PS script to save event logs

 
Hi,
I want to create a PS script which will pick the server names from a text file and save the event logs of all the servers, one by one, with the server name, in a shared folder on the network.
For this I tried to create the code below, but was not successful. I know there are some silly mistakes in this code which I'm not able to identify.
Please help me because I'm new to scripting and have very little knowledge about this.
==================
$Computer_Name = Get-Content \\sharepath\name.txt
$logfile = ForEach ($Computer_Name)
Get-WmiObject -Class win32_NTEventlogFile  -Filter "logFileName='Application'"
$logfile.ClearEventlog('Sharepath\%computername%_Application_Logs.evt')
========================

Thanks !!!
The share path is working fine.
If I run the below script, it saves the log files of the local computer to the shared drive with the computer name.
==============
$logfile = Get-WmiObject -Class win32_NTEventlogFile  -Filter "logFileName='Application'"
$logfile.ClearEventlog('\\sharepath\%computername%_Application_Logs.evt')
================
Now, I want to create a script which will pick the server names from a text file and save the logs to a shared folder with the respective computer name.
Also, is there any way to SAVE AS the log files rather than clearing the logs?
You can export the logs using Get-EventLog and Export-Csv. Get-EventLog can specify a filter of -after and -before to set a date range.
Help get-eventlog -full
You can specify an array or file of computer names on the commandline. You can specify credentials on the commandline.
You can also save eventlogs in their entirety but that is not a good practice as it produces too much overlap.
I suggest that weekly extractions can be managed on an overnight basis. Monthly extracts are likely to take too much time.
LogParser is much better at extracting Eventlogs in many formats.
Logs should be set to roll over on a size basis. I use 32 and 64 megabytes on basic systems and much larger on busier systems. I like to have a year online if possible.
¯\_(ツ)_/¯
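
An added example (not code from the thread) that combines the two approaches discussed above: a date-ranged Get-EventLog / Export-Csv extract per server, plus an optional whole-log save with BackupEventlog, which archives the log without clearing it. The function name, its parameters, the C:\Windows\Temp staging folder, the .evtx extension and the manifest file name are assumptions; the backup is staged on the server and copied over its admin share because a remote WMI call normally cannot write to a second network share with the caller's credentials.

```powershell
# Added example for Windows PowerShell 5.1 (Get-WmiObject is not available in PowerShell 7).
# Function name, parameters, staging folder and file names are assumptions, not from the thread.
function Export-ServerEventLog {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ServerListPath,   # text file, one server name per line
        [Parameter(Mandatory)] [string] $Destination,      # folder or share the caller can write to
        [ValidatePattern('^[A-Za-z0-9 _-]+$')]
        [string]   $LogName = 'Application',
        [datetime] $After   = (Get-Date).Date.AddDays(-7), # weekly extract by default
        [datetime] $Before  = (Get-Date).Date,
        [switch]   $FullBackup                             # also save the whole log, without clearing it
    )

    $servers = Get-Content -Path $ServerListPath |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ }

    foreach ($server in $servers) {
        # The name becomes part of a file path, so accept plain host names only.
        if ($server -notmatch '^[A-Za-z0-9][A-Za-z0-9.-]*$') {
            Write-Warning "Skipping invalid server name '$server'"
            continue
        }

        $base    = '{0}_{1}_{2:yyyyMMdd}-{3:yyyyMMdd}' -f $server, $LogName, $After, $Before
        $written = @()
        try {
            # 1) Date-ranged extract to CSV.
            $csv = Join-Path $Destination "$base.csv"
            Get-EventLog -LogName $LogName -ComputerName $server -After $After -Before $Before -ErrorAction Stop |
                Select-Object MachineName, TimeGenerated, EntryType, Source, EventID, UserName, Message |
                Export-Csv -Path $csv -NoTypeInformation -Encoding UTF8
            $written += $csv

            # 2) Optional "save as": BackupEventlog archives the log and leaves it intact,
            #    unlike ClearEventlog, which archives and then empties it.
            if ($FullBackup) {
                $log = Get-WmiObject -Class Win32_NTEventlogFile -ComputerName $server `
                    -Filter "LogFileName='$LogName'" -EnableAllPrivileges -ErrorAction Stop
                $name = "$base.evtx"                       # use .evt on pre-Vista systems
                $rc   = $log.BackupEventlog("C:\Windows\Temp\$name").ReturnValue
                if ($rc -ne 0) { throw "BackupEventlog returned $rc" }

                $staged = "\\$server\C`$\Windows\Temp\$name"
                Copy-Item -Path $staged -Destination $Destination -ErrorAction Stop
                Remove-Item -Path $staged -ErrorAction SilentlyContinue
                $written += Join-Path $Destination $name
            }

            # 3) Record a SHA-256 per file so later tampering with the archive is detectable.
            foreach ($file in $written) {
                if (Test-Path -LiteralPath $file) {
                    Get-FileHash -LiteralPath $file -Algorithm SHA256 |
                        Select-Object Hash, Path |
                        Export-Csv -Path (Join-Path $Destination 'manifest.csv') -NoTypeInformation -Append
                }
            }
        } catch {
            # One unreachable server must not stop the run.
            Write-Warning "${server}: $($_.Exception.Message)"
        }
    }
}

# Example call, using the share and list file named in the question:
# Export-ServerEventLog -ServerListPath \\sharepath\name.txt -Destination \\sharepath -FullBackup
```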

Similar Messages

  • "Error while attempting to save event log" On VPN3000

    My VPN have started to e-mail the following problem.
    54438 03/29/2008 14:55:06.660 SEV=2 EVENT/14 RPT=288
    Error while attempting to save event log (operation: fopen, code:
    Anybody have any ideas? I have tried to reboot but that did not fix anything.
    When I try to click on "Save Needed", I get the following error "Unable to Save
    File Write Error".
    I can see that my event log is getting updated with other stuff like "IKEDBG/79" - "Phase 1 failure against global IKE proposal".

    Try re-naming the existing files, and then do the save. I had a similar problem, and I think it was a corrupt file that the system could not overwrite, but could rename. Then you can delete the old one.

  • Script to Export Pervious Day Events Logs to CSV

    Hi,
    I am trying to export all the previous day's application event logs to a CSV file. I found the following script on the net. But for this script to work I need to enter the Event IDs I want to export. Does anyone have any idea how I can change this script
    to export all event IDs, or have another script that can?
    'Description : This script queries the event log for...whatever you want it to! Just set the event 'log name and event ID's!
    'Initialization  Section
    Option Explicit
    Const ForReading   = 1
    Const ForWriting   = 2
    Const ForAppending = 8
    Dim objDictionary, objFSO, wshShell, wshNetwork
    Dim scriptBaseName, scriptPath, scriptLogPath
    Dim ipAddress, macAddress, item, messageType, message
    On Error Resume Next
       Set objDictionary = NewDictionary
       Set objFSO        = CreateObject("Scripting.FileSystemObject")
       Set wshShell      = CreateObject("Wscript.Shell")
       Set wshNetwork    = CreateObject("Wscript.Network")
       scriptBaseName    = objFSO.GetBaseName(Wscript.ScriptFullName)
       scriptPath        = objFSO.GetFile(Wscript.ScriptFullName).ParentFolder.Path
       scriptLogPath     = scriptPath & "\" & IsoDateString(Now)
       If Err.Number <> 0 Then
          Wscript.Quit
       End If
    On Error Goto 0
    'Main Processing Section
    On Error Resume Next
       PromptScriptStart
       ProcessScript
       If Err.Number <> 0 Then
          MsgBox BuildError("Processing Script"), vbCritical, scriptBaseName
          Wscript.Quit
       End If
       PromptScriptEnd
    On Error Goto 0
    'Functions Processing Section
    'Name       : ProcessScript -> Primary Function that controls all other script processing.
    'Parameters : None          ->
    'Return     : None          ->
    Function ProcessScript
       Dim hostName, logName, startDateTime, endDateTime
       Dim events, eventNumbers, i
       hostName      = wshNetwork.ComputerName
       logName       = "application"
       eventNumbers  = Array("1001","1")
       startDateTime = DateAdd("n", -21600, Now)
       'Query the event log for the eventID's within the specified event log name and date range.
       If Not QueryEventLog(events, hostName, logName, eventNumbers, startDateTime) Then
          Exit Function
       End If
       'Log the scripts results to the scripts
       For i = 0 To UBound(events)
          LogMessage events(i)
       Next
    End Function
    'Name       : QueryEventLog -> Primary Function that controls all other script processing.
    'Parameters : results       -> Input/Output : Variable assigned to an array of results from querying the event log.
    '           : hostName      -> String containing the hostName of the system to query the event log on.
    '           : logName       -> String containing the name of the Event Log to query on the system.
    '           : eventNumbers  -> Array containing the EventID's (eventCode) to search for within the event log.
    '           : startDateTime -> Date\Time containing the date to finish searching at.
    '           : minutes       -> Integer containing the number of minutes to subtract from the startDate to begin the search.
    'Return     : QueryEventLog -> Returns True if the event log was successfully queried otherwise returns False.
    Function QueryEventLog(results, hostName, logName, eventNumbers, startDateTime)
       Dim wmiDateTime, wmi, query, eventItems, eventItem
       Dim timeWritten, eventDate, eventTime, description
       Dim eventsDict, eventInfo, errorCount, i
       QueryEventLog = False
       errorCount    = 0
       If Not IsArray(eventNumbers) Then
          eventNumbers = Array(eventNumbers)
       End If
       'Construct part of the WMI Query to account for searching multiple eventID's
       query = "Select * from Win32_NTLogEvent Where Logfile = " & SQ(logName) & " And (EventCode = "
       For i = 0 To UBound(eventNumbers)
          query = query & SQ(eventNumbers(i)) & " Or EventCode = "
       Next
       On Error Resume Next
          Set eventsDict = NewDictionary
          If Err.Number <> 0 Then
             LogError "Creating Dictionary Object"
             Exit Function
          End If
          Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" & hostName & "\root\cimv2")
          If Err.Number <> 0 Then
             LogError "Creating WMI Object to connect to " & DQ(hostName)
             Exit Function
          End If
          'Create the "SWbemDateTime" Object for converting WMI Date formats. Supported in Windows Server 2003 & Windows XP.
          Set wmiDateTime = CreateObject("WbemScripting.SWbemDateTime")
          If Err.Number <> 0 Then
             LogError "Creating " & DQ("WbemScripting.SWbemDateTime") & " object"
             Exit Function
          End If
          'Build the WQL query and execute it.
          wmiDateTime.SetVarDate startDateTime, True
          query          = Left(query, InStrRev(query, "'")) & ") And (TimeWritten >= " & SQ(wmiDateTime.Value) & ")"
          Set eventItems = wmi.ExecQuery(query)
          If Err.Number <> 0 Then
             LogError "Executing WMI Query " & DQ(query)
             Exit Function
          End If
          'Convert the property values of each event found to a comma separated string and add it to the dictionary.
          For Each eventItem In eventItems
             Do
                timeWritten = ""
                eventDate   = ""
                eventTime   = ""
                eventInfo   = ""
                timeWritten = ConvertWMIDateTime(eventItem.TimeWritten)
                eventDate   = FormatDateTime(timeWritten, vbShortDate)
                eventTime   = FormatDateTime(timeWritten, vbLongTime)
                eventInfo   = eventDate                          & ","
                eventInfo   = eventInfo & eventTime              & ","
                eventInfo   = eventInfo & eventItem.SourceName   & ","
                eventInfo   = eventInfo & eventItem.Type         & ","
                eventInfo   = eventInfo & eventItem.Category     & ","
                eventInfo   = eventInfo & eventItem.EventCode    & ","
                eventInfo   = eventInfo & eventItem.User         & ","
                eventInfo   = eventInfo & eventItem.ComputerName & ","
                description = eventItem.Message
                'Ensure the event description is not blank.
                If IsNull(description) Then
                   description = "The event description cannot be found."
                End If
                description = Replace(description, vbCrLf, " ")
                eventInfo   = eventInfo & description
                'Check if any errors occurred enumerating the event Information
                If Err.Number <> 0 Then
                   LogError "Enumerating Event Properties from the " & DQ(logName) & " event log on " & DQ(hostName)
                   errorCount = errorCount + 1
                   Err.Clear
                   Exit Do
                End If
                'Remove all Tabs and spaces.
                eventInfo = Trim(Replace(eventInfo, vbTab, " "))
                Do While InStr(1, eventInfo, "  ", vbTextCompare) <> 0
                   eventInfo = Replace(eventInfo, "  ", " ")
                Loop
                'Add the Event Information to the Dictionary object if it doesn't exist.
                If Not eventsDict.Exists(eventInfo) Then
                   eventsDict(eventsDict.Count) = eventInfo
                End If
             Loop Until True
          Next
       On Error Goto 0
       If errorCount <> 0 Then
          Exit Function
       End If
       results       = eventsDict.Items
       QueryEventLog = True
    End Function
    'Name       : ConvertWMIDateTime -> Converts a WMI Date Time String into a String that can be formatted as a valid Date Time.
    'Parameters : wmiDateTimeString  -> String containing a WMI Date Time String.
    'Return     : ConvertWMIDateTime -> Returns a valid Date Time String otherwise returns a Blank String.
    Function ConvertWMIDateTime(wmiDateTimeString)
       Dim integerValues, i
       'Ensure the wmiDateTimeString contains a "+" or "-" character. If it doesn't it is not a valid WMI date time so exit.
       If InStr(1, wmiDateTimeString, "+", vbTextCompare) = 0 And _
          InStr(1, wmiDateTimeString, "-", vbTextCompare) = 0 Then
          ConvertWMIDateTime = ""
          Exit Function
       End If
       'Replace any "." or "+" or "-" characters in the wmiDateTimeString and check each character is a valid integer.
       integerValues = Replace(Replace(Replace(wmiDateTimeString, ".", ""), "+", ""), "-", "")
       For i = 1 To Len(integerValues)
          If Not IsNumeric(Mid(integerValues, i, 1)) Then
             ConvertWMIDateTime = ""
             Exit Function
          End If
       Next
       'Convert the WMI Date Time string to a String that can be formatted as a valid Date Time value.
       ConvertWMIDateTime = CDate(Mid(wmiDateTimeString, 5, 2)  & "/" & _
                                  Mid(wmiDateTimeString, 7, 2)  & "/" & Left(wmiDateTimeString, 4) & " " & _
                                  Mid(wmiDateTimeString, 9, 2)  & ":" & _
                                  Mid(wmiDateTimeString, 11, 2) & ":" & _
                                  Mid(wmiDateTimeString, 13, 2))
    End Function
    'Name       : NewDictionary -> Creates a new dictionary object.
    'Parameters : None          ->
    'Return     : NewDictionary -> Returns a dictionary object.
    Function NewDictionary
       Dim dict
       Set dict          = CreateObject("scripting.Dictionary")
       dict.CompareMode  = vbTextCompare
       Set NewDictionary = dict
    End Function
    'Name       : SQ          -> Places single quotes around a string
    'Parameters : stringValue -> String containing the value to place single quotes around
    'Return     : SQ          -> Returns a single quoted string
    Function SQ(ByVal stringValue)
       If VarType(stringValue) = vbString Then
          SQ = "'" & stringValue & "'"
       End If
    End Function
    'Name       : DQ          -> Place double quotes around a string and replace double quotes
    '           :             -> within the string with pairs of double quotes.
    'Parameters : stringValue -> String value to be double quoted
    'Return     : DQ          -> Double quoted string.
    Function DQ (ByVal stringValue)
       If stringValue <> "" Then
          DQ = """" & Replace (stringValue, """", """""") & """"
       Else
          DQ = """"""
       End If
    End Function
    'Name       : IsoDateTimeString -> Generate an ISO date and time string from a date/time value.
    'Parameters : dateValue         -> Input date/time value.
    'Return     : IsoDateTimeString -> Date and time parts of the input value in "yyyy-mm-dd hh:mm:ss" format.
    Function IsoDateTimeString(dateValue)
       IsoDateTimeString = IsoDateString (dateValue) & " " & IsoTimeString (dateValue)
    End Function
    'Name       : IsoDateString -> Generate an ISO date string from a date/time value.
    'Parameters : dateValue     -> Input date/time value.
    'Return     : IsoDateString -> Date part of the input value in "yyyy-mm-dd" format.
    Function IsoDateString(dateValue)
       If IsDate(dateValue) Then
          IsoDateString = Right ("000" &  Year (dateValue), 4) & "-" & _
                          Right (  "0" & Month (dateValue), 2) & "-" & _
                          Right (  "0" &   Day (dateValue), 2)
       Else
          IsoDateString = "0000-00-00"
       End If
    End Function
    'Name       : IsoTimeString -> Generate an ISO time string from a date/time value.
    'Parameters : dateValue     -> Input date/time value.
    'Return     : IsoTimeString -> Time part of the input value in "hh:mm:ss" format.
    Function IsoTimeString(dateValue)
       If IsDate(dateValue) Then
          IsoTimeString = Right ("0" &   Hour (dateValue), 2) & ":" & _
                          Right ("0" & Minute (dateValue), 2) & ":" & _
                          Right ("0" & Second (dateValue), 2)
       Else
          IsoTimeString = "00:00:00"
       End If
    End Function
    'Name       : LogMessage -> Writes a message to a log file.
    'Parameters : logPath    -> String containing the full folder path and file name of the Log file without with file extension.
    '           : message    -> String containing the message to include in the log message.
    'Return     : None       ->
    Function LogMessage(message)
       If Not LogToCentralFile(scriptLogPath & ".csv", IsoDateTimeString(Now) & "," & message) Then
          Exit Function
       End If
    End Function
    'Name       : LogError -> Writes an error message to a log file.
    'Parameters : logPath  -> String containing the full folder path and file name of the Log file without with file extension.
    '           : message  -> String containing a description of the event that caused the error to occur.
    'Return     : None       ->
    Function LogError(message)
       If Not LogToCentralFile(scriptLogPath & ".err", IsoDateTimeString(Now) & "," & BuildError(message)) Then
          Exit Function
       End If
    End Function
    'Name      : BuildError -> Builds a string of information relating to the error object.
    'Parameters: message    -> String containing the message that relates to the process that caused the error.
    'Return    : BuildError -> Returns a string relating to error object.  
    Function BuildError(message)
       BuildError = "Error " & Err.Number & " (Hex " & Hex(Err.Number) & ") " & message & ". " & Err.Description
    End Function
    'Name       : LogToCentralFile -> Attempts to Appends information to a central file.
    'Parameters : logSpec          -> Folder path, file name and extension of the central log file to append to.
    '           : message          -> String to include in the central log file
    'Return     : LogToCentralFile -> Returns True if successful otherwise False.
    Function LogToCentralFile(logSpec, message)
       Dim attempts, objLogFile
       LogToCentralFile = False
       'Attempt to append to the central log file up to 10 times, as it may be locked by some other system.
       attempts = 0
       Do
          On Error Resume Next
             Set objLogFile = objFSO.OpenTextFile(logSpec, ForAppending, True)
             If Err.Number = 0 Then
                objLogFile.WriteLine message
                objLogFile.Close
                LogToCentralFile = True
                Exit Function
             End If
          On Error Goto 0
          Randomize
          Wscript.sleep 1000 + Rnd * 100
          attempts = attempts + 1
       Loop Until attempts >= 10
    End Function
    'Name       : PromptScriptStart -> Prompt when script starts.
    'Parameters : None
    'Return     : None
    Function PromptScriptStart
       MsgBox "Now processing the " & DQ(Wscript.ScriptName) & " script.", vbInformation, scriptBaseName
    End Function
    'Name       : PromptScriptEnd -> Prompt when script has completed.
    'Parameters : None
    'Return     : None
    Function PromptScriptEnd
       MsgBox "The " & DQ(Wscript.ScriptName) & " script has completed successfully.", vbInformation, scriptBaseName
    End Function
    Thanks

    Here is a script that will copy the previous day's events and save them to "C:\". The file name will be yesterday's date, e.g. "04-18-2010-Events.csv"
    Const strComputer = "."
    Dim objFSO, objWMIService, colEvents, objEvent, outFile
    Dim dtmStartDate, dtmEndDate, DateToCheck, fileDate
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
    Set dtmEndDate = CreateObject("WbemScripting.SWbemDateTime")
    'change the date form "/" to "-" so it can be used in the file name
    fileDate = Replace(Date - 1,"/","-")
    Set outFile = objFSO.CreateTextFile("C:\" & fileDate & "-Events.csv",True)
    DateToCheck = Date - 1
    dtmEndDate.SetVarDate Date, True
    dtmStartDate.SetVarDate DateToCheck, True
    Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    Set colEvents = objWMIService.ExecQuery _
    ("Select * from Win32_NTLogEvent Where TimeWritten >= '" _
    & dtmStartDate & "' and TimeWritten < '" & dtmEndDate & "'")
    For each objEvent in colEvents
    outFile.WriteLine String(100,"-")
    outFile.WriteLine "Category = " & objEvent.Category
    outFile.WriteLine "ComputerName = " & objEvent.ComputerName
    outFile.WriteLine "EventCode = " & objEvent.EventCode
    outFile.WriteLine "Message = " & objEvent.Message
    outFile.WriteLine "RecordNumber = " & objEvent.RecordNumber
    outFile.WriteLine "SourceName = " & objEvent.SourceName
    outFile.WriteLine "TimeWritten = " & objEvent.TimeWritten
    outFile.WriteLine "Type = " & objEvent.Type
    outFile.WriteLine "User = " & objEvent.User
    outFile.WriteLine String(100,"-")
    Next
    outFile.Close
    MsgBox "Finished!"
    v/r LikeToCode....Mark the best replies as answers.

  • The event logging service encountered an error (res=5) ...

    Hi,
    I have promoted a new server to be a third DC.
    All seems ok, replication, dns, etc are working properly but after the boot in the system event log I see those errors:
    Log Name: System
    Source: Microsoft-Windows-Eventlog
    Date: 25.5.2012 14:32:15
    Event ID: 23
    Task Category: Service startup
    Level: Error
    Keywords: Service availability
    User: LOCAL SERVICE
    Computer: dc3.x.x
    Description:
    The event logging service encountered an error (res=5) while initializing logging resources for channel Microsoft-Windows-API-Tracing/Operational.
    and then for about 40 Microsoft channels:
    The event logging service encountered an error (res=5) while initializing logging resources for channel Microsoft-Windows-AppID/Operational.
    The event logging service encountered an error (res=5) while initializing logging resources for channel Microsoft-Windows-AppLocker/EXE and DLL.
    The event logging service encountered an error (res=5) while initializing logging resources for channel Microsoft-Windows-AppLocker/MSI and Script.
    The event logging service encountered an error (res=5) while initializing logging resources for channel Microsoft-Windows-Audio/CaptureMonitor.
    The event logging service encountered an error (res=5) while initializing logging resources for channel Microsoft-Windows-Security-Configuration-Wizard/Operational.
    etc...
    There is no error event before those event id 23
    Any idea?
    Thank you

    Have you checked the path of the System event log? Something similar happened to me once, turned out the log file was corrupted. I updated the path and created a new evt which solved the issue for me.
    Hopefully this helps:
    http://technet.microsoft.com/en-us/library/dd315662(v=ws.10).aspx

  • VB Scripting to monitor application event log based on specific words.

    Hi All,
    I have written a VB script to monitor the application event log based on a specific word in the message. When I included the same script in a monitor, after running this script at a specific time once a day, I am getting a run time error on the server where it is
    supposed to run. Could you please check the command that I have highlighted in the script below?
    Dim VarSize
    Dim objMOMAPI
    Dim objBag
    Set objMOMAPI = CreateObject("MOM.ScriptAPI")
    Set objBag = objMOMAPI.CreateTypedPropertyBag(StateDataType)
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Const CONVERT_TO_LOCAL_TIME = True
    Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
    dtmStartDate.SetVarDate dateadd("n", -1440, now)' CONVERT_TO_LOCAL_TIME
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:" _
     & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    Set colLoggedEvents = objWMIService.ExecQuery _
     ("SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Application' AND " _
     & "EventCode = '100'")
    For Each objEvent in colLoggedEvents
    If InStr(LCase(colLoggedEvents.Message), "Message :Application A3 has been successfully processed for today") Then
    X= "Success"
    end if
    Next
    if X="Success" then
    call objBag.AddValue("State","GOOD")
    call objMOMAPI.Return(objBag)
    wscript.quit()
    Else
    call objBag.AddValue("State","BAD")
    call objMOMAPI.Return(objBag)
    wscript.quit()
    End If

    By programming standards since as long as I can remember the use of the value of a variable to detect its Boolean state has been used.
    Cast your mind back to strongly typed languages, e.g. Pascal.
    I'll cast back to the very early days of the "C" language where all variables could be treated as "bool" without a cast. There is no more strongly typed language than "C". "C" practically invented the standards for all modern languages.
    When I was writing machine language we also used zero as false but many machines only tested the high bit for truthiness. The HP machines and Intel allowed a test to aggregate to the sign bit. Adding that flag to the test allowed true for
    a numeric value that was non-zero. A bool test was also used for a negative e switch. If you study micro language implementation you will find that this hardware design and the companion compiler design is ... well... by design. It is a
    way of improving the completeness and usefulness of an instruction set.
    Other languages may require further decoration due to some mistaken desire to be better than perfect. That is like trying to change number theory by renaming addition to be "gunking" and forcing everyone to use multiplication when adding the same number
    more than once. A Boolean test is a test of the flag bit with or without aggregation. Even if we test a bit in a word we still mask and aggregate. It is always the most primitive operation. It is also the most useful
    operation when you finally realize that it is like an identity in math.
    Use the language features that are designed in. They can help to make code much more flexible and logical.
    By the way, Pascal also treats everything as Boolean when asked to.
    ¯\_(ツ)_/¯

  • Login / out history extraction from 2008R2 Event Logs with a PowerShell script?

    Hi folks,
    I think I'm asking something similar to a few other posts, but instead of hijacking their threads, I thought I'd start my own.
    As the subject suggests, I'm trying to extract from a 2008R2 server's Event logs a table of users and their respective login / out events. Not just asking AD for their last login times, but a list of login / out events.
    So far, I'm using:
    Get-EventLog -logname security -Newest 1000 | where {$_.eventID -eq 4624 -or 4634 }
    but the list is long, and contains host authentication connections as well as users. I believe I need something like the ability to filter on "user is domain user", or "user is not a computer", or similar, and then pipe it to Export-CSV,
    but the data is not a CSV file, but more like Text. ie:
    Index : 87290035
    EntryType : SuccessAudit
    InstanceId : 5156
    Message : The Windows Filtering Platform has permitted a connection.
    Application Information:
    Process ID: 1688
    Application Name: \device\harddiskvolume2\windows\system32\dns.exe
    Network Information:
    Direction: %%14592
    Source Address: 192.168.xx.xx
    Source Port: 53
    Destination Address: 192.168.xx.xx
    Destination Port: 44242
    Protocol: 17
    Filter Information:
    Filter Run-Time ID: 66055
    Layer Name: %%14610
    Layer Run-Time ID: 44
    Category : (12810)
    CategoryNumber : 12810
    ReplacementStrings : {1688, \device\harddiskvolume2\windows\system32\dns.exe, %%14592, 192.168.xx.xx...}
    Source : Microsoft-Windows-Security-Auditing
    TimeGenerated : 28/01/2011 4:46:35 PM
    TimeWritten : 28/01/2011 4:46:35 PM
    UserName :
    Why is that even coming up as a result?
    Ideally, I would like a CSV file containing these columns:
    User,timestamp,computer,logon/off
    I've thought about adding a script to the Group Policy where it runs on local machines and appends details to a file on a network share, but I think I would prefer to run this locally, perhaps periodically as a script.
    -- Ebor Administrator

    Thanks Matthew for the links. While I was initially thinking that's looking rather complicated, and my solution was simplistic in comparison, I'm finding (with no surprises, really) that things can get rather complicated quickly. If only parsing was easier
    (or if only they didn't use "Here-Strings" instead, using normal Strings... </grumble>), as it's now looking at almost ten lines (mostly for readability).
    In short, I'm now looking at:
    Get-ADUser -Filter * -SearchBase "OU=Users,OU=Ebor Computing,DC=Ebor,DC=Local" | Sort-Object | ForEach-Object -Process {
        $UserName = $_.SamAccountName
        $MsgQuery = "*" + $UserName + "*"
        $Events = Get-EventLog -LogName Security -Message $MsgQuery | Where-Object {$_.EventID -eq 4624 -or $_.EventID -eq 4634} | ForEach-Object -Process {
            # Take the event ID from the event record (the AD user object has no EventID property)
            $EventID = $_.EventID
            $SrcAddr = "Unknown"
            $idx = $_.Message.IndexOf("Source Network Address:")
            if ($idx -gt 0) {$SrcAddr = $_.Message.Substring($idx+23,15).Trim()}
            # One CSV file per user, appended to on every matching event
            $UserName+","+$SrcAddr+","+$EventID+","+$_.TimeGenerated | Out-File -FilePath "${UserName}_login_events.csv" -Append
        }
    }
    Eeuuw... don't know why that was parsed as it was above... Either way, this takes a very long time, but gives a separate file for each user and goes back the entire length of the Event Log's history for reporting purposes.
    Noting that I had to query AD for the users thus has to run from the AD Powershell, instead of the normal PS, as I don't know the appropriate module load command to get a normal PS to work with AD. Keeping this limitation in mind, I think it works, but needs
    some tweaking for formatting and output I think.
    I'm tempted to create an RODC for this to run on, but what else does the DC do, really? May as well warm up the CPU for an hour or so ;-) I guess one of the improvements could be to determine if the cycles are being taken up with poor String parsing, or
    with AD querying. Another would be to add some comments... ;-)
    -- Ebor Administrator
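
An added example (not code from either post) of producing the User,timestamp,computer,logon/off table asked for above from the events' XML fields instead of searching the message text, while dropping machine accounts (names ending in `$`). The three event documents are constructed samples shaped like the output of `ToXml()` on a Get-WinEvent record; the function name and sample values are assumptions. Note that a filter written as `$_.eventID -eq 4624 -or 4634` matches every event, because the bare non-zero number 4634 is always true, which is why unrelated IDs such as 5156 appear.

```powershell
# Added example. Function name and sample data are assumptions, not from the thread.
function ConvertFrom-LogonEventXml {
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $EventXml)
    process {
        $evt = ([xml]$EventXml).Event
        $id  = [int]$evt.System['EventID'].InnerText
        if ($id -notin 4624, 4634) { return }              # logon / logoff only

        # Collect the named <Data> fields of the event into a lookup table.
        $data = @{}
        foreach ($d in $evt['EventData'].GetElementsByTagName('Data')) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }

        $user = $data['TargetUserName']
        if (-not $user -or $user.EndsWith('$')) { return } # machine accounts end in '$'

        [pscustomobject]@{
            User      = '{0}\{1}' -f $data['TargetDomainName'], $user
            Timestamp = $evt.System['TimeCreated'].GetAttribute('SystemTime')
            Computer  = $evt.System['Computer'].InnerText
            Action    = if ($id -eq 4624) { 'logon' } else { 'logoff' }
            LogonType = $data['LogonType']                 # 2 = interactive, 3 = network, 10 = remote interactive
            Source    = $data['IpAddress']                 # present on 4624, absent on 4634
        }
    }
}

# Constructed sample events: a user logon, a machine-account logon, a user logoff.
$sampleXml = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2011-01-28T06:16:35.000Z" /><Computer>dc1.example.local</Computer></System>
  <EventData>
    <Data Name="TargetUserName">jsmith</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
  </EventData>
</Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2011-01-28T06:16:40.000Z" /><Computer>dc1.example.local</Computer></System>
  <EventData>
    <Data Name="TargetUserName">WKS042$</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="IpAddress">192.0.2.42</Data>
  </EventData>
</Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4634</EventID><TimeCreated SystemTime="2011-01-28T07:02:11.000Z" /><Computer>dc1.example.local</Computer></System>
  <EventData>
    <Data Name="TargetUserName">jsmith</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">10</Data>
  </EventData>
</Event>
'@
)

# Two rows come out (the WKS042$ machine logon is dropped), already in CSV form.
$sampleXml | ConvertFrom-LogonEventXml | ConvertTo-Csv -NoTypeInformation

# Against a live Security log, filter by ID at the source and feed the same function:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4634 } |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-LogonEventXml |
#     Export-Csv -Path .\logon_events.csv -NoTypeInformation
```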

  • How to display system security events logs in Cisco router 4980

    Hi,
    In order to perform acceptance tests following the installation of a Cisco 4980 router cluster, I need to verify that any system security events are logged and that I can display them on the CLI output (for example with the #show logging command).
    By system security event logs, I mean for example bad authentication on the switch, creation/deletion/modification of a user account, telnet connection attempt while this protocol is not allowed, etc...
    With the #show logging command, I have security events related to access-lists, or configuration changes (even if these ones are not really verbose on what has been changed), but no "system" security events.
    Here is my initial logging configuration on these routers:
    logging rate-limit 1 except errors
    logging console critical
    logging monitor critical
    But I also tried like this:
    logging rate-limit 1 except errors
    logging console informational
    logging monitor critical
    logging history informational
    logging facility auth
    But exactly the same result...
    Does this feature exist or not?
    If yes, how do I configure it?
    Thanks.
    Julien

  • Exception write to event log when user not found in active directory

    I'm trying to use an exception to write to an event log to show which user did not get imported from my csv file. Any help to write this exception is appreciated. Thanks
    Import-CSV $importfile | ForEach-Object {
        $samaccountname = $_.sAMAccountName.ToLower() # samaccountname on csv file
        Try {
            $exists = Get-ADUser -LDAPFilter "(sAMAccountName=$samaccountname)" # Filter user by samaccountname
        }
        Catch {
            write-host "Users did not exist." # user does not exist
        }
    }

    To your question:
    "How can I create a new event log every time without saving to the original event log textfile?"
    The answer provided by Mike Laughlin doesn't require you save anything to a text file - so either I'm misunderstanding this follow-up, or you are misunderstanding Mike's post. :)
    To answer your other follow up... try:
    $goodCount = 0
    $badCount = 0
    Import-Csv $importFile | ForEach {
        $SamAccountName = $_.SamAccountName
        try {
            $user = Get-ADUser -Identity $SamAccountName -ErrorAction Stop
            $goodCount++
        } catch {
            Write-EventLog # <-finish this command however you want
            $badCount++
        }
    }
    write-host "Users imported: $goodCount"
    write-host "Users not imported: $badCount"
    G. Samuel Hays, MCT, MCSE 2012, MCITP: Enterprise Admin
    Blog:gsamuelhays.blogspot.com
    twitter:twitter.com/gsamuelhays
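
One way to finish the Write-EventLog call left open in the reply above, as an added example that is not part of the thread. The CSV path, the event source name UserImport and the event IDs 1001 and 1002 are assumptions; Write-EventLog and New-EventLog are Windows PowerShell 5.1 cmdlets.

```powershell
Import-Module ActiveDirectory -ErrorAction Stop

$importFile = 'C:\Temp\users.csv'   # assumed path; the CSV needs a sAMAccountName column
$logName    = 'Application'
$source     = 'UserImport'          # hypothetical event source, not from the thread

# Write-EventLog only accepts a registered source. Registering it (and checking
# for it, which enumerates every log including Security) needs an elevated session.
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName $logName -Source $source
}

function Write-ImportEvent {
    param(
        [int]$EventId,
        [System.Diagnostics.EventLogEntryType]$EntryType,
        [string]$Message
    )
    Write-EventLog -LogName $logName -Source $source -EventId $EventId `
                   -EntryType $EntryType -Message $Message
}

$goodCount = 0
$badCount  = 0

Import-Csv $importFile | ForEach-Object {
    $samAccountName = $_.sAMAccountName
    try {
        # -Identity raises an error for a missing account; an -LDAPFilter query
        # simply returns nothing, so a catch block would never run for it.
        $null = Get-ADUser -Identity $samAccountName -ErrorAction Stop
        $goodCount++
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # The account really is absent: record it as a warning (assumed ID 1001).
        Write-ImportEvent -EventId 1001 -EntryType Warning `
            -Message "User import: '$samAccountName' was not found in Active Directory (file: $importFile)."
        $badCount++
    }
    catch {
        # Any other failure (empty name, DC unreachable, access denied) is logged
        # separately so it is not mistaken for a missing user (assumed ID 1002).
        Write-ImportEvent -EventId 1002 -EntryType Error `
            -Message "User import: lookup of '$samAccountName' failed: $($_.Exception.Message)"
        $badCount++
    }
}

Write-Host "Users imported: $goodCount"
Write-Host "Users not imported: $badCount"
```

Filtering the Application log on source UserImport and event ID 1001 then lists exactly the accounts that were skipped.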

  • Seemingly successful install of Exchange 2013 SP1 turns into many errors in event logs after upgrade to CU7

    I have a new Exchange 2013 server with plans to migrate from my current Exchange 2007 Server. 
    I installed Exchange 2013 SP1 and the only errors I saw in the event log seemed to be long standing known issues that did not indicate an actual problem (based on what I read online). 
    I updated to CU7 and now lots of errors have appeared (although the old ones seem to have been fixed so I have that going for me). 
    Currently the Exchange 2013 server is not in use and clients are still hitting the 2007 server.
    Issue 1)
    After each reboot I get a Kernel-EventTracing 2 error.  I cannot find anything on this on the internet so I have no idea what it is.
    Session "FastDocTracingSession" failed to start with the following error: 0xC0000035
    I did read other accounts of this error with a different name in the quotes but still can’t tell what this is or where it is coming from.
    Issue 2)
    I am still getting 5 MSExchange Common 106 errors even after reregistering all of the perf counters per this page:
    https://support.microsoft.com/kb/2870416?wa=wsignin1.0
    One of the perf counters fails to register using the script from the link above.
    66 C:\Program Files\Microsoft\Exchange Server\V15\Setup\Perf\InfoWorkerMultiMailboxSearchPerformanceCounters.xml
    New-PerfCounters : The performance counter definition file is invalid.
    At C:\Users\administrator.<my domain>\Downloads\script\ReloadPerfCounters.ps1:19 char:4
    +    New-PerfCounters -DefinitionFileName $f
    +    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidData: (:) [New-PerfCounters], TaskException
        + FullyQualifiedErrorId : [Server=VALIS,RequestId=71b6bcde-d73e-4c14-9a32-03f06e3b2607,TimeStamp=12/18/2014 10:09:
       12 PM] [FailureCategory=Cmdlet-TaskException] 33EBD286,Microsoft.Exchange.Management.Tasks.NewPerfCounters
    But that one seems unrelated to the ones that still throw errors. 
    Three of the remaining five errors are (the forum is removing my spacing between the error text so it looks like a wall of text - sorry):
    Performance counter updating error. Counter name is Count Matched LowFidelity FingerPrint, but missed HighFidelity FingerPrint, category name is MSExchange Anti-Malware Datacenter Perfcounters. Optional code: 3. Exception: The
    exception thrown is : System.InvalidOperationException: The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly.
       at System.Diagnostics.PerformanceCounter.InitializeImpl()
       at System.Diagnostics.PerformanceCounter.set_RawValue(Int64 value)
       at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.set_RawValue(Int64 value)
    Last worker process info : System.ArgumentException: Process with an Id of 7384 is not running.
       at System.Diagnostics.Process.GetProcessById(Int32 processId)
       at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
    Performance counter updating error. Counter name is Number of items, item is matched with finger printing cache, category name is MSExchange Anti-Malware Datacenter Perfcounters. Optional code: 3. Exception: The exception thrown
    is : System.InvalidOperationException: The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly.
       at System.Diagnostics.PerformanceCounter.InitializeImpl()
       at System.Diagnostics.PerformanceCounter.set_RawValue(Int64 value)
       at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.set_RawValue(Int64 value)
    Last worker process info : System.ArgumentException: Process with an Id of 7384 is not running.
       at System.Diagnostics.Process.GetProcessById(Int32 processId)
       at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
    Performance counter updating error. Counter name is Number of items in Malware Fingerprint cache, category name is MSExchange Anti-Malware Datacenter Perfcounters. Optional code: 3. Exception: The exception thrown is : System.InvalidOperationException:
    The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly.
       at System.Diagnostics.PerformanceCounter.InitializeImpl()
       at System.Diagnostics.PerformanceCounter.set_RawValue(Int64 value)
       at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.set_RawValue(Int64 value)
    Last worker process info : System.ArgumentException: Process with an Id of 7384 is not running.
       at System.Diagnostics.Process.GetProcessById(Int32 processId)
       at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
    Issue 3)
    I appear to have some issues related to the healthmailboxes. 
    I get MSExchangeTransport 1025 errors for multiple healthmailboxes.
    SMTP rejected a (P1) mail from 'HealthMailbox23b10b91745648819139ee691dc97eb6@<my domain>.local' with 'Client Proxy <my server>' connector and the user authenticated as 'HealthMailbox23b10b91745648819139ee691dc97eb6'. The Active Directory
    lookup for the sender address returned validation errors. Microsoft.Exchange.Data.ProviderError
    I reran setup /prepareAD to try and remedy this but I am still getting some.
    Issue 4)
    I am getting an MSExchange RBAC 74 error. 
    (Process w3wp.exe, PID 984) Connection leak detected for key <my domain>.local/Admins/Administrator in Microsoft.Exchange.Configuration.Authorization.WSManBudgetManager class. Leaked Value 1.
    Issue 5)
    I am getting MSExchange Assistants 9042 warnings on both databases.
    Service MSExchangeMailboxAssistants. Probe Time Based Assistant for database Database02 (c83dbd91-7cc4-4412-912e-1b87ca6eb0ab) is exiting a work cycle. No mailboxes were successfully processed. 2 mailboxes were skipped due to errors. 0 mailboxes were
    skipped due to failure to open a store session. 0 mailboxes were retried. There are 0 mailboxes in this database remaining to be processed.
    Some research suggested this may be related to deleted mailboxes however I have never had any actual user mailboxes on this server. 
    If they are healthmailboxes or arbitration mailboxes that might make sense but I am unsure of what to do on this.
    Issue 6)
    At boot I am getting an MSExchange ActiveSync warning 1033
    The setting SupportedIPMTypes in the Web.Config file was missing. 
    Using default value of System.Collections.Generic.List`1[System.String].
    I don't know why but this forum is removing some of my spacing that would make parts of this easier to read.

    Hi Eric
    Yes I have uninstalled and reinstalled Exchange 2013 CU7 for the 3rd time. 
    I realize you said one issue per forum thread but since I already started this thread with many issues I will at least post what I have discovered on them in case someone finds their way here from a web search.
    I have an existing Exchange 2007 server in the environment so I am unable to create email address policies that are defined by “recipient container”. 
    If I try and do so I get “You can't specify the recipient container because legacy servers are detected.”
     So I cannot create a normal email address policy and restrict it to an OU without resorting to some fancy filtering. 
    Instead what I have done is use PS to modify extensionAttribute1 (otherwise known as Custom Attribute 1 to exchange) for all of my users. 
    I then applied an address policy to them and gave it the highest priority. 
    Then I set a default email address policy for the entire organization. 
    After reinstalling Exchange all of my system mailboxes were created with the internal domain name. 
    So issue number 3 above has not come up. 
    For issue number one above I have created a new thread:
    https://social.technet.microsoft.com/Forums/office/en-US/7eb12b89-ae9b-46b2-bd34-e50cd52a4c15/microsoftwindowskerneleventtracing-error-2-happens-twice-at-boot-ex2013cu7?forum=exchangesvrdeploy
    For issue number four I have posted to this existing thread where there is so far no resolution:
    https://social.technet.microsoft.com/Forums/exchange/en-US/2343730c-7303-4067-ae1a-b106cffc3583/exchange-error-id-74-connection-leak-detected-for-key?forum=exchangesvradmin
    Issue number Five I have managed to recreate and get rid of in more than one way. 
    If I create a new database in ECP and set the database and log paths where I want, then this error will appear. 
    If I create the database in the default location and then use EMS to move it and set the log path, then the error will not appear. 
    The error will also appear (along with other errors) if I delete the health mailboxes and let them get recreated by restarting the server or the Health Manager service. 
    If I then go and set the retention period for deleted mailboxes to 0 days and wait a little while, these will all go away. 
    So my off hand guess is that these are caused by orphaned system mailboxes.
    For issue number six I have posted to this existing thread where there is so far no resolution:
    https://social.technet.microsoft.com/Forums/exchange/en-US/dff62411-fad8-4d0c-9bdb-037374644845/event-1033-msexchangeactivesync-warning?forum=exchangesvrmobility
    So for the remainder of this thread we can try and tackle issue number two which is the perf counters. 
    The exact same 5 perf counters were coming up and this had been true each time I have uninstalled and reinstalled Exchange 2013CU7. 
    Actually to be more accurate a LOT of perf counter errors come up after the initial install, but reloading the perf counters using the script I posted above reduces it to the same five. 
    Using all of your suggestions so far has not removed these 5 remaining errors either.  Since there is no discernible impact other than these errors at boot I am not seriously bothered by them but as with all event log errors, I would prefer to make them go away if possible.

  • To create event log server

    Hi,
    I want to create an event log server at my data center, I mean, I want to collect the event logs from all my servers and manage the logs centrally, please guide me the steps for this.
    Swaprakash..

    If your Enterprise uses SCOM for monitoring, you can easily configure and deploy Audit Collection Reporting (ACS) to pull events from servers based on specific criteria.
    You can also manually configure event forwarding/subscriptions.  Here's a link on how.
    Only when the above two options are impossible will I start to look at a scripting solution, using Get-Eventlog or Get-WinEvent cmdlets.

  • Trouble with a script that deletes event in iCal

    Used this script over the summer and it worked fine. Can't figure out the issue now, but it isn't working. Here are a few lines of the output I get and then the error I get is at the bottom. I'll post the full script at the bottom of this posting. Error # -1728??? File doesn't exist?
    Thanks,
    dan
    get summary of item 2 of every event of calendar "Untitled"
    --> "Enviro C Lab Period 3-4"
    get summary of item 2 of every event of calendar "Untitled"
    --> "Enviro C Lab Period 3-4"
    get description of item 2 of every event of calendar "Untitled"
    --> missing value
    get status of item 2 of every event of calendar "Untitled"
    --> none
    get start date of item 2 of every event of calendar "Untitled"
    --> date "Tuesday, April 26, 2011 10:30:00 AM"
    get summary of item 2 of every event of calendar "Untitled"
    --> "Enviro C Lab Period 3-4"
    get end date of item 2 of every event of calendar "Untitled"
    --> date "Tuesday, April 26, 2011 11:55:00 AM"
    get allday event of item 2 of every event of calendar "Untitled"
    --> false
    make new event at end of every event of calendar "Untitled" with properties {status:none, start date:date "Tuesday, April 26, 2011 10:30:00 AM", summary:"Enviro C Lab Period 3-4", end date:date "Tuesday, April 26, 2011 12:25:00 PM", allday event:false}
    --> event id "AF27EFB6-3949-4977-A153-1EFE31FD8206" of calendar id "0EDA6DFD-52AD-4E7F-BC81-984CFF7D3F39"
    delete item 2 of every event of calendar "Untitled"
    --> error number -1728 from item 2 of every event of calendar "Untitled"
    Result:
    error "iCal got an error: Can’t get item 2 of every event of calendar \"Untitled\"." number -1728 from item 2 of every event of calendar "Untitled"
    tell application "iCal"
        repeat with theEvent in (events of calendar "Untitled")
            set control to {}
            set control to summary of theEvent
            set AppleScript's text item delimiters to space
            set theSummary to summary of theEvent
            set textSummary to text items of theSummary
            if the third item of textSummary is "Lab" then
                if the fifth item of textSummary is "5-6" then
                    get theEvent
                    set theDescription to description of theEvent
                    set theStatus to status of theEvent
                    set theStartDate to (start date of theEvent) - 0.5 * hours
                    set theSummary to summary of theEvent
                    set theEndDate to end date of theEvent
                    set theAllDay to allday event of theEvent
                    set newEvent to (make new event at end of events of calendar "Untitled" with properties {status:theStatus, start date:theStartDate, summary:theSummary, end date:theEndDate, allday event:theAllDay})
                    set oldEvent to ""
                    set theEvent to oldEvent
                    get theEvent
                    delete theEvent
                end if
                if the fifth item of textSummary is "3-4" then
                    get theEvent
                    set theDescription to description of theEvent
                    set theStatus to status of theEvent
                    set theStartDate to start date of theEvent
                    set theSummary to summary of theEvent
                    set theEndDate to (end date of theEvent) + 0.5 * hours
                    set theAllDay to allday event of theEvent
                    set newEvent to (make new event at end of events of calendar "Untitled" with properties {status:theStatus, start date:theStartDate, summary:theSummary, end date:theEndDate, allday event:theAllDay})
                    delete theEvent
                end if
            end if
        end repeat
    end tell

    Hello
    The posted event log indicates some inconsistent behaviour of iCal in referencing item 2 of every event. I.e., it could access it first and failed to do so after a new event is created. Scent of bug here. Or possibly inserting ugly small delay after event creation might let the script delete the newly created event...
    Anyway, the 'by index' reference form of object must be used very carefully when object can be deleted or added dynamically.
    Also I wish to add that it is not recommended to use an object specifier, that returns list of objects, as the base list for repeat statement, such as :
    --CODE1
    -- # not recommended
    repeat with theEvent in (events of calendar "Untitled")
    -- omitted
    end repeat
    --END OF CODE1
    Instead, you'd better get the list first and use it, such as :
    --CODE2
    -- # recommended
    repeat with theEvent in (get events of calendar "Untitled")
    -- omitted
    end repeat
    --END OF CODE2
    The reason is as follows.
    In CODE1, the iterator is assigned as item k of events of calendar "Untitled", where k iterates from 1 to count of events of calendar "Untitled" at the time of loop entrance. The problem is that this list of events is dynamic list which may change when event is deleted or added, and consequently item k as iterator may no longer refer to the item k of the original collection of events.
    In CODE2, the iterator is assigned as item k of a static list which is obtained by statement 'get events of calendar "Untitled"' at the time of loop entrance. If the event object is returned in 'by ID' reference form (or any form other than that depends upon index in the container), item k as iterator is guaranteed to refer to the item k of the original collection of events whether or not collection changes.
    Thus you may try something like this :
    --SCRIPT
    (* not tested *)
    tell application "iCal"
        tell calendar "Untitled"
            repeat with theEvent in (get its events) -- # get the objects list
                set theEvent to theEvent's contents -- # dereference each once
                set AppleScript's text item delimiters to {space}
                set textSummary to text items of summary of theEvent
                set AppleScript's text item delimiters to {""} -- # reset astid
                if item 3 of textSummary is "Lab" then
                    if item 5 of textSummary is "5-6" then
                        tell theEvent
                            set prop to {¬
                                start date:(its start date) - 0.5 * hours, ¬
                                end date:its end date, ¬
                                status:its status, ¬
                                summary:its summary, ¬
                                allday event:its allday event}
                        end tell
                        make new event at end of events with properties prop
                        delete theEvent
                    end if
                    if item 5 of textSummary is "3-4" then
                        tell theEvent
                            set prop to {¬
                                start date:its start date, ¬
                                end date:(its end date) + 0.5 * hours, ¬
                                status:its status, ¬
                                summary:its summary, ¬
                                allday event:its allday event}
                        end tell
                        make new event at end of events with properties prop
                        delete theEvent
                    end if
                end if
            end repeat
        end tell
    end tell
    --END OF SCRIPT
    Hope this may help,
    H

  • Event Log stopped working - Error 1747 : The Authentication Service is Unknown

    I recently noticed that my scheduled tasks were no longer running. I tried to bring up the task scheduler and it said the service was not running. I checked the service and sure enough, it was not running. I tried to start it and it failed because the windows event log service, which is a dependency, was also not running. I tried to start the event log service, and it gave the error above in the subject line.
    The event log service uses a log on of "Local Service". There are other services that use the same log on and they start up with no problem. I have searched the internet for a solution to this and have tried several things I found with no luck. One was to run SFC, another was to delete the Windows/Logs and Windows/System32/Logfiles folders so they would be re-created on startup. I also tried subinacl to reset the ACLs on registry branches and the subfolders of %SystemDrive% as recommended in another forum.
    I am running Vista Home Premium and all the latest updates have been applied. Anyone have any further ideas? (short of re-installing Vista).
    Thanks.

    Hi there Robin. I am an IT Technician & felt that I needed to begin communication with you regarding this issue. I recently made a post in this thread detailing my issues & found resolution. I just wanted to share my post with you & hope that the information is useful to others that need to resolve these issues without re-installing their operating systems. Please find my post below:
    Hi all. I am an IT technician & have recently been troubleshooting a customer's Windows Vista Home Premium laptop in a wireless home network.
    In a nutshell the laptop suddenly stopped connecting to the wireless router; upon investigation I found lots of windows services were not starting; this sent me on a bit of a wild goose chase as this showed all signs of some kind of trojan / malware infection hogging the system. Here are some of the things I saw:
    1). Norton 360 wasn't even running correctly & I was unable to view its firewall status.
    2). Windows firewall was disabled & I was unable to start it (service failed error message).
    3). I was unable to view windows event logs & received "Error 1747 : The Authentication Service is Unknown"
    4). Windows Side Bar was all blanked out & not showing any gadgets
    5). I attempted a system restore but that failed (I saw references in system restore that the Bonjour service had been un-installed)
    I did loads of further investigation & found this thread. It would appear that removing, or even trying to remove / un-install the Bonjour service may cause the above mentioned issues in windows Vista. I have not seen this kind of errata in windows XP.
    I have heard of people pulling their hair out & re-installing the operating system possibly due to experiencing these issues.
    Please Read On.... 
    Resolution that worked for me:
    I ran the Winsock corruption fix that is mentioned in previous threads as per microsoft's instructions found at the following URL: http://support.microsoft.com/kb/811259 
    Manual steps to recover from Winsock2 corruption for Windows Vista users
    Winsock corruption can cause connectivity problems. To resolve this issue by using Network Diagnostics in Windows Vista, follow these steps:
    1. Click , and then click Network.
    2. Click Network and Sharing Center.
    3. In the Network and Sharing Center box, click Diagnose and Repair.
    Note You may also access the Network and Sharing Center in Control Panel.
    If the Network and Diagnostic tool was unable to find a problem, you can manually repair or reset Winsock.
    Manual steps to repair or to reset Winsock for Windows Vista users
    1. Click , type cmd in the Start Search box, right-click cmd.exe, click Run as administrator, and then press Continue.
    2. Type netsh winsock reset at the command prompt, and then press ENTER.
    Note If the command is typed incorrectly, you will receive an error message. Type the command again. When the command is completed successfully, a confirmation appears, followed by a new command prompt. Then, go to step 3.
    3. Type exit, and then press ENTER
    Hey Presto!!!! After re-booting everything is back online & all necessary windows services & norton 360 are starting as normal.
    Further Information on Bonjour Service:
    http://en.wikipedia.org/wiki/Bonjour_(software)
    As I understand & in my experience the Bonjour service is installed as a sub-applet with certain 3rd party software applications including Apple's iTunes & Adobe newest Creative Suite 3 installs Apple’s Bonjour service even if you don’t install Version Cue. Its main goal is to provide zero-configuration connectivity between Version Cue server and the suite’s applications.
    A bit more CSi & I've established how to un-install Bonjour service; there is a great topic on this subject at the following URL: http://www.raymond.cc/blog/archives/2008/02/10/how-to-uninstall-or-remove-bonjour-mdnsresponderexe/
    Thanks to all for your post & input...it has really helped to get this issue resolved (well for me anyway) & has of course save a re-install!!!!
    I will keep an eye on this thread...please post your resolutions / experiences to help others.
    Kind regards

  • Export all Errors and warnings event logs from Application, security and system for last 24 hours and send it to IT administrators.

    Dear Team,
    I want a PowerShell script to export servers' event logs into Excel and send that file to IT administrators.
    Excel format:
    Server Name, Log Name, Time, Source, Event ID and Message.
    Require logs:  
    Application, Security, System, DFS Replication and Directory service.
    And this Excel file has to be sent to an email address.
    And it would be good if I could get a similar script for hard disk space and RAM and CPU utilization.

    Here are some examples:
    http://gallery.technet.microsoft.com/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=logs&f%5B0%5D.Text=Logs%20and%20monitoring&f%5B1%5D.Type=SubCategory&f%5B1%5D.Value=eventlogs&f%5B1%5D.Text=Event%20Logs
    ¯\_(ツ)_/¯
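
The export requested above, written with Get-WinEvent, as an added example that is not from the thread. The server list path, output path and mail settings are placeholders; the Security log is filtered on the Audit Failure keyword because its events carry no Error or Warning level.

```powershell
# Placeholders: adjust the paths and mail settings for your environment.
$servers = @(Get-Content 'C:\Temp\servers.txt' | Where-Object { $_.Trim() })  # one name per line
$since   = (Get-Date).AddHours(-24)
$outFile = "C:\Temp\EventReport-$(Get-Date -Format 'yyyy-MM-dd').csv"

# These logs carry a severity level: 2 = Error, 3 = Warning.
$levelLogs    = 'Application', 'System', 'DFS Replication', 'Directory Service'
# Security events are flagged by keyword instead: Audit Failure = 0x10000000000000.
$auditFailure = 4503599627370496

function Get-RecentEvent {
    param([string]$Server, [hashtable]$Filter)
    try {
        Get-WinEvent -ComputerName $Server -FilterHashtable $Filter -ErrorAction Stop
    }
    catch {
        # "No matching events" is a normal result. Anything else (log not present
        # on this server, access denied, RPC blocked) is reported, not hidden.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            Write-Warning "$Server / $($Filter.LogName): $($_.Exception.Message)"
        }
    }
}

# Each log is queried on its own so a log missing on one server does not
# discard that server's other results.
$report = @(foreach ($server in $servers) {
    foreach ($log in $levelLogs) {
        Get-RecentEvent -Server $server -Filter @{ LogName = $log; Level = 2, 3; StartTime = $since }
    }
    Get-RecentEvent -Server $server -Filter @{ LogName = 'Security'; Keywords = $auditFailure; StartTime = $since }
})

if ($report.Count -eq 0) {
    Write-Host "No errors, warnings or audit failures since $since."
    return
}

# Columns in the order the request lists them.
$report |
    Sort-Object MachineName, LogName, TimeCreated |
    Select-Object @{ Name = 'Server Name'; Expression = { $_.MachineName } },
                  @{ Name = 'Log Name';    Expression = { $_.LogName } },
                  @{ Name = 'Time';        Expression = { $_.TimeCreated } },
                  @{ Name = 'Source';      Expression = { $_.ProviderName } },
                  @{ Name = 'Event ID';    Expression = { $_.Id } },
                  Message |
    Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8

$mail = @{
    From        = 'eventreport@example.invalid'   # placeholder
    To          = 'it-admins@example.invalid'     # placeholder
    SmtpServer  = 'smtp.example.invalid'          # placeholder
    Subject     = "Event log errors and warnings since $since"
    Body        = "$($report.Count) events from $($servers.Count) servers; details attached."
    Attachments = $outFile
}
Send-MailMessage @mail
```

Event messages contain strings that remote users control, such as account names in failed logons, so import the CSV into Excel as text rather than letting cells that begin with = be evaluated.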

  • Variable text is blank in emails when using Scheduled Task to email event log notifications

    I am trying to use powershell to email notification when a user account gets locked.  I am running the script from a server 2008 domain controller.
    I have tried multiple scripts and I have the same issue every time.  The script works fine when I run it directly from the powershell command line window.
    However whenever I try running the exact same scripts from an event-triggered scheduled task, the script runs, however any content that is generated from a variable is not added to the email.  It is just left blank and ignored.
    I have tried adding lots of permissions including domain administrator group membership to the account the task runs from and it doesn't include all the expected text unless I run it from the built-in domain administrator account.
    The task runs and the email is sent, but the email is missing all the content generated by variables.
    How can this be fixed?
    Here is an example script.
    $AccountLockOutEvent = Get-EventLog -LogName "Security" -InstanceID 4740 -Newest 1
    $LockedAccount = $($AccountLockOutEvent.ReplacementStrings[0])
    $AccountLockOutEventTime = $AccountLockOutEvent.TimeGenerated
    $AccountLockOutEventMessage = $AccountLockOutEvent.Message
    $messageParameters = @{
        Subject = "Account Locked Out: $LockedAccount"
        Body = "Account $LockedAccount was locked out on $AccountLockOutEventTime.`n`nEvent Details:`n`n$AccountLockOutEventMessage"
        From = "[email protected]"
        To = "[email protected]"
        SmtpServer = "exch2010.domain.local"
    }
    Send-MailMessage @messageParameters
    =================================================
    Here is an example of task settings.
    <?xml version="1.0" encoding="UTF-16"?>
    <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
      <RegistrationInfo>
        <Date>2015-03-25T21:40:28.8095226</Date>
        <Author>DOMAIN\administrator</Author>
      </RegistrationInfo>
      <Triggers>
        <EventTrigger>
          <Enabled>true</Enabled>
          <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4740]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
        </EventTrigger>
      </Triggers>
      <Principals>
        <Principal id="Author">
          <UserId>DOMAIN\WilliamsD</UserId>
          <LogonType>Password</LogonType>
          <RunLevel>LeastPrivilege</RunLevel>
        </Principal>
      </Principals>
      <Settings>
        <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
        <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
        <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
        <AllowHardTerminate>true</AllowHardTerminate>
        <StartWhenAvailable>false</StartWhenAvailable>
        <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
        <IdleSettings>
          <StopOnIdleEnd>true</StopOnIdleEnd>
          <RestartOnIdle>false</RestartOnIdle>
        </IdleSettings>
        <AllowStartOnDemand>true</AllowStartOnDemand>
        <Enabled>true</Enabled>
        <Hidden>false</Hidden>
        <RunOnlyIfIdle>false</RunOnlyIfIdle>
        <WakeToRun>false</WakeToRun>
        <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
        <Priority>7</Priority>
      </Settings>
      <Actions Context="Author">
        <Exec>
          <Command>powershell.exe</Command>
          <Arguments>-nologo -File "C:\powershell\l2.ps1"</Arguments>
        </Exec>
      </Actions>
    </Task>

    By variable text I mean everything that it generates by using a variable such as the user's name ($LockedAccount)
    and everything else such as $AccountLockOutEventTime and everything else that is generated from
    a variable.
    Nothing like that appears in the email only hard coded text.
    I am not running it remotely.  I am logged directly onto the domain controller and I tried giving
    the account that is used to run the task more and more permissions including domain administrator group membership with the same result.
    When I run the exact same script on the same domain controller locally via the powershell CLI all of the info appears.
    This is the info when the email is generated by running the script directly from the powershell CLI:
    ================================================
    ================================================
    Account BondJ was locked out on 03/26/2015 20:42:18.
    Event Details:
    A user account was locked out.
    Subject:
                    Security ID:                         S-1-5-18
                    Account Name:                 DC1$
                    Account Domain:                 DOMAIN
                    Logon ID:                       0x3e7
    Account That Was Locked Out:
                    Security ID:                         S-1-5-21-3440879815-2193117124-1719501250-1154
                    Account Name:                 BondJ
    Additional Information:
                    Caller Computer Name:                DC1
    ===================================================
    ====================================================
    Below is the contents of the email when the same script runs via scheduled task trigger using any account I try other than the built-in domain Administrator account.
    =======================================================
    ======================================================
    Account  was locked out on .
    Event Details:
    ===================================================
    Just mostly blank email body with the info above.  All the important information text is missing from the email.
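
A guarded version of the lockout script above, as an added example that is not from the thread: the blank subject and body mean $AccountLockOutEvent was empty, so this version stops when the Security log read fails and reports which identity ran it. The mail addresses are placeholders, and the assumption is that the task account's token cannot read the Security log (the task XML sets RunLevel to LeastPrivilege).

```powershell
$mail = @{
    From       = 'lockout-alert@example.invalid'   # placeholder address
    To         = 'it-admins@example.invalid'       # placeholder address
    SmtpServer = 'exch2010.domain.local'           # value from the post
}

# Who is the script really running as, and is the token elevated?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

try {
    # -ErrorAction Stop turns "access denied" and "no matches" into exceptions
    # instead of leaving the variable empty and carrying on.
    $lockout = Get-EventLog -LogName Security -InstanceId 4740 -Newest 1 -ErrorAction Stop
}
catch {
    $body = @"
The lockout alert script could not read event 4740 from the Security log.
Running as : $($identity.Name)
Elevated   : $elevated
Error      : $($_.Exception.Message)
"@
    Send-MailMessage @mail -Subject 'Account lockout alert FAILED to read the Security log' -Body $body
    exit 1   # shows up as a non-zero Last Run Result on the scheduled task
}

$lockedAccount = $lockout.ReplacementStrings[0]
$body = "Account $lockedAccount was locked out on $($lockout.TimeGenerated).`n`n" +
        "Event Details:`n`n$($lockout.Message)"
Send-MailMessage @mail -Subject "Account Locked Out: $lockedAccount" -Body $body
```

The diagnostic mail separates a permissions problem on the task account from a trigger that fired without a readable event, which an empty alert cannot do.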

  • SQL Server monitoring error event log 4001

    Hello Experts,
    We have a SCOM 2012 R2 environment. I have installed SQL Server MPs 6.5.0.1 and installed the SCOM agent on some of the SQL Servers. Monitoring is working properly for some of the SQL Servers, but not all; for some of them I am getting an error in the event log:
    Event :4001
    Management Group: SCOMMgtGroup. Script: Main Module: CPUUsagePercentDataSource.ps1 : 
    Computer Name = 'MHSSCOM01.memnet.org' WMI = 'ComputerManagement11' Service Name = 'MSSQLSERVER' SQL Instance Name = 'MSSQLSERVER'
    Exception calling "Fill" with "1" argument(s): "The user does not have permission to perform this action."Error occured during CPU Usage for SQL Instances data source executing.
    Computer:MHSSCOM01 
    Reason: Exception calling "Fill" with "1" argument(s): "The user does not have permission to perform this action."
    We are also not getting database information within the SQL Server instances for these SQL Servers in "Instances Summary".
    For resolution, I have created a Run As account (Windows) for SQL monitoring, then associated it with the Run As profiles SQL Server Default Account, Discovery Account and Monitoring Account, and distributed it securely to each SQL Server health service object.
    The Run As account has been added to the local admin group on each SQL Server.
    How can I resolve the event log error, and how can I get database information for all instances of SQL Server?
    Thanks
    RICHA

    Hi,
    It seems that the action account that runs the script does not have enough permissions on the monitored SQL server. I would like to suggest you follow the link below to check your Run As account configuration:
    http://blogs.technet.com/b/kevinholman/archive/2010/09/08/configuring-run-as-accounts-and-profiles-in-r2-a-sql-management-pack-example.aspx
    And make sure the action account also has SQL admin account to the SQL server.
    Here is also a link that may be helpful for you:
    http://blogs.technet.com/b/momteam/archive/2014/05/12/kb-event-4001-in-the-operations-manager-log-during-sql-server-2012-monitoring.aspx
    Regards,
    Yan Li