Solved

Powershell query windows event log for %1 variables

Posted on 2011-10-01
9
647 Views
Last Modified: 2012-05-12
Hello

Event ID: 20272 logged in windows system event log, http://technet.microsoft.com/en-us/library/cc733849(WS.10).aspx 
The user: %1 connected on port: %2 on: %3 at: %4 and disconnected on: %5 at: %6. The user was active for: %7 minutes %8 seconds. %9 bytes were sent and %10 bytes were received. The reason for disconnecting was: %11.

When viewwed in the event log appears as
CoID={DCF3376C-A901-4685-ACC5-698EAC5876B8}: The user domain\first.last connected on port VPN2-127 on 1/10/2011 at 7:53 PM and disconnected on 1/10/2011 at 9:13 PM.  The user was active for 80 minutes 33 seconds.  19113013 bytes were sent and 2478245 bytes were received. The reason for disconnecting was user request.

Question, the message does not contain the ":" colon character, is there a way in powershell to extract the %1 to %11 values with out assuming instring posistioning?

I have code in powershell to locate, read and export to csv. Looking for code to extract system entered values.

Thanks in advance.
0
Comment
Question by:hairylots
  • 4
  • 3
  • 2
9 Comments
 
LVL 69

Expert Comment

by:Qlemo
ID: 36898268
You  can use the following expression. $msg is the event log entry, $tpl the template as shown above.
$msg -match ($tpl -split ":* %\d+" -join " (.*)")
$matches
$matches[1..($matches.count-1)]

Open in new window

The last two lines show the original result, including the complete line as $matches[0], where the matches are displayed in reversed order, and how to access specific values.
0
 

Author Comment

by:hairylots
ID: 36898490
Hello Qlemo

Thanks for that responce, this approach is working except I missed one value from the string you have used as a template. Note the actual message has a value at the begining of the line: "CoID={DCF3376C-A901-4685-ACC5-698EAC5876B8}: ", this value appears to be randomly generated in the format of 43 characters: "CoID={random-string-of-numbers}: "
Message
-------
CoID={2BFA4324-66E9-49A3-984B-94747A711C62}:
CoID={35B2473E-17C9-497C-B16C-C145DA0BD7D0}:
CoID={DCF3376C-A901-4685-ACC5-698EAC5876B8}:
CoID={ED43C659-D7AE-49AD-9169-FC2168656290}:
CoID={E953708F-66BE-480D-94F6-B7FFB9D0AF56}:
CoID={ED43C659-D7AE-49AD-9169-FC2168656290}:
CoID={E953708F-66BE-480D-94F6-B7FFB9D0AF56}:
CoID={ED43C659-D7AE-49AD-9169-FC2168656290}:
CoID={E953708F-66BE-480D-94F6-B7FFB9D0AF56}:
CoID={ED43C659-D7AE-49AD-9169-FC2168656290}:

How can I modify the $tpl to deal with this startof string value?

Thanks in advance, your assitance is appreciated.
0
 

Author Comment

by:hairylots
ID: 36898706
Hello Qlemo

Found a workable solution but woudl prefer a better one if avaiable.

$tpl = "The user: %1 connected on port: %2 on: %3 at: %4 and disconnected on: %5 at: %6. The user was active for: %7 minutes %8 seconds. %9 bytes were sent and %10 bytes were received. The reason for disconnecting was: %11."
$msg = "CoID={2BFA4324-66E9-49A3-984B-94747A711C62}: The user domain\first.last connected on port VPN2-127 on 1/10/2011 at 7:53 PM and disconnected on 1/10/2011 at 9:13 PM.  The user was active for 80 minutes 33 seconds.  19113013 bytes were sent and 2478245 bytes were received. The reason for disconnecting was user request."
$pos = $msg.IndexOf(" ")
$msg = $msg.Substring($pos+1)
$msg -match ($tpl -split ":* %\d+" -join " (.*)")
$matches
$matches[1..($matches.count-1)]

Thanks.
0
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 9

Accepted Solution

by:
chrismerritt earned 500 total points
ID: 36899174
Slight modification:

$tpl = "The user: %1 connected on port: %2 on: %3 at: %4 and disconnected on: %5 at: %6. The user was active for: %7 minutes %8 seconds. %9 bytes were sent and %10 bytes were received. The reason for disconnecting was: %11."
$msg = "CoID={2BFA4324-66E9-49A3-984B-94747A711C62}: The user domain\first.last connected on port VPN2-127 on 1/10/2011 at 7:53 PM and disconnected on 1/10/2011 at 9:13 PM.  The user was active for 80 minutes 33 seconds.  19113013 bytes were sent and 2478245 bytes were received. The reason for disconnecting was user request."
$msg = $msg.SubString($msg.IndexOf(":") + 2)
$msg -match ($tpl -split ":* %\d+" -join " (.*)")
$matches
$matches[1..($matches.count-1)]

Matching stuff looks cool, not played around with it before.

Though to be honest I am wondering why you don't simply query the event logs with WMI and utilise the built in functions to retrieve the values?

For example:

$Events = get-wmiobject -class win32_ntlogevent -computerName "ENTER COMPUTER NAME HERE" -filter "(EventCode=1221) and (LogFile='Application')"

foreach ($Event in $Events)
{
	$Event.InsertionStrings[0]
	$Event.InsertionStrings[1]
	$Event.InsertionStrings[2]
}

Open in new window


InsertionStrings is an array of items assigned to the Event.

Obviously you will need to change the above filter to work with your server, and pick the right log and eventid you are looking for.
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 36899503
If that part is occuring with all your event log entries, then this is most simple:
$tpl = "The user: %1 connected on port: %2 on: %3 at: %4 and disconnected on: %5 at: %6. The user was active for: %7 minutes %8 seconds. %9 bytes were sent and %10 bytes were received. The reason for disconnecting was: %11."
$msg = "CoID={2BFA4324-66E9-49A3-984B-94747A711C62}: The user domain\first.last connected on port VPN2-127 on 1/10/2011 at 7:53 PM and disconnected on 1/10/2011 at 9:13 PM.  The user was active for 80 minutes 33 seconds.  19113013 bytes were sent and 2478245 bytes were received. The reason for disconnecting was user request."
$msg -match ("CoID={.*}: " + $tpl -split ":* %\d+" -join " (.*)")
$matches
$matches[1..($matches.count-1)]

Open in new window

If you wonder why the CoID does not appear in $matches, while the other regular expression patterns do: I did not enclose them in parens (), so they are not grouped, and hence not stored in $matches.
0
 

Author Comment

by:hairylots
ID: 36991692
Sorry for the delay in responding.

Thansk to both recommendations. Wish I could understand the suggestion from Qlemo as it looks quite impressive. I did find suggestion from chrismerritt easier to work with tho.

Here is end result that displays desired report to cli.
========================
$strComputer="1.1.1.1"
$strHostName="hostname"

$promptpass = Read-Host -Assecurestring "Please enter a password"
$mycreds = New-Object System.Management.Automation.PSCredential ("dcdomainname\user.name", $promptpass)

$logfile = "System"
$EventCode = "20272"

$Events = get-wmiobject -computerName $strComputer -Credential $mycreds win32_ntlogevent -filter "(EventCode='$EventCode') and (LogFile='$logfile')"

foreach ($Event in $Events)
{
      for ($i=1; $i -le 11; $i++)
      {
            if ($i -lt 11)
            {$strMessage1 = $strMessage1 + $Event.InsertionStrings[$i] + ", "}
            else
            {$strMessage1 = $strMessage1 + $Event.InsertionStrings[$i]}
      }
      $strMessage1 = $strMessage1 + "`r`n"
      $strMessage2 = $strMessage2 + $strMessage1
}
$myCollection += $strMessage2
$myCollection
===============

Thanks again.
0
 

Author Closing Comment

by:hairylots
ID: 36991702
thanks
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 36993697
I agree that using WMI for this purpose is easier to work with, if you do not get the regular expression syntax right and understandable. RegExp isn't an easy-to-get topic ...
0
 
LVL 9

Expert Comment

by:chrismerritt
ID: 36994396
Glad my suggestion helped, I had the same problem when looking for whitespace events id's for exchange and the WMI stuff was really good for it :)
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this previous article (https://oddytee.wordpress.com/2016/05/05/provision-new-office-365-user-and-mailbox-from-exchange-hybrid-via-powershell/), we made basic license assignments to users in O365. When I say basic, the method is the simplest way …
This article will help you understand what HashTables are and how to use them in PowerShell.
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

789 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question