    Call objBag.AddValue("State", "BAD")
End If
Call objMOMAPI.Return(objBag)
WScript.Quit()
By programming standards, since as long as I can remember, the use of the value of a variable to detect its Boolean state has been used.
Cast your mind back to strongly typed languages, e.g. Pascal.
I'll cast back to the very early days of the "C" language where all variables could be treated as "bool" without a cast. There is no more strongly typed language than "C". "C" practically invented the standards for all modern languages.
When I was writing machine language we also used zero as false but many machines only tested the high bit for truthiness. The HP machines and Intel allowed a test to aggregate to the sign bit. Adding that flag to the test allowed true for
a numeric value that was non-zero. A bool test was also used for a negative switch. If you study micro language implementation you will find that this hardware design and the companion compiler design is ... well... by design. It is a
way of improving the completeness and usefulness of an instruction set.
Other languages may require further decoration due to some mistaken desire to be better than perfect. That is like trying to change number theory by renaming addition to be "gunking" and forcing everyone to use multiplication when adding the same number
more than once. A Boolean test is a test of the flag bit with or without aggregation. Even if we test a bit in a word we still mask and aggregate. It is always the most primitive operation. It is also the most useful
operation when you finally realize that it is like an identity in math.
Use the language features that are designed in. They can help to make code much more flexible and logical.
By the way, Pascal also treats everything as Boolean when asked to.
¯\_(ツ)_/¯ -
Export log file send through email
Hi,
Basically i send the export log file from the database to my inbox(outlook express). Please let me know how can i send the log from the oracle 9i rel 2 database.
Thanks
Noman Nishat
I didn't get your point. Can you send me the steps for this? I am using Windows 2000 Advanced Server. The export parameters are
USERID=username/password@service
FILE=c:\Export_live\live.dmp
ROWS=Y
OWNER=live
INDEXES=Y
LOG=c:\Export_Log\live.log
Now the log file is generated on the C drive. I need to send this log file to my inbox (Outlook Express), i.e. [email protected]
I hope that now you better understand what I want.
PowerShell - Get-MessageTrackingReport how to specify start and end time of current process
could you please help me? I need to specify start and end time of current process with Get-MessageTrackingReport command. I know you
can do it with Get-MessageTrackingLog:
$start = (Get-Date).Addhours(-1)
$end = (Get-Date)
Get-MessageTrackingLog -EventId Receive -Start $start -End $end
But for my purposes I really need to do it with Get-MessageTrackingReport command, so how can I do it?
Thanks in advance!
That's not the context you would use
Get-MessageTrackingReport in,
Get-MessageTrackingReport is used to get extra information on messages that you have found in the MessageTracking log using Search-MessageTrackingReport . That's why the most common example you see will look like
$Temp = Search-MessageTrackingReport -Identity "David Jones" -Recipients "[email protected]"
Get-MessageTrackingReport -Identity $Temp.MessageTrackingReportID -ReportTemplate Summary
The most important parameter for that cmdlet, and the reason it won't work the way you're trying to use it, is
Identity: "The Identity parameter specifies the ID of the message tracking report to retrieve. You should run the Search-MessageTrackingReport cmdlet
to find the message tracking report ID for the specific message you're tracking, and then pass the value of the MessageTrackingReportID field
to this parameter." See http://technet.microsoft.com/en-us/library/dd351082%28v=exchg.150%29.aspx
It's more appropriate to use Get-MessageTrackingLog when you want to search the log based on time or use
Search-MessageTrackingReport and then limit the results this returns before you pass the MessageTrackingReportId to get-MessageTrackingReport
Cheers
Glen
Maybe you are looking for
-
Report to check new materials assigned to a particular plant
Hi, Can you please help me with this issue. I want to know about any report or transaction which can give me the list of the materials which are assigned to a particular plant for a given period of time. i.e. I like to know whenever any new material
-
I have a problem with a while loop in this code and it is really holding me up doing my degree. I can see nothing wrong with it but perhaps someone here can help. I would be really greatful if someone could. I have commented the line where the while
-
How to expose an ERP function as an enterprise service
Hi there I am searching for an enterprise service which can create a contract account for a business partner (in the FA/CA area). It seems no such a service operation is availalbe after exhaustive search in the ESWorkplace and ESR. (Please correct me
-
Need file to JMS with complete screen shots....!!!!
hi all plzzzz post me file to JMS with complete screen shots...i have tried for the same in the forums but i didnt got with exact screen shots...!!! thnx in advance to all
-
Choppy Music playback with other programs running
Have a question on Itunes 7 playback. I frequently play games (mainly WOW) with the sound on, but at a low level. I then run Itunes in the background at a high volume level so I can listen to music. My computer is high end and I never had any problem