BGINFO - A Posh Recreation
Recently I have been building a lot of Windows Servers in different environments - one
Grumpy Admin was asked by a friend to look at his Powershell script. Stop laughing, Grumpy Admin does indeed have the odd friend. His script was all to do with Eventlogs. I offered a few points here and there but as the script worked and did what it says it did I didn’t change much after all Grumpy Admin is all about learning.
I remembered some stuff about working with EventLogs and decided I wanted to share – As you will know from Vista upwards, Microsoft introduced a lot more logs files to the system than just the standard App,Sys,Sec logs. They also added some better ways to access these logs and do stuff with them! Some of these logs are enabled some of them are disabled and don’t capture anything.
These logs can range from logging information about DHCP operations to Windows Backup or even Biometrics information, if you use a Fingerprint reader to unlock your laptop etc. You can even create your own logs.
If we load up Computer Manager (I’m on Windows 7 – dam IT policy won’t allow me to have Windows 8.1 Machine, even though I am administering mainly Server 2012/2012R2 servers!!! That is a major cause of Grumpy Admin being Grump!) As you can see from the screen print. Enabling these extra logs is simple, as right clicking and clicking “Enabled Log“.
Now this is simple using the GUI but we are admins, we are the keyboard cowboys and we want to do it all from your guessed it – from Powershell
First thing we need to do is get a list of all the available event log, and most thing being objects in Powershell we can then use this information in helpful ways. For this we can use the cmdlet called Get-WinEvent – as ever, let’s throw a Get-Help at it and see what we get!
Gets events from event logs and event tracing log files on local and remote computers.
Get-WinEvent [[-LogName] <String[]>] [-ComputerName <String>] [-Credential <PSCredential>] [-FilterXPath <String>] [-Force] [-MaxEvents <Int64>] [-Oldest] [<CommonParameters>]
Get-WinEvent [-ListProvider] <String[]> [-ComputerName <String>] [-Credential <PSCredential>] [<CommonParameters>]
Get-WinEvent [-ProviderName] <String[]> [-ComputerName <String>] [-Credential <PSCredential>] [-FilterXPath <String>] [-Force] [-MaxEvents <Int64>] [-Oldest] [<CommonParameters>]
Get-WinEvent [-ListLog] <String[]> [-ComputerName <String>] [-Credential <PSCredential>] [-Force] [<CommonParameters>]
Get-WinEvent [-FilterHashtable] <Hashtable[]> [-ComputerName <String>] [-Credential <PSCredential>] [-Force] [-MaxEvents <Int64>] [-Oldest] [<CommonParameters>]
Get-WinEvent [-FilterXml] <XmlDocument> [-ComputerName <String>] [-Credential <PSCredential>] [-MaxEvents <Int64>] [-Oldest] [<CommonParameters>]
Get-WinEvent [-Path] <String[]> [-Credential <PSCredential>] [-FilterXPath <String>] [-MaxEvents <Int64>] [-Oldest] [<CommonParameters>]
Wow, there lots to take in there – But something that helps us in our quest stands out right away – the –listlog. This looks like it takes a string, so let throw something at it at random… like a wildcard such as * Let do that now shall we J
get-winevent -listlog *
Excellent – that produces a list of all the event logs, with their size and stuff like that – that is great! We can of course do let’s do a
get-winevent -listlog * |get-member
and see what properties and methods it has so that we can work with it!
Oh there is a IsEnabled Property which is Bool and has a get-set method 🙂 so if we wanted to we can do something like this
get-winevent -listlog * | %{$_.IsEnabled=$true}
Which should turns all available logs on! Neat… I think… The logic is there – set the IsEnabled option for all event logs. It didn’t return any errors so it must of worked!
Now the smart thing to do is to use PowerShell and filter the objects and only return anything that has anything to do with the log file that we want, as turning everything can be bad… think Cisco and thing Debug All – So for example I want to enable all logs that have anything to do with DHCP so I can do a where-object statement with a –like wildcard statement with the words DHCP in it! Which will look like this :-
get-winevent -listlog * | where-object {$_.LogName -like “*DHCP*”}
Nice this works, so we can then just do our %{$_.IsEnabled=$true} code and we have achieved our aim! So the full code will be
get-winevent -listlog * | where-object {$_.LogName -like “*DHCP*”} |%{$_.IsEnabled=$true}
and just to prove it we can do the following to make me less grumpy with the output….
get-winevent -listlog * | where-object {$_.LogName -like “*DHCP*”} |fl -Property IsEnabled,LogName
Hand on a second…. it didn’t work did it! Can anyone tell me why? OK now I’m super grumpy! What is going on!!!! Let’s have a look – go back and look at the get-member output and you will see there is a method called SaveChanges, so once we change something we need to call this – so our actual working code now looks like this :-
get-winevent -listlog * | where-object {$_.LogName -like “*DHCP*”} |%{$_.IsEnabled=$true;$_.SaveChanges() }
And to prove the fact we can rerun our test line
get-winevent -listlog * | where-object {$_.LogName -like “*DHCP*”} |fl -Property IsEnabled,LogName
Job Done – Finally
Hazzy