Script to Export Pervious Day Events Logs to CSV

Similar Messages

• ICM Admin Script to export user variables to log file

  Hi,
  Is there a easy way to export/report the values of user variables to a file in ICM 7.x?
  These are global variables set in admin scripts for open/close flags and looking to see at a glance what the values of all the variables are at a given time throughout the day without having to monitor each script/etc that uses them.
  I was looking at maybe an admin script to write the values to a text file every x hours/minutes/etc but am kind of new to ICM scripting and not seeing a step there to do this and not sure if this is possible or if there is another way.
  Have a script where supervisors can force open/close different queues for reasons (weather, etc) and trying to add way to log when a change was made for historical purposes and troubleshooting just a text file or something easy.
  Thanks, Erick

  Only three years later but in case someone else is ever looking this should get you started. First, be sure your vars are set to persistent and replicated to an HDS. You can then extract this data from the Persistent_Variable data. It will require some joins to the User_Variable data to get a nice solid query. 

• Need Help to extract information from Windows Security Event log

  Hi Everyone,
  My challenge is to create a script that queries the Security event log for event id 4624 , logon type 2 and 10, then export the result to file, hopefully tab limited.
  I need the time - date - User Account - Workstation - IP address - Logon Type.
  I have had a go, checking out other advice from other questions, but i'm just not getting what I want.
  Kind regards,
  Andrew

  A good point to start is get-eventlog with where clauses.
  For example:
  get-eventlog -log security  | where {$_.eventID -eq 4624}
  So you want to get the entire security log, and then filter it client side? (Some of these logs can be massive).
  I would recommend Get-WinEvent with -FilterHashTable (Filter on the left) which will filter against the log directly.
  http://blogs.technet.com/b/heyscriptingguy/archive/2011/01/24/use-powershell-cmdlet-to-filter-event-log-for-easy-parsing.aspx
  You might have admin rights issues accessing the security logs.
  You're right - my answer was only a first step to try "get-command *event" and eventually get-help.....

• Clear Event log

  Hi all,
  We have almost 1500 clients (win7 system) in LAN environment and our requirement was we need to clear event logs older than 7 day's in all client system,
  Pls confirm and group policy or script available for that.
  Thanks, Mariappan Shanmugavel

  Greetings!
  I am not sure if it is practical to have a script to search for old event logs and clear them. Also it may create performance issues because the event logs should be queried and check conditions for that, then move for removal process. Why not to use retention
  for this? configure retention for 7 days and there will be no log older that that.
  Event Logging policy settings in Windows Server 2008 and Vista
  Regards.
  Mahdi Tehrani   |  
    |  
  www.mahditehrani.ir
  Please click on Propose As Answer or to mark this post as
  and helpful for other people.
  This posting is provided AS-IS with no warranties, and confers no rights.
  How to query members of 'Local Administrators' group in all computers?

• Export all Errors and warnings event logs from Application, security and system for last 24 hours and send it to IT administrators.

  Dear Team,
  I want a powershell script to export servers event logs into excel and it send that file to IT administrators.
  Excel format:
  Server Name, Log Name, Time, Source, Event ID and Message.
  Require logs:  
  Application, Security, System, DFS Replication and Directory service.
  And these excel file has to be send to Email address.
   And it would be good, if i get a script same for Hard disk space and RAM and CPU utilization.

  Here are some examples:
  http://gallery.technet.microsoft.com/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=logs&f%5B0%5D.Text=Logs%20and%20monitoring&f%5B1%5D.Type=SubCategory&f%5B1%5D.Value=eventlogs&f%5B1%5D.Text=Event%20Logs
  ¯\_(ツ)_/¯

• VB Scripting to monitor application event log based on specific words.

  Hi All,
  I Have written, vb script to monitor application event log based on specific word in the message. when I have included same script in monitor, after running this script at specific time once in day, I am getting run time error in the server, where it
  supposed to run, could you please check the command where I have highlighted in below script.
  Dim VarSize
  Dim objMOMAPI
  Dim objBag
  Set objMOMAPI = CreateObject("MOM.ScriptAPI")
  Set objBag = objMOMAPI.CreateTypedPropertyBag(StateDataType)
  Set objFSO = CreateObject("Scripting.FileSystemObject")
  Const CONVERT_TO_LOCAL_TIME = True
  Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
  dtmStartDate.SetVarDate dateadd("n", -1440, now)' CONVERT_TO_LOCAL_TIME
  strComputer = "."
  Set objWMIService = GetObject("winmgmts:" _
   & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
  Set colLoggedEvents = objWMIService.ExecQuery _
   ("SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Application' AND " _
   & "EventCode = '100'")
  For Each objEvent in colLoggedEvents
  If InStr(LCase(colLoggedEvents.Message), "Message :Application A3 has been successfully processed for today") Then
  X= "Success"
  end if
  Next
  if X="Success" then
  call objBag.AddValue("State","GOOD")
  call objMOMAPI.Return(objBag)
  wscript.quit()
  Else
  call objBag.AddValue("State","BAD")
  call objMOMAPI.Return(objBag)
  wscript.quit()
  End If

  By programming standards since as long as I can remember the use of the value of a variable to detect its Boolean state has been used.
  Cast your mind back to strongly typed languages, e.g. Pascal.
  I'll cast back to the very early days of the "C" language where all variables could be treated as "bool" without a cast. The is no more strongly type language than "C". "C" practically invented the standards for all modern languages. 
  When I was writin machine language we also used zero as false but many machines only  tested the high bit for truthieness.  The HP machines and Intel allowed a test to aggregate to the sign bit.  Adding that flag to the test alloed tru for
  an numeric value that was non-zero.  A boool test was also used for a negative e switch.  If you study micro language implementation you will find that this hardware design and the companion compiler design is ... well... by design.  It is a
  way of improving the completeness and usefulness of an instruction set.
  Other langauges may require further decoration due to some mistaken desire to be better than perfect. That is like trying to change number theory by renaming addition to be "gunking" and forcing everyone to use multiplication when adding the same number
  more than once.  A Boolean test os a test of the flag bit with to without aggregation.    Even if we test a bit in a word we still mask and aggregate.  It is always the most primitive operation.  It is also the most useful
  operation when you finally realize that it is like an identity in math.
  Use the language features that are designed in. They can help to make code much more flexible and logical.
  By the way, Pascal also treats everything as Boolean when asked to.
  ¯\_(ツ)_/¯

• PS script to save event logs

   
  Hi,
  I want to create a PS script which will pick the server name from a text file and save the event logs one by one of all the server with server name in a shared folder in network
  For this I tried to create below code, but not successful. I know there are some silly mistake in this code which i m not able to identify
  Please help me because I’m new in scripting and have very little knowledge about this.
  ==================
  $Computer_Name = Get-Content \\sharepath\name.txt
  $logfile = ForEach ($Computer_Name)
  Get-WmiObject -Class win32_NTEventlogFile  -Filter "logFileName='Application'"
  $logfile.ClearEventlog('Sharepath\%computername%_Application_Logs.evt')
  ========================

  Thanks !!!
  The share path is working fine.
  If I am running the below script it will save the logs files of local computer to the shared drive with computer name.
  ==============
  $logfile = Get-WmiObject -Class win32_NTEventlogFile  -Filter "logFileName='Application'"
  $logfile.ClearEventlog('\\sharepath\%computername%_Application_Logs.evt')
  ================
  Now, I want to create a script which will pick the server name from a text file and save that to a shared folder with respective computer name.
  Also, is there any way to SAVE AS the log files rather than clearing the logs ?
  You can export the logs using Get-EventLog and Export-Csv  Get-EventLog can specify a filter of -after and -before to set a date range.
  Help get-eventlog -full
  You can specify an array or file of computer names on the commandline.  You can specify credentials on the commandline.
  You can also save eventlogs in their entirety but that is not a good practice as it produces too much overlap.
  I suggest that weekly extractions ican be managed on an overnight basis. Monthly extracts are likely to take too much time.
  LogParser is much better at extracting Eventlogs in many formats.
  Logs should beset to rol lover on a size basis.  I use 32 and 64 megabytes on bsic systems and much larger on busier systems.   like to have a year online if possible.
  ¯\_(ツ)_/¯

• Login / out history extraction from 2008R2 Event Logs with a PowerShell script?

  Hi folks,
  I think I'm asking something similar to a few other posts, but instead of hijacking their threads, I thought I'd start my own.
  As the subject suggests, I'm trying to extract from a 2008R2 server's Event logs a table of users and their respective login / out events. Not just asking AD for their last login times, but a list of login / out events.
  So far, I'm using:
  Get-EventLog -logname security -Newest 1000 | where {$_.eventID -eq 4624 -or 4634 }
  but the list is long, and contains host authentication connections as well as users. I believe I need something like the ability to filter on "user is domain user", or "user is not a computer", or similar, and then pipe it to Export-CSV,
  but the data is not a CSV file, but more like Text. ie:
  Index : 87290035
  EntryType : SuccessAudit
  InstanceId : 5156
  Message : The Windows Filtering Platform has permitted a connection.
  Application Information:
  Process ID: 1688
  Application Name: \device\harddiskvolume2\windows\system32\dns.exe
  Network Information:
  Direction: %%14592
  Source Address: 192.168.xx.xx
  Source Port: 53
  Destination Address: 192.168.xx.xx
  Destination Port: 44242
  Protocol: 17
  Filter Information:
  Filter Run-Time ID: 66055
  Layer Name: %%14610
  Layer Run-Time ID: 44
  Category : (12810)
  CategoryNumber : 12810
  ReplacementStrings : {1688, \device\harddiskvolume2\windows\system32\dns.exe, %%14592, 192.168.xx.xx...}
  Source : Microsoft-Windows-Security-Auditing
  TimeGenerated : 28/01/2011 4:46:35 PM
  TimeWritten : 28/01/2011 4:46:35 PM
  UserName :
  Why is that even coming up as a result?
  Ideally, I would like a CSV file containing these columns:
  User,timestamp,computer,logon/off
  I've thought about adding a script to the Group Policy where it runs on local machines and appends details to a file on a network share, but I think I would prefer to run this locally, perhaps periodically as a script.
  -- Ebor Administrator

  Thanks Matthew for the links. While I was initially thinking that's looking rather complicated, and my solution was simplistic in comparison, I'm finding (with no surprises, really) that things can get rather complicated quickly. If only parsing was easier
  (or if only they didn't use "Here-Strings" instead, using normal Strings... </grumble>), as it's now looking at almost ten lines (mostly for readability).
  In short, I'm now looking at:
  Get-ADUser -Filter * -SearchBase "OU=Users,OU=Ebor Computing,DC=Ebor,DC=Local" | Sort-Object | ForEach-Object -Process {
  $UserName = $_.SamAccountName
  $MsgQuery="*" + $UserName + "*"
  $EventID = $_.EventID
  $Events = Get-EventLog -logname security -Message $MsgQuery | where {$_.EventID -eq 4624 -or $_.EventID -eq 4634} | ForEach-Object -Process {
  $SrcAddr = "Unknown"
  $idx = $_.message.IndexOf("Source Network Address:")
  if ($idx -gt 0) {$SrcAddr = $_.message.substring($idx+23,15).trim()}
  $UserName+","+$SrcAddr+","+$EventID+","+$_.TimeGenerated | Out-File -FilePath $UserName"_login_events.csv" -Append
  Eeuuw... don't know why that was parsed as it was above... Either way, this takes a very long time, but gives a separate file for each user and goes back the entire length of the Event Log's history for reporting purposes.
  Noting that I had to query AD for the users thus has to run from the AD Powershell, instead of the normal PS, as I don't know the appropriate module load command to get a normal PS to work with AD. Keeping this limitation in mind, I think it works, but needs
  some tweaking for formatting and output I think.
  I'm tempted to create an RODC for this to run on, but what else does the DC do, really? May as well warm up the CPU for an hour or so ;-) I guess one of the improvements could be to determine if the cycles are being taken up with poor String parsing, or
  with AD querying. Another would be to add some comments... ;-)
  -- Ebor Administrator

• SCOM 2012 R2 Exchange Correlation Service , we receive almost at every day in the Event log Application the Event720

  HI
  Since the SCOM was Upgrade to R2 
  Almost at every Day, we receive in the Event log application the Event 720 from the correlation service Source MSExchangeMonitoring Correlation
  This arrives always around 7:20AM, someday is at 7:19, other at 7:21. It is always approximately at the same hour, but we never have any problem during weekend
  The description of the Event
  Exceeded maximum time (15 minutes) to wait for completion of all CorrelateBatchTask threads.
  After that the correlation stop to work. At the Same time if we tried to open the SCOM Console on that server we was unable to open it. Also we was not able to open the SCOM PowerShell
  And also we cannot from that server to get which server is the RMS if we run get-SCOMRMSEmulator .  (This the RMS Server)
  When this arrive, the only thing we found, it to reboot the server or restart de SCOM service, after the Reboot the Correlation begin to work
  We got also many Event 714 Critical and after this Event 711 Warning
  Thank

  Have a look at: https://social.technet.microsoft.com/Forums/systemcenter/en-US/e75e84d9-0c9e-4d83-b3da-45a143757f85/exchange-2010-monitoring-with-scom-2012-correlation-service-issue
  One user reported an issue with the exchange correlation engine after upgrade and said that:
  I had issues with the corellation engine after upgrading scom 2012 to R2.
  The MomBidLdr.dll version changed in the SCOM directories, and needs to be updated in the:
  C:\Program Files\Microsoft\Exchange Server\v14\Bin directory.
  That seemed to stop the errors for me.
  Some troubleshooting steps listed here also:
  https://technet.microsoft.com/en-us/library/ff360495(v=exchg.140).aspx
  Cheers,
  Martin
  Blog:
  http://sustaslog.wordpress.com 
  LinkedIn:
  Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

• Export dump file and log file  name as sysdate in script

  Hi to All,
  Can anybody help me to give logical backup export dump file namd log file name is as contain sysdate in its name so that we can Uniquelly identified it.
  Regards
  DXB_DBA

  On windows it gets a bit hairy as there really is no clean and nice way of doing it.There are a couple of options.
  1. If you can rely on dateformat not changing, you can use a static substring expression. For example, the following might work w/ finnish locale echo %date:~3,2%%date:~6,2%%date:~9,4%Similarly, when you know the dateformat you can tokenize the output of 'date /t' and discard the tokens you don't want.
  2. You can set dateformat to your liking and then just use %date% in your script
  3. You can run a "SELECT to_char(sysdate,..." into a file and then read that file in your script.
  4. Simon Sheppard also has a solution you could use as a basis. I have a slight issue with the approach, but that could just be me.
  5. Use gnuwin32 or similar ;)
  Also note that %date% env var is set automatically from w2k onwards, so some of the solutions might not work w/ older versions.

• Can I list/export more than 3-4 all-day events

  Hi:
  I need a way to list more than 4 all-day events in the monthly view. The three dots up above mean they will list in the daily/weekly view but this does me no good.
  I also wonder if you can export to .pdf more than 3 all-day events. Why is this not possible? It's a severe limitation, and I find too many of these with Mac's stuff. Close, but something silly always gets in the way. I am almost over it.
  please help if you can. Much obliged,
  ms

  Hi Mark,
  As far as I know, there isn't a way to show more than three all-day events in iCal's Month view.
  You could make a PDF of the month in List view. This should show all of your events. In month view choose Print. In the dialog change the view from Month to List.
  Hope this helps.
  John M

• PowerShell - Mining Remote Event Log / Hanging...

  I'm mining remote event logs on multiple machines to find a series of events.  I've put together a script that requests the event log name and start date (earliest date to begin the log export).
  For some reason, the process seems to hang after writing to the file and not proceed to the next machine.
  If someone could peek at this script and tell me if I missed something obvious, I'd greatly appreciate it.
  # Event Log Check
  # Get list of computers from specified file
  $machines = get-content -path "C:\Command Prompt\CheckEvent_NETLOGON\ComputerList.txt"
  $LogName = read-host "Enter Log Name to Query"
  $startdate = read-host "Enter Start Date (mm/dd/yy)"
  # Begin Looping through File
  $count =2
  foreach ($machine in $machines)
  $enddate = get-date
  $shortend = get-date -format MM-dd-yy.HH.mm
  $machinename = (Get-WmiObject win32_computersystem -ComputerName $machine).Name
  write-host "Starting $machine query."
  Get-Eventlog -Logname $LogName -ComputerName $machine -after $startdate -before $enddate | select TimeGenerated,MachineName,EventID,Source,UserName | export-csv -delimiter "`t" -path "C:\Command Prompt\CheckEvent_NETLOGON\results\$machinename.$logname.$shortend.ttx"
  write-host "$machine complete. Next..."
  $count++
  Thanks so much!
  Ben Adler

  These two lines were wrong:
  $enddate = get-date
  $shortend = get-date
  -format MM-dd-yy.HH.mm
  You may also need to check the date format.
  I would use an interval.  Ask for how many days to retrieve and calculate
  $numdays=7
  $before=[datetime]::Today
  $after=$before.AddDays(-$numdays)
  If you are all Vista or later use Get-WinEvent.  It is faster and indexes most values.
  \_(ツ)_/

• Seemingly successful install of Exchange 2013 SP1 turns into many errors in event logs after upgrade to CU7

  I have a new Exchange 2013 server with plans to migrate from my current Exchange 2007 Server. 
  I installed Exchange 2013 SP1 and the only errors I saw in the event log seemed to be long standing known issues that did not indicate an actual problem (based on what I read online). 
  I updated to CU7 and now lots of errors have appeared (although the old ones seem to have been fixed so I have that going for me). 
  Currently the Exchange 2013 server is not in use and clients are still hitting the 2007 server.
  Issue 1)
  After each reboot I get a Kernel-EventTracing 2 error.  I cannot find anything on this on the internet so I have no idea what it is.
  Session "FastDocTracingSession" failed to start with the following error: 0xC0000035
  I did read other accounts of this error with a different name in the quotes but still can’t tell what this is or where it is coming from.
  Issue 2)
  I am still getting 5 MSExchange Common 106 errors even after reregistering all of the perf counters per this page:
  https://support.microsoft.com/kb/2870416?wa=wsignin1.0
  One of the perf counters fails to register using the script from the link above.
  66 C:\Program Files\Microsoft\Exchange Server\V15\Setup\Perf\InfoWorkerMultiMailboxSearchPerformanceCounters.xml
  New-PerfCounters : The performance counter definition file is invalid.
  At C:\Users\administrator.<my domain>\Downloads\script\ReloadPerfCounters.ps1:19 char:4
  +    New-PerfCounters -DefinitionFileName $f
  +    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo         
  : InvalidData: (:) [New-PerfCounters], TaskException
      + FullyQualifiedErrorId : [Server=VALIS,RequestId=71b6bcde-d73e-4c14-9a32-03f06e3b2607,TimeStamp=12/18/2014 10:09:
     12 PM] [FailureCategory=Cmdlet-TaskException] 33EBD286,Microsoft.Exchange.Management.Tasks.NewPerfCounters
  But that one seems unrelated to the ones that still throw errors. 
  Three of the remaining five errors are (the forum is removing my spacing between the error text so it looks like a wall of text - sorry):
  Performance counter updating error. Counter name is Count Matched LowFidelity FingerPrint, but missed HighFidelity FingerPrint, category name is MSExchange Anti-Malware Datacenter Perfcounters. Optional code: 3. Exception: The
  exception thrown is : System.InvalidOperationException: The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly.
     at System.Diagnostics.PerformanceCounter.InitializeImpl()
     at System.Diagnostics.PerformanceCounter.set_RawValue(Int64 value)
     at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.set_RawValue(Int64 value)
  Last worker process info : System.ArgumentException: Process with an Id of 7384 is not running.
     at System.Diagnostics.Process.GetProcessById(Int32 processId)
     at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
  Performance counter updating error. Counter name is Number of items, item is matched with finger printing cache, category name is MSExchange Anti-Malware Datacenter Perfcounters. Optional code: 3. Exception: The exception thrown
  is : System.InvalidOperationException: The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly.
     at System.Diagnostics.PerformanceCounter.InitializeImpl()
     at System.Diagnostics.PerformanceCounter.set_RawValue(Int64 value)
     at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.set_RawValue(Int64 value)
  Last worker process info : System.ArgumentException: Process with an Id of 7384 is not running.
     at System.Diagnostics.Process.GetProcessById(Int32 processId)
     at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
  Performance counter updating error. Counter name is Number of items in Malware Fingerprint cache, category name is MSExchange Anti-Malware Datacenter Perfcounters. Optional code: 3. Exception: The exception thrown is : System.InvalidOperationException:
  The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly.
     at System.Diagnostics.PerformanceCounter.InitializeImpl()
     at System.Diagnostics.PerformanceCounter.set_RawValue(Int64 value)
     at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.set_RawValue(Int64 value)
  Last worker process info : System.ArgumentException: Process with an Id of 7384 is not running.
     at System.Diagnostics.Process.GetProcessById(Int32 processId)
     at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
  Issue 3)
  I appear to have some issues related to the healthmailboxes. 
  I get MSExchangeTransport 1025 errors for multiple healthmailboxes.
  SMTP rejected a (P1) mail from 'HealthMailbox23b10b91745648819139ee691dc97eb6@<my domain>.local' with 'Client Proxy <my server>' connector and the user authenticated as 'HealthMailbox23b10b91745648819139ee691dc97eb6'. The Active Directory
  lookup for the sender address returned validation errors. Microsoft.Exchange.Data.ProviderError
  I reran setup /prepareAD to try and remedy this but I am still getting some.
  Issue 4)
  I am getting an MSExchange RBAC 74 error. 
  (Process w3wp.exe, PID 984) Connection leak detected for key <my domain>.local/Admins/Administrator in Microsoft.Exchange.Configuration.Authorization.WSManBudgetManager class. Leaked Value 1.
  Issue 5)
  I am getting MSExchange Assistants 9042 warnings on both databases.
  Service MSExchangeMailboxAssistants. Probe Time Based Assistant for database Database02 (c83dbd91-7cc4-4412-912e-1b87ca6eb0ab) is exiting a work cycle. No mailboxes were successfully processed. 2 mailboxes were skipped due to errors. 0 mailboxes were
  skipped due to failure to open a store session. 0 mailboxes were retried. There are 0 mailboxes in this database remaining to be processed.
  Some research suggested this may be related to deleted mailboxes however I have never had any actual user mailboxes on this server. 
  If they are healthmailboxes or arbitration mailboxes that might make sense but I am unsure of what to do on this.
  Issue 6)
  At boot I am getting an MSExchange ActiveSync warning 1033
  The setting SupportedIPMTypes in the Web.Config file was missing. 
  Using default value of System.Collections.Generic.List`1[System.String].
  I don't know why but this forum is removing some of my spacing that would make parts of this easier to read.

  Hi Eric
  Yes I have uninstalled and reinstalled Exchange 2013 CU7 for the 3^rd time. 
  I realize you said one issue per forum thread but since I already started this thread with many issues I will at least post what I have discovered on them in case someone finds their way here from a web search.
  I have an existing Exchange 2007 server in the environment so I am unable to create email address policies that are defined by “recipient container”. 
  If I try and do so I get “You can't specify the recipient container because legacy servers are detected.”
   So I cannot create a normal email address policy and restrict it to an OU without resorting to some fancy filtering. 
  Instead what I have done is use PS to modify extensionAttribute1 (otherwise known as Custom Attribute 1 to exchange) for all of my users. 
  I then applied an address policy to them and gave it the highest priority. 
  Then I set a default email address policy for the entire organization. 
  After reinstalling Exchange all of my system mailboxes were created with the internal domain name. 
  So issue number 3 above has not come up. 
  For issue number one above I have created a new thread:
  https://social.technet.microsoft.com/Forums/office/en-US/7eb12b89-ae9b-46b2-bd34-e50cd52a4c15/microsoftwindowskerneleventtracing-error-2-happens-twice-at-boot-ex2013cu7?forum=exchangesvrdeploy
  For issue number four I have posted to this existing thread where there is so far no resolution:
  https://social.technet.microsoft.com/Forums/exchange/en-US/2343730c-7303-4067-ae1a-b106cffc3583/exchange-error-id-74-connection-leak-detected-for-key?forum=exchangesvradmin
  Issue number Five I have managed to recreate and get rid of in more than one way. 
  If I create a new database in ECP and set the database and log paths where I want, then this error will appear. 
  If I create the database in the default location and then use EMS to move it and set the log path, then the error will not appear. 
  The error will also appear (along with other errors) if I delete the health mailboxes and let them get recreated by restarting the server or the Health Manager service. 
  If I then go and set the retention period for deleted mailboxes to 0 days and wait a little while, these will all go away. 
  So my off hand guess is that these are caused by orphaned system mailboxes.
  For issue number six I have posted to this existing thread where there is so far no resolution:
  https://social.technet.microsoft.com/Forums/exchange/en-US/dff62411-fad8-4d0c-9bdb-037374644845/event-1033-msexchangeactivesync-warning?forum=exchangesvrmobility
  So for the remainder of this thread we can try and tackle issue number two which is the perf counters. 
  The exact same 5 perf counter were coming up and this had been true each time I have uninstalled and reinstalled Exchange 2013CU7. 
  Actually to be more accurate a LOT of perf counter errors come up after the initial install, but reloading the perf counters using the script I posted above reduces it to the same five. 
  Using all of your suggestions so far has not removed these 5 remaining errors either.  Since there is no discernible impact other than these errors at boot I am not seriously bothered by them but as will all event log errors, I would prefer
  to make them go away if possible.

• System Events Log growing in size

  My Imac is 4 months old & the Syatem Events Log is already 10 meg. in size. I have this feeling that because of it Imac starting time slightly increased (I switch off at nights).
  I tried utilities like maintenance & Onyx to delete the file without success. Is there a way to delete it? What will happen if I trash it manually?
  Appreciate any suggestion.

  OS X will automatically compress and discard old logs, IF you let it run during the night, or if you put it to sleep during the night. If you do a cold restart every morning, OS X won't automatically run the cleanup scripts.
  If you like to power it off when not in use, do the following:
  - on an admin account, open Terminal
  - enter 'sudo periodic daily weekly monthly', without the quotes, then press return. You will be asked for your admin password.
  - wait a few minutes until the command completes
  This will force the OS X maintenance scripts to run. It's not critical how often you do this, but once per month will be OK.
  Alternatively, there is a way to reschedule the daily, weekly and monthly scripts to run during the day.

• How to display system security events logs in Cisco router 4980

  Hi,
  in order to perform acceptance tests following the installation of a Cisco 4980 router cluster, I need to verify that any system security events are logged and I can diplay them on the CLI output (for example with the #show logging command).
  By system security events logs, I mean for example bad authentification on the switch, creation/deletion/modification of a user accoount, telnet connexion attempt while this protocol is not allowed, etc...
  With the #show logging command, I have security events related to  access-list, or configuration changes (even if these ones are not  really verbose on waht have been changed), but no "system" security  events.
  Here is my logging initial logging configuration on these routers:
  logging rate-limit 1 except errors
  logging console critical
  logging monitor critical
  But I also tried like this:
  logging rate-limit 1 except errors
  logging console informational
  logging monitor critical
  logging history informational
  logging facility auth
  But exactly the same result...
  Is this feature exist or not ?
  If yes, how to configure it ?
  Thanks.
  Julien

  Here is a script that will copy the previous days events and save them to "C:\". The file name be yesterdays date ex "04-18-2010-Events.csv"
  Const strComputer = "."
  Dim objFSO, objWMIService, colEvents, objEvent, outFile
  Dim dtmStartDate, dtmEndDate, DateToCheck, fileDate
  Set objFSO = CreateObject("Scripting.FileSystemObject")
  Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
  Set dtmEndDate = CreateObject("WbemScripting.SWbemDateTime")
  'change the date form "/" to "-" so it can be used in the file name
  fileDate = Replace(Date - 1,"/","-")
  Set outFile = objFSO.CreateTextFile("C:\" & fileDate & "-Events.csv",True)
  DateToCheck = Date - 1
  dtmEndDate.SetVarDate Date, True
  dtmStartDate.SetVarDate DateToCheck, True
  Set objWMIService = GetObject("winmgmts:" _
  & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
  Set colEvents = objWMIService.ExecQuery _
  ("Select * from Win32_NTLogEvent Where TimeWritten >= '" _
  & dtmStartDate & "' and TimeWritten < '" & dtmEndDate & "'")
  For each objEvent in colEvents
  outFile.WriteLine String(100,"-")
  outFile.WriteLine "Category = " & objEvent.Category
  outFile.WriteLine "ComputerName = " & objEvent.ComputerName
  outFile.WriteLine "EventCode = " & objEvent.EventCode
  outFile.WriteLine "Message = " & objEvent.Message
  outFile.WriteLine "RecordNumber = " & objEvent.RecordNumber
  outFile.WriteLine "SourceName = " & objEvent.SourceName
  outFile.WriteLine "TimeWritten = " & objEvent.TimeWritten
  outFile.WriteLine "Type = " & objEvent.Type
  outFile.WriteLine "User = " & objEvent.User
  outFile.WriteLine String(100,"-")
  Next
  outFile.Close
  MsgBox "Finished!"
  v/r LikeToCode....Mark the best replies as answers.