?
Solved

get-winevent -path query

Posted on 2011-03-08
10
Medium Priority
?
1,520 Views
Last Modified: 2012-05-11
hi Experts!

From a saved event log (of Application) I tried the following ps1 to select the evtx file:

function RemoveBlankSpaces ([string]$streng) {
        [string]$Temp = ((($streng -Replace "`r|`n|`t", "") -replace "\s{2,100}"," ") -replace "\s:",":").Trim()
        $Length = $Temp.length
        [int] $Limit = 950
        if ($length -gt $Limit) {
                return $temp.remove($Limit,($Length-$limit))
        } else {
                return $temp
        }
}
$out = @()
$evts = get-winevent -path "C:\Data\CustomLog\CustomLogapp01-07-2011@17-51-29.evtx"  
foreach($evt in $evts){
$mess = RemoveBlankSpaces($evt.Message)
#$out += "$($evt.ProvideName),$($EntryType),$($evt.TimeCreated),$mess"
$out += "$($evt.*)"
}
$out | out-file -filepath .\error.txt

Open in new window

However,

in the error.txt file I would get this:

,,12/29/2010 14:15:06,
,,12/29/2010 14:15:06,
,,12/29/2010 14:15:06,

The source name, error type and message are missing.

Any idea how to correct the script above?
0
Comment
Question by:allanau20
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 2
10 Comments
 
LVL 71

Accepted Solution

by:
Chris Dent earned 2000 total points
ID: 35083330

You have a typo for ProviderName (missing an R, you have ProvideName).

$EntryType is defined as a variable, and has no value in the script above. Did you mean $_.EntryType? And does that property actually exist in your output?

I can't really see a problem with $mess, it works for me.

I suggest you consider a structure like this though:
Get-WinEvent -path "C:\Data\CustomLog\CustomLogapp01-07-2011@17-51-29.evtx" |
  Select-Object ProviderName, EntryType, TimeCreated, @{n='Message';e={ RemoveBlankSpaces($_.Message) }} |
  Export-Csv "error.csv" -NoTypeInformation

Open in new window

Chris
0
 
LVL 5

Author Comment

by:allanau20
ID: 35085168
Super Chris; I will definitely try it and let you know. Thx!
0
 
LVL 5

Author Comment

by:allanau20
ID: 35086635
hi Chris,

I ran it and now I do see the ProviderName. However, the EntryType is blank and the Message is mostly blank. What I mean is that, and this is what I think, event messages that looks like it's on a single line does get displayed, but if it's broken into multiple lines then it doesn't get displayed.
Then again, I noticed that there might be some exception where the following has only first 4 lines displayed:

Event code: 3001
Event message: The request has been aborted.
Event time: 12/29/2010 7:42:50 AM
Event time (UTC): 12/29/2010 5:42:50 PM
Event ID: fec46fa7242247c1831f2e642274a764
Event sequence: 819
Event occurrence: 2
Event detail code: 0

Any ideas? TIA!!
0
Ransomware Attacks Keeping You Up at Night?

Will your organization be ransomware's next victim?  The good news is that these attacks are predicable and therefore preventable. Learn more about how you can  stop a ransomware attacks before encryption takes place with our Ransomware Prevention Kit!

 
LVL 5

Author Comment

by:allanau20
ID: 35086671
Hi Chris,

I even tried not using the message function and the results are the same:

  Select-Object ProviderName, EntryType, TimeCreated, Message  |
0
 
LVL 5

Author Comment

by:allanau20
ID: 35089810
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 35093219

EntryType doesn't exist as a property in the logs I have. I suggest you check that it does for yours with:

Get-WinEvent ... -MaxEvents 1 | Format-List *

Message... start by checking you can capture the message as normal, then it's time to test the function you've written. I didn't do a lot of testing there, it worked fine for the one example I tried, but it was only one.

Chris
0
 
LVL 5

Author Comment

by:allanau20
ID: 35203890
Hi,

Just want to let you know that I haven't forgotten this question; apparent Get-WinEvent doesn't work on me XP puter; so waiting for a R2 to being build. Will let you know. Thx!
0
 
LVL 5

Author Comment

by:allanau20
ID: 35494580
sorry; I haven't ababdon this question ... it's a pain waiting for the box to be built ...
0
 
LVL 5

Author Comment

by:allanau20
ID: 35494588
I will definite let you know ... and not abandon this question. Thanks!
0

Featured Post

Need protection from advanced malware attacks?

Look no further than WatchGuard's Total Security Suite, providing defense in depth against today's most headlining attacks like Petya 2.0 and WannaCry. Keep your organization out of the news with protection from known and unknown threats.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A quick Powershell script I wrote to find old program installations and check versions of a specific file across the network.
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
Add bar graphs to Access queries using Unicode block characters. Graphs appear on every record in the color you want. Give life to numbers. Hopes this gives you ideas on visualizing your data in new ways ~ Create a calculated field in a query: …

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question