Solved

Powershell query windows event log for %1 variables

Posted on 2011-10-01
9
641 Views
Last Modified: 2012-05-12
Hello

Event ID: 20272 logged in windows system event log, http://technet.microsoft.com/en-us/library/cc733849(WS.10).aspx 
The user: %1 connected on port: %2 on: %3 at: %4 and disconnected on: %5 at: %6. The user was active for: %7 minutes %8 seconds. %9 bytes were sent and %10 bytes were received. The reason for disconnecting was: %11.

When viewwed in the event log appears as
CoID={DCF3376C-A901-4685-ACC5-698EAC5876B8}: The user domain\first.last connected on port VPN2-127 on 1/10/2011 at 7:53 PM and disconnected on 1/10/2011 at 9:13 PM.  The user was active for 80 minutes 33 seconds.  19113013 bytes were sent and 2478245 bytes were received. The reason for disconnecting was user request.

Question, the message does not contain the ":" colon character, is there a way in powershell to extract the %1 to %11 values with out assuming instring posistioning?

I have code in powershell to locate, read and export to csv. Looking for code to extract system entered values.

Thanks in advance.
0
Comment
Question by:hairylots
  • 4
  • 3
  • 2
9 Comments
 
LVL 69

Expert Comment

by:Qlemo
ID: 36898268
You  can use the following expression. $msg is the event log entry, $tpl the template as shown above.
$msg -match ($tpl -split ":* %\d+" -join " (.*)")
$matches
$matches[1..($matches.count-1)]

Open in new window

The last two lines show the original result, including the complete line as $matches[0], where the matches are displayed in reversed order, and how to access specific values.
0
 

Author Comment

by:hairylots
ID: 36898490
Hello Qlemo

Thanks for that responce, this approach is working except I missed one value from the string you have used as a template. Note the actual message has a value at the begining of the line: "CoID={DCF3376C-A901-4685-ACC5-698EAC5876B8}: ", this value appears to be randomly generated in the format of 43 characters: "CoID={random-string-of-numbers}: "
Message
-------
CoID={2BFA4324-66E9-49A3-984B-94747A711C62}:
CoID={35B2473E-17C9-497C-B16C-C145DA0BD7D0}:
CoID={DCF3376C-A901-4685-ACC5-698EAC5876B8}:
CoID={ED43C659-D7AE-49AD-9169-FC2168656290}:
CoID={E953708F-66BE-480D-94F6-B7FFB9D0AF56}:
CoID={ED43C659-D7AE-49AD-9169-FC2168656290}:
CoID={E953708F-66BE-480D-94F6-B7FFB9D0AF56}:
CoID={ED43C659-D7AE-49AD-9169-FC2168656290}:
CoID={E953708F-66BE-480D-94F6-B7FFB9D0AF56}:
CoID={ED43C659-D7AE-49AD-9169-FC2168656290}:

How can I modify the $tpl to deal with this startof string value?

Thanks in advance, your assitance is appreciated.
0
 

Author Comment

by:hairylots
ID: 36898706
Hello Qlemo

Found a workable solution but woudl prefer a better one if avaiable.

$tpl = "The user: %1 connected on port: %2 on: %3 at: %4 and disconnected on: %5 at: %6. The user was active for: %7 minutes %8 seconds. %9 bytes were sent and %10 bytes were received. The reason for disconnecting was: %11."
$msg = "CoID={2BFA4324-66E9-49A3-984B-94747A711C62}: The user domain\first.last connected on port VPN2-127 on 1/10/2011 at 7:53 PM and disconnected on 1/10/2011 at 9:13 PM.  The user was active for 80 minutes 33 seconds.  19113013 bytes were sent and 2478245 bytes were received. The reason for disconnecting was user request."
$pos = $msg.IndexOf(" ")
$msg = $msg.Substring($pos+1)
$msg -match ($tpl -split ":* %\d+" -join " (.*)")
$matches
$matches[1..($matches.count-1)]

Thanks.
0
NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

 
LVL 9

Accepted Solution

by:
chrismerritt earned 500 total points
ID: 36899174
Slight modification:

$tpl = "The user: %1 connected on port: %2 on: %3 at: %4 and disconnected on: %5 at: %6. The user was active for: %7 minutes %8 seconds. %9 bytes were sent and %10 bytes were received. The reason for disconnecting was: %11."
$msg = "CoID={2BFA4324-66E9-49A3-984B-94747A711C62}: The user domain\first.last connected on port VPN2-127 on 1/10/2011 at 7:53 PM and disconnected on 1/10/2011 at 9:13 PM.  The user was active for 80 minutes 33 seconds.  19113013 bytes were sent and 2478245 bytes were received. The reason for disconnecting was user request."
$msg = $msg.SubString($msg.IndexOf(":") + 2)
$msg -match ($tpl -split ":* %\d+" -join " (.*)")
$matches
$matches[1..($matches.count-1)]

Matching stuff looks cool, not played around with it before.

Though to be honest I am wondering why you don't simply query the event logs with WMI and utilise the built in functions to retrieve the values?

For example:

$Events = get-wmiobject -class win32_ntlogevent -computerName "ENTER COMPUTER NAME HERE" -filter "(EventCode=1221) and (LogFile='Application')"

foreach ($Event in $Events)
{
	$Event.InsertionStrings[0]
	$Event.InsertionStrings[1]
	$Event.InsertionStrings[2]
}

Open in new window


InsertionStrings is an array of items assigned to the Event.

Obviously you will need to change the above filter to work with your server, and pick the right log and eventid you are looking for.
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 36899503
If that part is occuring with all your event log entries, then this is most simple:
$tpl = "The user: %1 connected on port: %2 on: %3 at: %4 and disconnected on: %5 at: %6. The user was active for: %7 minutes %8 seconds. %9 bytes were sent and %10 bytes were received. The reason for disconnecting was: %11."
$msg = "CoID={2BFA4324-66E9-49A3-984B-94747A711C62}: The user domain\first.last connected on port VPN2-127 on 1/10/2011 at 7:53 PM and disconnected on 1/10/2011 at 9:13 PM.  The user was active for 80 minutes 33 seconds.  19113013 bytes were sent and 2478245 bytes were received. The reason for disconnecting was user request."
$msg -match ("CoID={.*}: " + $tpl -split ":* %\d+" -join " (.*)")
$matches
$matches[1..($matches.count-1)]

Open in new window

If you wonder why the CoID does not appear in $matches, while the other regular expression patterns do: I did not enclose them in parens (), so they are not grouped, and hence not stored in $matches.
0
 

Author Comment

by:hairylots
ID: 36991692
Sorry for the delay in responding.

Thansk to both recommendations. Wish I could understand the suggestion from Qlemo as it looks quite impressive. I did find suggestion from chrismerritt easier to work with tho.

Here is end result that displays desired report to cli.
========================
$strComputer="1.1.1.1"
$strHostName="hostname"

$promptpass = Read-Host -Assecurestring "Please enter a password"
$mycreds = New-Object System.Management.Automation.PSCredential ("dcdomainname\user.name", $promptpass)

$logfile = "System"
$EventCode = "20272"

$Events = get-wmiobject -computerName $strComputer -Credential $mycreds win32_ntlogevent -filter "(EventCode='$EventCode') and (LogFile='$logfile')"

foreach ($Event in $Events)
{
      for ($i=1; $i -le 11; $i++)
      {
            if ($i -lt 11)
            {$strMessage1 = $strMessage1 + $Event.InsertionStrings[$i] + ", "}
            else
            {$strMessage1 = $strMessage1 + $Event.InsertionStrings[$i]}
      }
      $strMessage1 = $strMessage1 + "`r`n"
      $strMessage2 = $strMessage2 + $strMessage1
}
$myCollection += $strMessage2
$myCollection
===============

Thanks again.
0
 

Author Closing Comment

by:hairylots
ID: 36991702
thanks
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 36993697
I agree that using WMI for this purpose is easier to work with, if you do not get the regular expression syntax right and understandable. RegExp isn't an easy-to-get topic ...
0
 
LVL 9

Expert Comment

by:chrismerritt
ID: 36994396
Glad my suggestion helped, I had the same problem when looking for whitespace events id's for exchange and the WMI stuff was really good for it :)
0

Featured Post

Courses: Start Training Online With Pros, Today

Brush up on the basics or master the advanced techniques required to earn essential industry certifications, with Courses. Enroll in a course and start learning today. Training topics range from Android App Dev to the Xen Virtualization Platform.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this previous article (https://oddytee.wordpress.com/2016/05/05/provision-new-office-365-user-and-mailbox-from-exchange-hybrid-via-powershell/), we made basic license assignments to users in O365. When I say basic, the method is the simplest way …
A procedure for exporting installed hotfix details of remote computers using powershell
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
Although Jacob Bernoulli (1654-1705) has been credited as the creator of "Binomial Distribution Table", Gottfried Leibniz (1646-1716) did his dissertation on the subject in 1666; Leibniz you may recall is the co-inventor of "Calculus" and beat Isaac…

785 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question