Solved

Powershell query windows event log for %1 variables

Posted on 2011-10-01
9
626 Views
Last Modified: 2012-05-12
Hello

Event ID: 20272 logged in windows system event log, http://technet.microsoft.com/en-us/library/cc733849(WS.10).aspx
The user: %1 connected on port: %2 on: %3 at: %4 and disconnected on: %5 at: %6. The user was active for: %7 minutes %8 seconds. %9 bytes were sent and %10 bytes were received. The reason for disconnecting was: %11.

When viewwed in the event log appears as
CoID={DCF3376C-A901-4685-ACC5-698EAC5876B8}: The user domain\first.last connected on port VPN2-127 on 1/10/2011 at 7:53 PM and disconnected on 1/10/2011 at 9:13 PM.  The user was active for 80 minutes 33 seconds.  19113013 bytes were sent and 2478245 bytes were received. The reason for disconnecting was user request.

Question, the message does not contain the ":" colon character, is there a way in powershell to extract the %1 to %11 values with out assuming instring posistioning?

I have code in powershell to locate, read and export to csv. Looking for code to extract system entered values.

Thanks in advance.
0
Comment
Question by:hairylots
  • 4
  • 3
  • 2
9 Comments
 
LVL 68

Expert Comment

by:Qlemo
Comment Utility
You  can use the following expression. $msg is the event log entry, $tpl the template as shown above.
$msg -match ($tpl -split ":* %\d+" -join " (.*)")
$matches
$matches[1..($matches.count-1)]

Open in new window

The last two lines show the original result, including the complete line as $matches[0], where the matches are displayed in reversed order, and how to access specific values.
0
 

Author Comment

by:hairylots
Comment Utility
Hello Qlemo

Thanks for that responce, this approach is working except I missed one value from the string you have used as a template. Note the actual message has a value at the begining of the line: "CoID={DCF3376C-A901-4685-ACC5-698EAC5876B8}: ", this value appears to be randomly generated in the format of 43 characters: "CoID={random-string-of-numbers}: "
Message
-------
CoID={2BFA4324-66E9-49A3-984B-94747A711C62}:
CoID={35B2473E-17C9-497C-B16C-C145DA0BD7D0}:
CoID={DCF3376C-A901-4685-ACC5-698EAC5876B8}:
CoID={ED43C659-D7AE-49AD-9169-FC2168656290}:
CoID={E953708F-66BE-480D-94F6-B7FFB9D0AF56}:
CoID={ED43C659-D7AE-49AD-9169-FC2168656290}:
CoID={E953708F-66BE-480D-94F6-B7FFB9D0AF56}:
CoID={ED43C659-D7AE-49AD-9169-FC2168656290}:
CoID={E953708F-66BE-480D-94F6-B7FFB9D0AF56}:
CoID={ED43C659-D7AE-49AD-9169-FC2168656290}:

How can I modify the $tpl to deal with this startof string value?

Thanks in advance, your assitance is appreciated.
0
 

Author Comment

by:hairylots
Comment Utility
Hello Qlemo

Found a workable solution but woudl prefer a better one if avaiable.

$tpl = "The user: %1 connected on port: %2 on: %3 at: %4 and disconnected on: %5 at: %6. The user was active for: %7 minutes %8 seconds. %9 bytes were sent and %10 bytes were received. The reason for disconnecting was: %11."
$msg = "CoID={2BFA4324-66E9-49A3-984B-94747A711C62}: The user domain\first.last connected on port VPN2-127 on 1/10/2011 at 7:53 PM and disconnected on 1/10/2011 at 9:13 PM.  The user was active for 80 minutes 33 seconds.  19113013 bytes were sent and 2478245 bytes were received. The reason for disconnecting was user request."
$pos = $msg.IndexOf(" ")
$msg = $msg.Substring($pos+1)
$msg -match ($tpl -split ":* %\d+" -join " (.*)")
$matches
$matches[1..($matches.count-1)]

Thanks.
0
 
LVL 9

Accepted Solution

by:
chrismerritt earned 500 total points
Comment Utility
Slight modification:

$tpl = "The user: %1 connected on port: %2 on: %3 at: %4 and disconnected on: %5 at: %6. The user was active for: %7 minutes %8 seconds. %9 bytes were sent and %10 bytes were received. The reason for disconnecting was: %11."
$msg = "CoID={2BFA4324-66E9-49A3-984B-94747A711C62}: The user domain\first.last connected on port VPN2-127 on 1/10/2011 at 7:53 PM and disconnected on 1/10/2011 at 9:13 PM.  The user was active for 80 minutes 33 seconds.  19113013 bytes were sent and 2478245 bytes were received. The reason for disconnecting was user request."
$msg = $msg.SubString($msg.IndexOf(":") + 2)
$msg -match ($tpl -split ":* %\d+" -join " (.*)")
$matches
$matches[1..($matches.count-1)]

Matching stuff looks cool, not played around with it before.

Though to be honest I am wondering why you don't simply query the event logs with WMI and utilise the built in functions to retrieve the values?

For example:

$Events = get-wmiobject -class win32_ntlogevent -computerName "ENTER COMPUTER NAME HERE" -filter "(EventCode=1221) and (LogFile='Application')"

foreach ($Event in $Events)
{
	$Event.InsertionStrings[0]
	$Event.InsertionStrings[1]
	$Event.InsertionStrings[2]
}

Open in new window


InsertionStrings is an array of items assigned to the Event.

Obviously you will need to change the above filter to work with your server, and pick the right log and eventid you are looking for.
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 68

Expert Comment

by:Qlemo
Comment Utility
If that part is occuring with all your event log entries, then this is most simple:
$tpl = "The user: %1 connected on port: %2 on: %3 at: %4 and disconnected on: %5 at: %6. The user was active for: %7 minutes %8 seconds. %9 bytes were sent and %10 bytes were received. The reason for disconnecting was: %11."
$msg = "CoID={2BFA4324-66E9-49A3-984B-94747A711C62}: The user domain\first.last connected on port VPN2-127 on 1/10/2011 at 7:53 PM and disconnected on 1/10/2011 at 9:13 PM.  The user was active for 80 minutes 33 seconds.  19113013 bytes were sent and 2478245 bytes were received. The reason for disconnecting was user request."
$msg -match ("CoID={.*}: " + $tpl -split ":* %\d+" -join " (.*)")
$matches
$matches[1..($matches.count-1)]

Open in new window

If you wonder why the CoID does not appear in $matches, while the other regular expression patterns do: I did not enclose them in parens (), so they are not grouped, and hence not stored in $matches.
0
 

Author Comment

by:hairylots
Comment Utility
Sorry for the delay in responding.

Thansk to both recommendations. Wish I could understand the suggestion from Qlemo as it looks quite impressive. I did find suggestion from chrismerritt easier to work with tho.

Here is end result that displays desired report to cli.
========================
$strComputer="1.1.1.1"
$strHostName="hostname"

$promptpass = Read-Host -Assecurestring "Please enter a password"
$mycreds = New-Object System.Management.Automation.PSCredential ("dcdomainname\user.name", $promptpass)

$logfile = "System"
$EventCode = "20272"

$Events = get-wmiobject -computerName $strComputer -Credential $mycreds win32_ntlogevent -filter "(EventCode='$EventCode') and (LogFile='$logfile')"

foreach ($Event in $Events)
{
      for ($i=1; $i -le 11; $i++)
      {
            if ($i -lt 11)
            {$strMessage1 = $strMessage1 + $Event.InsertionStrings[$i] + ", "}
            else
            {$strMessage1 = $strMessage1 + $Event.InsertionStrings[$i]}
      }
      $strMessage1 = $strMessage1 + "`r`n"
      $strMessage2 = $strMessage2 + $strMessage1
}
$myCollection += $strMessage2
$myCollection
===============

Thanks again.
0
 

Author Closing Comment

by:hairylots
Comment Utility
thanks
0
 
LVL 68

Expert Comment

by:Qlemo
Comment Utility
I agree that using WMI for this purpose is easier to work with, if you do not get the regular expression syntax right and understandable. RegExp isn't an easy-to-get topic ...
0
 
LVL 9

Expert Comment

by:chrismerritt
Comment Utility
Glad my suggestion helped, I had the same problem when looking for whitespace events id's for exchange and the WMI stuff was really good for it :)
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

The article will show you how you can maintain a simple logfile of all Startup and Shutdown events on Windows servers and desktops with PowerShell. The script can be easily adapted into doing more like gracefully silencing/updating your monitoring s…
In this previous article (https://oddytee.wordpress.com/2016/05/05/provision-new-office-365-user-and-mailbox-from-exchange-hybrid-via-powershell/), we made basic license assignments to users in O365. When I say basic, the method is the simplest way …
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

7 Experts available now in Live!

Get 1:1 Help Now