Scripting Games 2012 comments: #10 Advanced event 5
http://blogs.technet.com/b/heyscriptingguy/archive/2012/04/06/2012-scripting-games-advanced-event-5-list-errors.aspx
This is the one I was asked to supply a commentary for:
http://blogs.technet.com/b/heyscriptingguy/archive/2012/04/20/expert-commentary-2012-scripting-games-advanced-event-5.aspx
This one has raised an interesting interpretation issue. The last design point asks:
- Your output should be organized such that the largest source of errors appears at the top of the output.
The figure shows the data sorted by event source.
I read the design point as: the log with the largest number of errors comes first. The script I produced for the commentary doesn't meet that last design point, so I've revised it:
#Requires -Version 2
function Get-EventEntryCount {
    [CmdletBinding()]
    param (
        [parameter(Position=0,
                   ValueFromPipeline=$true,
                   ValueFromPipelineByPropertyName=$true)]
        [Alias("CN", "Computer")]
        [string[]]$computername = "$env:COMPUTERNAME",

        [parameter(Position=1)]
        [ValidateSet("Error", "Information", "FailureAudit", "SuccessAudit", "Warning", "All", "*")]
        [string]$eventtype = "Error"
    )
    BEGIN {
        # Reading (and in particular remote) event logs needs an elevated token
        $currentUser = [Security.Principal.WindowsIdentity]::GetCurrent()
        $testadmin = (New-Object Security.Principal.WindowsPrincipal $currentUser).IsInRole(
            [Security.Principal.WindowsBuiltinRole]::Administrator)
        if (!$testadmin) {
            Throw "Must be run with elevated privileges"
        }

        # Get-EventLog does not accept -EntryType "All" or "*", so the parameter
        # is only passed when a specific entry type was requested
        $logParams = @{ ErrorAction = "SilentlyContinue" }
        if ($eventtype -ne "All" -and $eventtype -ne "*") {
            $logParams.EntryType = $eventtype
        }
    }#begin
    PROCESS {
        foreach ($computer in $computername) {
            switch ($computer) {
                "."         { $computer = "$env:COMPUTERNAME" }
                "localhost" { $computer = "$env:COMPUTERNAME" }
            }
            Write-Verbose "Processing computer: $computer"
            $data = @()
            if (Test-Connection -ComputerName $computer -Count 1 -Quiet) {
                # Remote Get-EventLog depends on the Remote Registry service.
                # Keep the original WMI object (it is not refreshed) so the
                # service can be put back into its original state afterwards.
                Write-Verbose "Starting Remote Registry service on $computer"
                $origrrsrv = Get-WmiObject -Class Win32_Service -Filter "Name='RemoteRegistry'" `
                    -ComputerName $computer
                if ($origrrsrv.StartMode -eq "Disabled") {
                    Set-Service -Name RemoteRegistry -ComputerName $computer -StartupType "Manual"
                }
                if ($origrrsrv.State -ne "Running") {
                    $origrrsrv.StartService() | Out-Null
                }
                try {
                    Write-Verbose "Retrieving logs for $computer"
                    Get-EventLog -List -ComputerName $computer |
                    foreach {
                        $log = $_.Log
                        Write-Verbose "Processing log: $log"
                        if ($_.Entries.Count -gt 0) {
                            Write-Debug "Processing event type $eventtype"
                            $n = Get-EventLog -LogName $log -ComputerName $computer @logParams
                            if ($n -ne $null) {
                                Write-Debug "Entries found"
                                $n | group Source -NoElement |
                                foreach {
                                    $data += New-Object -TypeName PSObject -Property @{
                                        ComputerName = $computer
                                        LogName      = $log
                                        EntryType    = $eventtype
                                        EntrySource  = $_.Name
                                        EntryCount   = $_.Count
                                    }
                                }
                            }
                        } # end if entries
                        else {
                            Write-Verbose "$($computer): $log is empty"
                        }
                    } # end of log processing foreach
                }
                finally {
                    # Restore the service only once every log has been read
                    # (stopping it inside the log loop would break the remaining
                    # Get-EventLog calls), and even if a log read throws.
                    if ($origrrsrv.State -eq "Stopped") {
                        $origrrsrv.StopService() | Out-Null
                    }
                    if ($origrrsrv.StartMode -eq "Disabled") {
                        Set-Service -Name RemoteRegistry -ComputerName $computer -StartupType "Disabled"
                    }
                }
            }
            else {
                Write-Warning "Cannot contact $computer"
            } # end if ping
            Write-Output $data
        } ## end computer foreach
    }#process
    END {}#end
<#
.SYNOPSIS
Counts the number of entries of a given type
in the event logs of a system
.DESCRIPTION
One or more computers - from pipeline or parameter - are
accessed to read the event logs and count the entries of a
given type, grouped by event source. Empty logs are skipped
(reported with -Verbose).
.PARAMETER computername
Name of computer for which log information
is to be retrieved
.PARAMETER eventtype
Log entry type to count.
Accepted values are -
"Error", "Information", "FailureAudit",
"SuccessAudit", "Warning", "All", "*"
.EXAMPLE
Get-EventEntryCount
Accesses logs on local machine. Performs default display
.EXAMPLE
Get-EventEntryCount -computername "." |
sort LogName, EntryCount -Descending |
Format-Table EntrySource, EntryCount -GroupBy LogName
Accesses logs on local machine. Format display and group by logname
.EXAMPLE
"dc02", "webr201", "server02" |
Get-EventEntryCount |
sort ComputerName, LogName, EntryCount -Descending |
Format-Table LogName, EntrySource, EntryCount -GroupBy ComputerName
Accesses logs on remote machines. Computer names accepted from pipeline.
Format display and group by computer
.EXAMPLE
Get-EventEntryCount -computername "dc02", "webr201", "server02" |
sort ComputerName, LogName, EntryCount -Descending |
Format-Table LogName, EntrySource, EntryCount -GroupBy ComputerName
Accesses logs on remote machines. Computer names accepted as array.
Format display and group by computer
.INPUTS
Computer name - string or string array
Event type - string. Must be member of set
.OUTPUTS
Returns a custom object with
properties:
ComputerName - name of computer
LogName - name of log
EntryType - Type of log entry
EntryCount - count of entries
EntrySource - event source
.NOTES
.LINK
#>
}
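To order the output the way the design point is read above (the log with the largest total number of errors first, and within each log the biggest source first), the following function post-processes the objects Get-EventEntryCount emits. This is an added example, not part of the original post or the submitted script; the sample objects are constructed here so it runs without reading any event log.

```powershell
function Sort-EventEntryCount {
    # Takes Get-EventEntryCount output objects (ComputerName, LogName,
    # EntrySource, EntryCount) and orders them so the log with the most
    # entries comes first and, within a log, the biggest source comes first.
    param (
        [parameter(ValueFromPipeline=$true)]
        [PSObject[]]$InputObject
    )
    BEGIN   { $all = @() }
    PROCESS { $all += $InputObject }
    END {
        # Total entries per computer/log pair; this is the primary sort key
        $totals = @{}
        foreach ($e in $all) {
            $key = "$($e.ComputerName)|$($e.LogName)"
            $totals[$key] = [int]$totals[$key] + $e.EntryCount
        }
        $all |
            Select-Object *, @{Name = "LogTotal";
                Expression = { $totals["$($_.ComputerName)|$($_.LogName)"] }} |
            Sort-Object @{Expression = "LogTotal";   Descending = $true},
                        LogName,
                        @{Expression = "EntryCount"; Descending = $true}
    }
}

# Constructed sample in the shape of Get-EventEntryCount output (not real data)
$sample = @(
    @{ComputerName="srv01"; LogName="System";      EntrySource="Service Control Manager"; EntryCount=12},
    @{ComputerName="srv01"; LogName="System";      EntrySource="Disk";                    EntryCount=3},
    @{ComputerName="srv01"; LogName="Application"; EntrySource="Application Error";       EntryCount=40},
    @{ComputerName="srv01"; LogName="Application"; EntrySource="MsiInstaller";            EntryCount=5}
) | ForEach-Object { New-Object -TypeName PSObject -Property $_ }

# Application (45 entries) is listed before System (15); within each log the
# sources run from the largest count down
$sample | Sort-EventEntryCount |
    Format-Table LogName, LogTotal, EntrySource, EntryCount -AutoSize
```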