March 5, 2015

[Log]tastical Powershell

When dealing with Server Core, you don’t have event viewer, so you can either connect to the server from another server and view the event logs using the “connect to computer” method or if you are working on the box directly at the command/powershell prompt and you want to just quickly check you can use the Get-Eventlog Cmdlet

The syntax is simple…

Get-Eventlog <eventlog name>

So at the most simple level you can have :-

Get-Eventlog System
Get-Eventlog Application
Get-Eventlog Security

These are the 3 main windows logs files – There are other things we can do as well but let stick with the basic 3 for this blog post shall we? – If you just run these cmdlets as is, you will get your entire eventlog dumped to the console. This might be what you want if you can read at speeds I can’t even comprehend! But don’t fear, Powershell can really help us make sense of all this data by parsing it for us before presenting it to us. Most of it is useless fluff anyway.

Now the key concept of Powershell, which some people don’t get and is great cause of grumpiness here in the office is that everything (unless told otherwise is an object). Objects has properties and you can access these properties, and do cool and neat stuff with them!

Right so initially my first tip when dealing with eventlog data from Powershell is to limit the number of events you get back from running the Get-EventLog cmdlet- you not that interested in old events if your issue is current, you want and need to look at the newest events I assume. Powershell allows us to do this, we can use the -newest argument of the Get-EventLog cmdlet. Supply it with the number of events we want and we are solid!

Get-Eventlog System -Newest 10

This now limits the events returned. But due to the fluff that get stuffed in these event logs like the 1000’s of “information” type events, we might not see the errors that we are trying to troubleshoot. White noise makes me grumpy! So again using Powershell we can do something like this….

we can use the Where-Object cmdlet and put in some logic into the mix and make a sort of filter. So we can add a line like this –

Where-Object {$_.entryType -Match “Error”}

Now don’t forget, we are currently only passing 10 objects, the 10 newest entries in the eventlog to this Where-Object cmdlet. So you might want to increase the -newest values to something reasonable. Just a hint! Don’t forget, you are not limited to using the .entryType in your selection. For example you could easily do this

where-object {$_.EventID -Match “19”}

Also you can use other conditional statements as well

-lt Less than
-le Less than or equal to
-gt Greater than
-ge Greater than or equal to
-eq Equal to
-ne Not equal to
-like pattern matching

Now this still isn’t very useful for us is it?, we have lots of data but we can’t really read much of it! So I think we need to do some work on how to present the information better…Grumpy Admin doesn’t like not being able to actually read error messages how is that going help our troubleshooting and make us look like real keyboard cowboys?  🙁 Right let’s use our good old trusted friend the Format-Table cmdlet.

Format-Table Index,TimeWritten, Source, EventID, Message -auto

This is slightly better – but the problem we have is that FT (alias for Format-Table) is limited to the size of the screen buffer – which is pain. So I rather point you in the direction of using Format-List – so our Powershell command will look something like this

Get-EventLog System -Newest 1000 |where-object {$_.entryType -Match “Error”}|Format-List Index,TimeWritten, Source, EventID,Message

If this returns to many entries, you can just grab the event you want to see in more detail by using the Get-EventLog -Index method

Get-EventLog system -Index 1 |Format-List

and then you see we are throwing it to Format-List. This means you can work in Powershell on a Server Core or any server via Powershell, and get detailed information almost as fast as using the GUI Event Viewer.

Now if you are doing this sort of thing quite often, you can create your own or Google and download someone else’s, scripts to help wrap these commands in a function.

Also Don’t forget – you can use things such as | out-file <filename> to export your logfiles and eventlog entries to enter into your post-incident report or in to your Incident Managment System. Also you can do this on remote computers by providing the -Computer argument to the Get-Eventlog cmdlet.