PowerShell for Windows Admins

Apr 21 2012   4:56AM GMT

Scripting Games 2012 comments: #10 Advanced event 5



Posted by: Richard Siddaway
Tags:
PowerShell

http://blogs.technet.com/b/heyscriptingguy/archive/2012/04/06/2012-scripting-games-advanced-event-5-list-errors.aspx

This is the one I was asked to supply a commentary for

http://blogs.technet.com/b/heyscriptingguy/archive/2012/04/20/expert-commentary-2012-scripting-games-advanced-event-5.aspx

 

This one has raised an interesting interpretation issues.  The last design point asks:

  • Your output should be organized such that the largest source of errors appears at the top of the output.

The figure shows the data sorted by Event source  

 

I read the design point as log with the largest number of errors comes first.  The script I produced for the commentary doesn’t meet that last design point so I’ve revised it

#Requires -Version 2            
function Get-EventEntryCount{             
[CmdletBinding()]             
param (             
 [parameter(Position=0,            
   ValueFromPipeline=$true,             
   ValueFromPipelineByPropertyName=$true)]            
 [Alias("CN", "Computer")]              
 [string[]]$computername="$env:COMPUTERNAME",            
            
 [parameter(Position=1)]            
 [ValidateSet("Error", "Information", "FailureAudit", "SuccessAudit", "Warning", "All", "*")]            
 [string]$eventtype="Error"             
)             
BEGIN{            
  $currentUser = [Security.Principal.WindowsIdentity]::GetCurrent()            
  $testadmin = `
  (New-Object Security.Principal.WindowsPrincipal $currentUser).IsInRole(`
  [Security.Principal.WindowsBuiltinRole]::Administrator)            
              
  if (!$testadmin){            
   Throw "Must be run with elevated privileges"            
  }            
}#begin             
PROCESS{            
  foreach ($computer in $computername ){            
    switch ($computer) {            
     "."         {$computer="$env:COMPUTERNAME"}            
     "localhost" {$computer="$env:COMPUTERNAME"}            
    }            
            
    Write-Verbose "Processing computer: $computer"            
                
    $data = @()            
    if (Test-Connection -ComputerName $computer -Count 1 -Quiet){            
            
    Write-Verbose "Starting Remote Registry service on $computer"            
    $origrrsrv = Get-WmiObject -Class Win32_Service -Filter "Name='RemoteRegistry'" `
    -ComputerName $computer            
            
    if ($origrrsrv.StartMode -eq "Disabled") {            
      Set-Service -Name RemoteRegistry -ComputerName $computer -StartupType "Manual"            
    }            
            
    if ($origrrsrv.State -ne "Running") {            
      $origrrsrv.StartService() | Out-Null            
    }            
            
    Write-Verbose "Retrieving logs for $computer"            
                  
    Get-EventLog -List -ComputerName $computer |            
    foreach {            
      $log = $_.Log            
      Write-Verbose "Processing log: $log"            
                    
      if ($_.Entries.Count -gt 0) {            
         Write-Debug "Processing event type $eventtype"            
                      
         $n = Get-EventLog -LogName $($_.Log) -EntryType $eventtype -ComputerName $computer `
         -ErrorAction SilentlyContinue            
                      
         if ($n -ne $null){            
           Write-Debug "Entries found"            
           $n | group Source -NoElement |             
           foreach{            
                       
              $data += New-Object -TypeName PSObject -Property @{            
                 ComputerName = $computer            
                 LogName = $log            
                 EntryType = $eventtype            
                 EntrySource = $($_.Name)            
                 EntryCount = $($_.Count)            
             }            
           }            
         }            
       }  # end if entries            
       else {            
         Write-Verbose "$($computer): $log is empty"            
       }            
                    
            
        if ($origrrsrv.State -eq "Stopped") {            
          $origrrsrv.StopService() | Out-Null            
        }            
            
        if ($origrrsrv.StartMode -eq "Disabled") {            
          Set-Service -Name RemoteRegistry -ComputerName $computer -StartupType "Disabled"            
        }            
            
     } # end of log processing foreach            
   }            
   else {            
     Write-Warning "Cannot contact $computer"            
   } # end if ping            
   Write-Output $data             
 } ## end computer foreach            
}#process             
END{}#end            
            
<# 
.SYNOPSIS
Counts the number of entries of a given type
in the event logs of a system

.DESCRIPTION
One or more computers - from pipeline or parameter -  are
accessed to read the envent logs and count the entries of a 
given type. Empty logs are tested and the count is set to zero

.PARAMETER  computername
Name of computer for which log information
is to be retrieved

.PARAMETER  eventtype
Log entry type to count.
Accepted values are - 
"Error", "Information", "FailureAudit", 
"SuccessAudit", "Warning", "All", "*"

.EXAMPLE
Get-EventEntryCount 

Accesses logs on local machine. Peforms default display

.EXAMPLE
Get-EventEntryCount -computername "." | 
sort LogName, EntryCount -Descending | 
Format-Table EntrySource, EntryCount -GroupBy LogName

Accesses logs on local machine. Format display and group by logname

.EXAMPLE
"dc02", "webr201", "server02" | 
Get-EventEntryCount | 
sort Computer, LogName, EntryCount -Descending | 
Format-Table Logname, EntrySource, EntryCount -GroupBy Computer

Accesses logs on remote machines. Computer names accepted from pipeline.
Format display and group by computer

.EXAMPLE
Get-EventEntryCount -computername "dc02", "webr201", "server02" |
sort Computer, LogName, EntryCount -Descending | 
Format-Table Logname, EntrySource, EntryCount -GroupBy Computer

Accesses logs on remote machines. Computer names accepted as array.
Format display and group by computer

.INPUTS
Computer name - string or string array
Envent type - string. Must be member of set

.OUTPUTS
Returns a custom object with
properties:
ComputerName - name of computer
LogName - name of log
EntryType - Type of log entry
EntryCount - count of entries
EntrySource - event source

.NOTES


.LINK

#>            
            
}

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: