3 Replies Latest reply on Jun 17, 2012 7:24 PM by aLTeReGo

    Windows EventLog Parser Powershell

    mdriskell

      So the built-in Event Log monitor, while it works well, wasn't able to return what our users required. They asked for us to be able to return the actual message in the alert. This is a very rough draft of my attempt to do this in PowerShell, and I am still testing for possible flaws, but I wanted to throw it out there in case anyone has any suggestions.

      APM seems to reject the output when I output more than one line, so I couldn't separate lines using PowerShell's built-in `r`n method; I instead used a method supported by our notification system, \\n. Unfortunately it shows up as one line in SW, but I haven't found a way around this yet.

      Feel free to criticize or comment on the coding, as this is only my second attempt at writing a PowerShell script, so I am still learning many of the concepts and I am very receptive to feedback.

      This method allows me to return the number of entries found along with the actual output of the message in the alert emails that we send out, so our users can see at a glance exactly what is in the event log entries. The replace functions were required because the output of PowerShell's Get-EventLog included a "Message:" label which SW keys off of, so I had to replace it with something else.

       

      # This script will search a Windows Event Log for a particular message.
      # It is designed to return the number of events found along with the actual description messages of the events.
      # If a wildcard match is required, pass .* for the argument.
      # Arguments example: application,Office Software Protection Platform Service,1003,Information,.*,1640
      # Argument 1 is the event log name (ex. application, security). CANNOT BE A .*; MUST SPECIFY THE LOG NAME.
      # Argument 2 is the event log source (ex. MSSQLServer, Outlook, Desktop Window Manager). If the source contains multiple words no wrappers are needed.
      # Argument 3 is the event ID tied to the Windows event.
      # Argument 4 is the entry type (Error, Warning, Information).
      # Argument 5 is the message text (looks for a specific string of text).
      # Argument 6 is the interval in minutes that the monitor should look at. This should match or be greater than the APM polling interval. This monitor will only alert on events found in that interval.

      $evt_log    = $args[0]
      $Source     = $args[1]
      $EventID    = $args[2]
      $Entry      = $args[3]
      $MessageTxt = $args[4]
      $Interval   = [int]$args[5]

      # Query the log once and filter it; the same result set is used for the count and for the message body.
      # Source and message text are matched as regular expressions so .* works as a wildcard.
      # Event ID and entry type are anchored so that an ID of 100 does not also match 1003.
      $Events = @(Get-EventLog -LogName $evt_log -After (Get-Date).AddMinutes(-$Interval) |
          Where-Object { $_.Source -match $Source } |
          Where-Object { $_.Message -match $MessageTxt } |
          Where-Object { "$($_.EntryType)" -match "^(?:$Entry)$" } |
          Where-Object { "$($_.EventID)" -match "^(?:$EventID)$" })

      $SW_StatOutput = $Events.Count

      if ($SW_StatOutput -eq 0)
      {
          Write-Host "Statistic: $SW_StatOutput"
          Write-Host "Message: No errors found during last $Interval minutes. Monitor Reset."
      }
      else
      {
          # Format-List pads every property name to the width of TimeGenerated, so the
          # labels are matched with \s+ rather than a fixed number of spaces.
          $SW_MessageOutput = $Events |
              Format-List TimeGenerated, Source, EntryType, Message |
              Out-String -Stream -Width 1000

          # SW keys off the literal "Message:" label, so it is renamed; the other labels get
          # a \\n prefix, which the notification system turns into a line break.
          $SW_MessageOutput = $SW_MessageOutput -replace '^Message\s+:', '\\n EventLogEntry: '
          $SW_MessageOutput = $SW_MessageOutput -replace '^TimeGenerated\s+:', '\\n TimeStamp:'
          $SW_MessageOutput = $SW_MessageOutput -replace '^Source\s+:', '\\n Source:'
          $SW_MessageOutput = $SW_MessageOutput -replace '^EntryType\s+:', '\\n EntryType:'

          Write-Host "Statistic: $SW_StatOutput"
          Write-Host "Message: $SW_MessageOutput"
      }
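The same filtering and Statistic:/Message: formatting, as an added example written for this page (my code, not from mdriskell's post). It separates the query from the formatting so the output can be checked against constructed events without a live event log, anchors the event ID and entry type matches, and keeps the line breaks inside multi-line event descriptions as the \\n token instead of losing them. The function names, parameter names and the sample events are my own; the Statistic:/Message: output convention and the \\n token are the ones the post describes.

```powershell
# Added example, not part of mdriskell's post. The events below are constructed for
# illustration; on a live host $sample would be replaced by the output of
# Get-EventLog -LogName application -After (Get-Date).AddMinutes(-$Interval).

function Select-MatchingEvent {
    param(
        [object[]] $Events,
        [string] $Source,
        [string] $EventID,
        [string] $EntryType,
        [string] $MessageTxt
    )
    # Source and message text are regular expressions, as in the original script, so
    # .* still acts as a wildcard. Event ID and entry type are anchored: with a bare
    # -match, an ID of 100 would also match 1003.
    $Events | Where-Object {
        $_ -ne $null -and
        $_.Source -match $Source -and
        $_.Message -match $MessageTxt -and
        "$($_.EntryType)" -match "^(?:$EntryType)$" -and
        "$($_.EventID)" -match "^(?:$EventID)$"
    }
}

function ConvertTo-ApmOutput {
    param(
        [object[]] $Events,
        [int] $IntervalMinutes,
        [string] $LineBreak = '\\n'   # literal token the notification system expands to a line break
    )
    $Events = @($Events | Where-Object { $_ -ne $null })
    if ($Events.Count -eq 0) {
        return @(
            'Statistic: 0',
            "Message: No matching events found during last $IntervalMinutes minutes. Monitor Reset."
        )
    }
    $parts = foreach ($e in $Events) {
        # Event descriptions are frequently multi-line. APM rejects multi-line output, so
        # real CR/LF pairs become the literal token instead of being dropped.
        $body = $e.Message -replace "`r?`n", $LineBreak
        # SW keys off the literal "Message:" label; neutralise any copy that appears in the
        # event text itself, not only the Format-List label the original script renamed.
        $body = $body -replace 'Message\s*:', 'EventLogEntry:'
        "${LineBreak}TimeStamp: $($e.TimeGenerated)${LineBreak}Source: $($e.Source)" +
        "${LineBreak}EntryType: $($e.EntryType)${LineBreak}EventID: $($e.EventID)" +
        "${LineBreak}EventLogEntry: $body"
    }
    return @(
        "Statistic: $($Events.Count)",
        'Message: ' + ($parts -join $LineBreak)
    )
}

# Constructed sample events, same shape as Get-EventLog output.
$sample = @(
    [pscustomobject]@{
        TimeGenerated = Get-Date '2012-06-17 18:55:00'
        Source        = 'Office Software Protection Platform Service'
        EntryType     = 'Information'
        EventID       = 1003
        Message       = "The Software Protection service has completed licensing status check.`r`nStatus Message: Licensed"
    }
    [pscustomobject]@{   # same source, but ID 10031 must not match an EventID argument of 1003
        TimeGenerated = Get-Date '2012-06-17 18:57:00'
        Source        = 'Office Software Protection Platform Service'
        EntryType     = 'Information'
        EventID       = 10031
        Message       = 'Token activation scheduled.'
    }
    [pscustomobject]@{   # different source, excluded by the Source filter
        TimeGenerated = Get-Date '2012-06-17 19:01:00'
        Source        = 'Desktop Window Manager'
        EntryType     = 'Information'
        EventID       = 1003
        Message       = 'The Desktop Window Manager was unable to start.'
    }
)

$hits = Select-MatchingEvent -Events $sample -Source 'Office Software' -EventID '1003' `
                             -EntryType 'Information' -MessageTxt '.*'
ConvertTo-ApmOutput -Events $hits -IntervalMinutes 1640 | ForEach-Object { Write-Host $_ }
```

Because the source and message arguments are treated as regular expressions, a literal value that contains regex metacharacters (a source name with a `+` or a `(`, for example) has to be escaped with `[regex]::Escape()` before it is passed in, or it will either fail to match or throw a parse error inside the monitor.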