Solved

get-winevent -path query

Posted on 2011-03-08
10
1,471 Views
Last Modified: 2012-05-11
hi Experts!

From a saved event log (of Application) I tried the following ps1 to select the evtx file:

function RemoveBlankSpaces ([string]$streng) {
        [string]$Temp = ((($streng -Replace "`r|`n|`t", "") -replace "\s{2,100}"," ") -replace "\s:",":").Trim()
        $Length = $Temp.length
        [int] $Limit = 950
        if ($length -gt $Limit) {
                return $temp.remove($Limit,($Length-$limit))
        } else {
                return $temp
        }
}
$out = @()
$evts = get-winevent -path "C:\Data\CustomLog\CustomLogapp01-07-2011@17-51-29.evtx"  
foreach($evt in $evts){
$mess = RemoveBlankSpaces($evt.Message)
#$out += "$($evt.ProvideName),$($EntryType),$($evt.TimeCreated),$mess"
$out += "$($evt.*)"
}
$out | out-file -filepath .\error.txt

Open in new window

However,

in the error.txt file I would get this:

,,12/29/2010 14:15:06,
,,12/29/2010 14:15:06,
,,12/29/2010 14:15:06,

The source name, error type and message are missing.

Any idea how to correct the script above?
0
Comment
Question by:allanau20
  • 7
  • 2
10 Comments
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 35083330

You have a typo for ProviderName (missing an R, you have ProvideName).

$EntryType is defined as a variable, and has no value in the script above. Did you mean $_.EntryType? And does that property actually exist in your output?

I can't really see a problem with $mess, it works for me.

I suggest you consider a structure like this though:
Get-WinEvent -path "C:\Data\CustomLog\CustomLogapp01-07-2011@17-51-29.evtx" |
  Select-Object ProviderName, EntryType, TimeCreated, @{n='Message';e={ RemoveBlankSpaces($_.Message) }} |
  Export-Csv "error.csv" -NoTypeInformation

Open in new window

Chris
0
 
LVL 5

Author Comment

by:allanau20
ID: 35085168
Super Chris; I will definitely try it and let you know. Thx!
0
 
LVL 5

Author Comment

by:allanau20
ID: 35086635
hi Chris,

I ran it and now I do see the ProviderName. However, the EntryType is blank and the Message is mostly blank. What I mean is that, and this is what I think, event messages that looks like it's on a single line does get displayed, but if it's broken into multiple lines then it doesn't get displayed.
Then again, I noticed that there might be some exception where the following has only first 4 lines displayed:

Event code: 3001
Event message: The request has been aborted.
Event time: 12/29/2010 7:42:50 AM
Event time (UTC): 12/29/2010 5:42:50 PM
Event ID: fec46fa7242247c1831f2e642274a764
Event sequence: 819
Event occurrence: 2
Event detail code: 0

Any ideas? TIA!!
0
 
LVL 5

Author Comment

by:allanau20
ID: 35086671
Hi Chris,

I even tried not using the message function and the results are the same:

  Select-Object ProviderName, EntryType, TimeCreated, Message  |
0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 5

Author Comment

by:allanau20
ID: 35089810
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 35093219

EntryType doesn't exist as a property in the logs I have. I suggest you check that it does for yours with:

Get-WinEvent ... -MaxEvents 1 | Format-List *

Message... start by checking you can capture the message as normal, then it's time to test the function you've written. I didn't do a lot of testing there, it worked fine for the one example I tried, but it was only one.

Chris
0
 
LVL 5

Author Comment

by:allanau20
ID: 35203890
Hi,

Just want to let you know that I haven't forgotten this question; apparent Get-WinEvent doesn't work on me XP puter; so waiting for a R2 to being build. Will let you know. Thx!
0
 
LVL 5

Author Comment

by:allanau20
ID: 35494580
sorry; I haven't ababdon this question ... it's a pain waiting for the box to be built ...
0
 
LVL 5

Author Comment

by:allanau20
ID: 35494588
I will definite let you know ... and not abandon this question. Thanks!
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

This article will help you understand what HashTables are and how to use them in PowerShell.
This article explains how to prepare an HTML email signature template file containing dynamic placeholders for users' Azure AD data. Furthermore, it explains how to use this file to remotely set up a department-wide email signature policy in Office …
This video discusses moving either the default database or any database to a new volume.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now