Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Powershell query windows event log for %1 variables

Posted on 2011-10-01
9
Medium Priority
?
684 Views
Last Modified: 2012-05-12
Hello

Event ID: 20272 logged in windows system event log, http://technet.microsoft.com/en-us/library/cc733849(WS.10).aspx 
The user: %1 connected on port: %2 on: %3 at: %4 and disconnected on: %5 at: %6. The user was active for: %7 minutes %8 seconds. %9 bytes were sent and %10 bytes were received. The reason for disconnecting was: %11.

When viewwed in the event log appears as
CoID={DCF3376C-A901-4685-ACC5-698EAC5876B8}: The user domain\first.last connected on port VPN2-127 on 1/10/2011 at 7:53 PM and disconnected on 1/10/2011 at 9:13 PM.  The user was active for 80 minutes 33 seconds.  19113013 bytes were sent and 2478245 bytes were received. The reason for disconnecting was user request.

Question, the message does not contain the ":" colon character, is there a way in powershell to extract the %1 to %11 values with out assuming instring posistioning?

I have code in powershell to locate, read and export to csv. Looking for code to extract system entered values.

Thanks in advance.
0
Comment
Question by:hairylots
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
9 Comments
 
LVL 71

Expert Comment

by:Qlemo
ID: 36898268
You  can use the following expression. $msg is the event log entry, $tpl the template as shown above.
$msg -match ($tpl -split ":* %\d+" -join " (.*)")
$matches
$matches[1..($matches.count-1)]

Open in new window

The last two lines show the original result, including the complete line as $matches[0], where the matches are displayed in reversed order, and how to access specific values.
0
 

Author Comment

by:hairylots
ID: 36898490
Hello Qlemo

Thanks for that responce, this approach is working except I missed one value from the string you have used as a template. Note the actual message has a value at the begining of the line: "CoID={DCF3376C-A901-4685-ACC5-698EAC5876B8}: ", this value appears to be randomly generated in the format of 43 characters: "CoID={random-string-of-numbers}: "
Message
-------
CoID={2BFA4324-66E9-49A3-984B-94747A711C62}:
CoID={35B2473E-17C9-497C-B16C-C145DA0BD7D0}:
CoID={DCF3376C-A901-4685-ACC5-698EAC5876B8}:
CoID={ED43C659-D7AE-49AD-9169-FC2168656290}:
CoID={E953708F-66BE-480D-94F6-B7FFB9D0AF56}:
CoID={ED43C659-D7AE-49AD-9169-FC2168656290}:
CoID={E953708F-66BE-480D-94F6-B7FFB9D0AF56}:
CoID={ED43C659-D7AE-49AD-9169-FC2168656290}:
CoID={E953708F-66BE-480D-94F6-B7FFB9D0AF56}:
CoID={ED43C659-D7AE-49AD-9169-FC2168656290}:

How can I modify the $tpl to deal with this startof string value?

Thanks in advance, your assitance is appreciated.
0
 

Author Comment

by:hairylots
ID: 36898706
Hello Qlemo

Found a workable solution but woudl prefer a better one if avaiable.

$tpl = "The user: %1 connected on port: %2 on: %3 at: %4 and disconnected on: %5 at: %6. The user was active for: %7 minutes %8 seconds. %9 bytes were sent and %10 bytes were received. The reason for disconnecting was: %11."
$msg = "CoID={2BFA4324-66E9-49A3-984B-94747A711C62}: The user domain\first.last connected on port VPN2-127 on 1/10/2011 at 7:53 PM and disconnected on 1/10/2011 at 9:13 PM.  The user was active for 80 minutes 33 seconds.  19113013 bytes were sent and 2478245 bytes were received. The reason for disconnecting was user request."
$pos = $msg.IndexOf(" ")
$msg = $msg.Substring($pos+1)
$msg -match ($tpl -split ":* %\d+" -join " (.*)")
$matches
$matches[1..($matches.count-1)]

Thanks.
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
LVL 9

Accepted Solution

by:
chrismerritt earned 1500 total points
ID: 36899174
Slight modification:

$tpl = "The user: %1 connected on port: %2 on: %3 at: %4 and disconnected on: %5 at: %6. The user was active for: %7 minutes %8 seconds. %9 bytes were sent and %10 bytes were received. The reason for disconnecting was: %11."
$msg = "CoID={2BFA4324-66E9-49A3-984B-94747A711C62}: The user domain\first.last connected on port VPN2-127 on 1/10/2011 at 7:53 PM and disconnected on 1/10/2011 at 9:13 PM.  The user was active for 80 minutes 33 seconds.  19113013 bytes were sent and 2478245 bytes were received. The reason for disconnecting was user request."
$msg = $msg.SubString($msg.IndexOf(":") + 2)
$msg -match ($tpl -split ":* %\d+" -join " (.*)")
$matches
$matches[1..($matches.count-1)]

Matching stuff looks cool, not played around with it before.

Though to be honest I am wondering why you don't simply query the event logs with WMI and utilise the built in functions to retrieve the values?

For example:

$Events = get-wmiobject -class win32_ntlogevent -computerName "ENTER COMPUTER NAME HERE" -filter "(EventCode=1221) and (LogFile='Application')"

foreach ($Event in $Events)
{
	$Event.InsertionStrings[0]
	$Event.InsertionStrings[1]
	$Event.InsertionStrings[2]
}

Open in new window


InsertionStrings is an array of items assigned to the Event.

Obviously you will need to change the above filter to work with your server, and pick the right log and eventid you are looking for.
0
 
LVL 71

Expert Comment

by:Qlemo
ID: 36899503
If that part is occuring with all your event log entries, then this is most simple:
$tpl = "The user: %1 connected on port: %2 on: %3 at: %4 and disconnected on: %5 at: %6. The user was active for: %7 minutes %8 seconds. %9 bytes were sent and %10 bytes were received. The reason for disconnecting was: %11."
$msg = "CoID={2BFA4324-66E9-49A3-984B-94747A711C62}: The user domain\first.last connected on port VPN2-127 on 1/10/2011 at 7:53 PM and disconnected on 1/10/2011 at 9:13 PM.  The user was active for 80 minutes 33 seconds.  19113013 bytes were sent and 2478245 bytes were received. The reason for disconnecting was user request."
$msg -match ("CoID={.*}: " + $tpl -split ":* %\d+" -join " (.*)")
$matches
$matches[1..($matches.count-1)]

Open in new window

If you wonder why the CoID does not appear in $matches, while the other regular expression patterns do: I did not enclose them in parens (), so they are not grouped, and hence not stored in $matches.
0
 

Author Comment

by:hairylots
ID: 36991692
Sorry for the delay in responding.

Thansk to both recommendations. Wish I could understand the suggestion from Qlemo as it looks quite impressive. I did find suggestion from chrismerritt easier to work with tho.

Here is end result that displays desired report to cli.
========================
$strComputer="1.1.1.1"
$strHostName="hostname"

$promptpass = Read-Host -Assecurestring "Please enter a password"
$mycreds = New-Object System.Management.Automation.PSCredential ("dcdomainname\user.name", $promptpass)

$logfile = "System"
$EventCode = "20272"

$Events = get-wmiobject -computerName $strComputer -Credential $mycreds win32_ntlogevent -filter "(EventCode='$EventCode') and (LogFile='$logfile')"

foreach ($Event in $Events)
{
      for ($i=1; $i -le 11; $i++)
      {
            if ($i -lt 11)
            {$strMessage1 = $strMessage1 + $Event.InsertionStrings[$i] + ", "}
            else
            {$strMessage1 = $strMessage1 + $Event.InsertionStrings[$i]}
      }
      $strMessage1 = $strMessage1 + "`r`n"
      $strMessage2 = $strMessage2 + $strMessage1
}
$myCollection += $strMessage2
$myCollection
===============

Thanks again.
0
 

Author Closing Comment

by:hairylots
ID: 36991702
thanks
0
 
LVL 71

Expert Comment

by:Qlemo
ID: 36993697
I agree that using WMI for this purpose is easier to work with, if you do not get the regular expression syntax right and understandable. RegExp isn't an easy-to-get topic ...
0
 
LVL 9

Expert Comment

by:chrismerritt
ID: 36994396
Glad my suggestion helped, I had the same problem when looking for whitespace events id's for exchange and the WMI stuff was really good for it :)
0

Featured Post

NFR key for Veeam Agent for Linux

Veeam is happy to provide a free NFR license for one year.  It allows for the non‑production use and valid for five workstations and two servers. Veeam Agent for Linux is a simple backup tool for your Linux installations, both on‑premises and in the public cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Previously, on our Nano Server Deployment series, we've created a new nano server image and deployed it on a physical server in part 2. Now we will go through configuration.
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question