Joseph, here's some very old and crude code I wrote when I was starting
with PowerShell and needed to find very specific events:
# Start of script
$FinalArray = @()
[string]$ServerName = $Args[0]
# WMI filters compare DMTF date strings, so convert "48 hours ago" into that form
$BackInTime = [System.Management.ManagementDateTimeConverter]::ToDMTFDateTime((Get-Date).AddHours(-48))
$EventFilter = "Logfile='Application' AND EventCode='1221' AND TimeWritten>='$BackInTime'"
Write-Host (Get-Date -f "yyyy-MMM-dd HH:mm:ss") "- Checking events 1221 (DB WhiteSpace) on" $ServerName.ToUpper() "during the last 48 hours..."
# @() guarantees .Count works even when exactly one event (or none) comes back
$All1221 = @(gwmi Win32_NTLogEvent -ComputerName $ServerName -Filter $EventFilter)
If ($All1221.Count -gt 0) {
    ForEach ($Event in $All1221) {
        $EventItem = New-Object System.Object
        # InsertionStrings hold the raw event parameters, so the Message text never has to be parsed
        $EventItem | Add-Member -type NoteProperty -name "Time_Written" -value ([WMI]'').ConvertToDateTime($Event.TimeWritten)
        $EventItem | Add-Member -type NoteProperty -name "SG_MBS" -value $Event.InsertionStrings[1]
        $EventItem | Add-Member -type NoteProperty -name "WhiteSpace_MB" -value ("{0:N0}" -f ([int32] $Event.InsertionStrings[0]))
        $FinalArray += $EventItem
    }
    $FinalArray | sort SG_MBS | ft -auto
    Write-Host "Total events found in the last 48 hours:" $FinalArray.Count
}
Else { Write-Host "No 1221 events found in the last 48 hours!" }
# End of script
Hope that helps you.
Regards,
Rubens
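An added example, not from Rubens, Michael or Joseph: the Get-WinEvent records Joseph is looking at also carry the event parameters in structured form, so the Member and Group names of a 4729 can be read from the event's XML (EventData/Data elements) without touching the Message text at all. The Data Name values used here (MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectDomainName, SubjectLogonId) are the ones Microsoft-Windows-Security-Auditing uses for the group-membership events; confirm them on your own box with (Get-WinEvent ...).ToXml(). The sample record is constructed from the output Joseph quoted, so the parser can be tried offline before it is pointed at a live Security log.

```powershell
# Added example (not part of the thread). Parse Security event 4729 from its
# structured EventData rather than with a regex over the Message string.

function ConvertFrom-GroupChangeEvent {
    # Accepts the XML string returned by EventLogRecord.ToXml() on the pipeline
    param([Parameter(Mandatory, ValueFromPipeline)][xml]$EventXml)
    process {
        # Flatten <Data Name="X">value</Data> into a hashtable keyed by Name
        $data = @{}
        foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # EventID is plain text for auditing events, but an element with a
        # Qualifiers attribute for classic providers; handle both shapes
        $idNode = $EventXml.Event.System.EventID
        $eventId = if ($idNode -is [string]) { [int]$idNode } else { [int]$idNode.'#text' }

        [pscustomobject]@{
            TimeCreated = [datetime]$EventXml.Event.System.TimeCreated.SystemTime
            EventId     = $eventId
            Actor       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            ActorLogon  = $data['SubjectLogonId']
            Member      = $data['MemberName']      # a DN, as in the quoted output
            MemberSid   = $data['MemberSid']
            Group       = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            GroupSid    = $data['TargetSid']
        }
    }
}

# Offline check: a constructed 4729 record modelled on Joseph's quoted output
# (the SystemTime value is made up; the SIDs and names are the ones he posted)
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4729</EventID>
    <TimeCreated SystemTime="2012-05-24T16:40:16.000Z" />
    <Channel>Security</Channel>
  </System>
  <EventData>
    <Data Name="MemberName">CN=user,OU=1,OU=a,DC=foo,DC=local</Data>
    <Data Name="MemberSid">S-1-5-21-2887164728-1639811974-4180998483-1109</Data>
    <Data Name="TargetUserName">Grp_Test</Data>
    <Data Name="TargetDomainName">FOO</Data>
    <Data Name="TargetSid">S-1-5-21-2887164728-1639811974-4180998483-5135</Data>
    <Data Name="SubjectUserSid">S-1-5-21-2887164728-1639811974-4180998483-500</Data>
    <Data Name="SubjectUserName">Administrator</Data>
    <Data Name="SubjectDomainName">FOO</Data>
    <Data Name="SubjectLogonId">0x332ab</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-GroupChangeEvent | Format-List

# Live use: the same parser over the last 48 hours of 4729 events. The
# FilterHashtable pushes the Id/time filter into the event log service instead
# of pulling the whole Security log through Where-Object; SilentlyContinue
# keeps "No events were found" from surfacing as an error.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4729; StartTime = (Get-Date).AddHours(-48) } -ErrorAction SilentlyContinue |
    ForEach-Object { $_.ToXml() } |
    ConvertFrom-GroupChangeEvent |
    Sort-Object Group, TimeCreated |
    Format-Table TimeCreated, Actor, Group, Member -AutoSize
```

Because the fields come out as real properties, the same objects can be filtered (for example on a list of privileged groups) or exported with Export-Csv, which is awkward when the only handle on the data is a captured regex group.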
On Thu, May 24, 2012 at 2:36 PM, Michael B. Smith <[email protected]> wrote:
> Oh. No. Not from there.
>
> In the raw event log entry (which you can get from WMI), you'll see
> InsertionStrings, ReplacementStrings, and the Message. You can SOMETIMES get
> what you want from ReplacementStrings. But more often than not you will still
> be looking at painful regex's or just flat out string processing (which is
> what I normally do).
>
> -----Original Message-----
> From: Joseph L. Casale [mailto:[email protected]]
> Sent: Thursday, May 24, 2012 12:32 PM
> To: NT System Admin Issues
> Subject: RE: Powershell Eventlog Reporting
>
> Sorry Michael,
> The Message is a string, which makes for large capturing regexes, total
> pain...
> I had hoped the Member|Account name was accessible from within the Message
> property...
>
> An example output:
>
> Get-WinEvent Security |?{ $_.Id -eq 4729 } |fl
>
> TimeCreated : 5/24/2012 9:40:16 AM
> ProviderName : Microsoft-Windows-Security-Auditing
> Id : 4729
> Message : A member was removed from a security-enabled global group.
>
> Subject:
> Security ID:
> S-1-5-21-2887164728-1639811974-4180998483-500
> Account Name: Administrator
> Account Domain: FOO
> Logon ID: 0x332ab
>
> Member:
> Security ID:
> S-1-5-21-2887164728-1639811974-4180998483-1109
> Account Name: CN=user,OU=1,OU=a,DC=foo,DC=local
>
> Group:
> Security ID:
> S-1-5-21-2887164728-1639811974-4180998483-5135
> Group Name: Grp_Test
> Group Domain: FOO
>
> Additional Information:
> Privileges: -
> ________________________________________
> From: Michael B. Smith [[email protected]]
> Sent: Thursday, May 24, 2012 10:10 AM
> To: NT System Admin Issues
> Subject: RE: Powershell Eventlog Reporting
>
> I don't understand what you are asking?
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
>