
Using Powershell to Parse Event Logs

Powershell is a much needed addition to Windows. For a long time Windows admins have wanted a powerful and flexible scripting language similar to what Linux / Unix users have had for years, or at least I have.

One of the great things about the Linux command line has been tools like cat, less, more and grep for parsing files. Enter Powershell for Windows. I recently needed to parse the application event log for a specific event, ID 3001, from ASP.NET errors that were causing a problem on SharePoint servers. With Powershell we can do this with the get-eventlog cmdlet and a where statement to find the match.

As part of the requirements for the script I wanted to be able to limit how far back to look in the application log, write the results to a file, and, if it finds an event that occurred today, send me an email. Here is what came out of it.

# parselogevent.ps1
# Looks back 7 days in the application log for ASP.NET event 3001,
# writes the matches to a file and emails them if any were found.
#

# Remove the export from the previous run (no error if it is not there)
del C:\logs\lastevent.txt -ErrorAction SilentlyContinue

$Now = Get-Date
$SubtractDays = New-Object System.TimeSpan 7,0,0,0,0
$Then = $Now.Subtract($SubtractDays)

# Keep the matching events in a variable, then export them to the text file.
# (Assigning the redirected pipeline directly would leave $lastevent_log empty.)
$lastevent_log = get-eventlog application -after $Then -before $Now | where {$_.Message -match "3001" -and $_.Source -match "ASP.NET 2.0.50727.0"}
$lastevent_log | format-table -wrap -autosize -property TimeWritten, Message | out-file C:\logs\lastevent.txt

$lastevent_file = [io.file]::ReadAllText('C:\logs\lastevent.txt')

$files = "C:\logs\lastevent.txt"

$exist = test-path $files

$today = (get-date).ToShortDateString()

$file = get-childitem $files

# Send the mail only when the export is not empty
# ($exist and $today are set for further checks but are not used below)
if($file.length -gt 0){
$emailFrom = "myemail@myhost.com"
$emailTo = "theman@theman.com"
$subject = "Timeout Error  $env:COMPUTERNAME"
$body = $lastevent_file
$smtpServer = "my.smtp.com"
$smtp = new-object Net.Mail.SmtpClient($smtpServer)
$smtp.Send($emailFrom, $emailTo, $subject, $body)
# Overwrite the export with just the timestamps of the events that were mailed
$lastevent_log.TimeWritten | Set-Content C:\logs\lastevent.txt
}

Now let's explain how it works!

The first line deletes any log export left over from a previous run (the -ErrorAction switch keeps it quiet when there is nothing to delete).

del C:\logs\lastevent.txt -ErrorAction SilentlyContinue

Now we set the variables for the date, build a 7 day span, and calculate the start of the window from them.

$Now = Get-Date
$SubtractDays = New-Object System.TimeSpan 7,0,0,0,0
$Then = $Now.Subtract($SubtractDays)

Now the meat. Let's parse the log, find event 3001 from source ASP.NET 2.0.50727.0, keep the matches in a variable and export them to lastevent.txt.

$lastevent_log = get-eventlog application -after $Then -before $Now | where {$_.Message -match "3001" -and $_.Source -match "ASP.NET 2.0.50727.0"}
$lastevent_log | format-table -wrap -autosize -property TimeWritten, Message | out-file C:\logs\lastevent.txt

At this point you could look at the exported file and see if you have any events. But we are after automation here, as good admins are.

Next we create some variables used for formatting and sending the email.

$lastevent_file = [io.file]::ReadAllText('C:\logs\lastevent.txt')

$files = "C:\logs\lastevent.txt"

$exist = test-path $files

$today = (get-date).ToShortDateString()

$file = get-childitem $files

And finally the email piece. This is pretty straightforward and doesn't need a lot of explanation, as the variable names speak for themselves. You will need to change the values for $emailFrom, $emailTo, $subject and $smtpServer.

# Send the mail only when the export is not empty
if($file.length -gt 0){
$emailFrom = "myemail@myhost.com"
$emailTo = "theman@theman.com"
$subject = "Timeout Error  $env:COMPUTERNAME"
$body = $lastevent_file
$smtpServer = "my.smtp.com"
$smtp = new-object Net.Mail.SmtpClient($smtpServer)
$smtp.Send($emailFrom, $emailTo, $subject, $body)
# Overwrite the export with just the timestamps of the events that were mailed
$lastevent_log.TimeWritten | Set-Content C:\logs\lastevent.txt
}

Save your finished file and give it a run. If it works, then be a good admin, create a scheduled task and move on to the next job.

If you want to save a little typing time, just download parselogevent.
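The same check written against Get-WinEvent, as an added example that is not the post's own script. Get-WinEvent is the cmdlet that replaces get-eventlog on current Windows versions, and it lets the log name, the source and the time window go into the query itself instead of being filtered afterwards with where. It also applies the "occurred today" check the post set out to do, and mails with Send-MailMessage instead of building an SmtpClient by hand. The export path, SMTP server and addresses are placeholders to change; the source name and the message match are taken from the post.

```powershell
# parselogevent2.ps1 (added example, not the original script)
# Looks back $DaysBack days in the Application log for ASP.NET events whose
# message mentions 3001, exports them, and emails only those written today.
param(
    [int]$DaysBack = 7,
    [string]$ExportPath = 'C:\logs\lastevent.csv',   # assumed path, change as needed
    [string]$SmtpServer = 'my.smtp.com',             # placeholder
    [string]$From       = 'myemail@myhost.com',      # placeholder
    [string]$To         = 'theman@theman.com'        # placeholder
)

$start = (Get-Date).AddDays(-$DaysBack)

# Log, source (provider) and start of the window are evaluated by the event
# log service itself, so only candidate records are returned to the script.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'ASP.NET 2.0.50727.0'
    StartTime    = $start
}

# Get-WinEvent raises a terminating error when nothing matches; with
# -ErrorAction SilentlyContinue that simply yields an empty result.
# The message match is kept exactly as the post wrote it.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '3001' } |
    Select-Object TimeCreated, Id, ProviderName, Message)

# Keep a record of everything found in the window for later review.
if ($events.Count -gt 0) {
    $events | Export-Csv -Path $ExportPath -NoTypeInformation
}

# Only events written today trigger the alert.
$todaysEvents = @($events | Where-Object { $_.TimeCreated.Date -eq (Get-Date).Date })

if ($todaysEvents.Count -gt 0) {
    $body = $todaysEvents |
        Format-Table -Wrap -AutoSize -Property TimeCreated, Message |
        Out-String
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject "Timeout Error $env:COMPUTERNAME ($($todaysEvents.Count) today)" `
        -Body $body
}

"Found $($events.Count) matching events in the last $DaysBack days, $($todaysEvents.Count) today."
```

Run it from a scheduled task the same way as the original; the parameters mean the look-back period and addresses can be passed on the command line instead of being edited into the file. Wrapping the results in @() is deliberate: with a single match PowerShell would otherwise hand back one object rather than an array, and .Count would not behave as expected.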

One Response to "Using Powershell to Parse Event Logs"

Joe says:

Very useful script and awesome explanation 🙂