Monthly Archives: December 2008

PowerShell User Group 2009

Two meetings are planned for early 2009.

January 21st – Microsoft Reading

– Webcast with Jeffrey Snover

 

February 10th – Microsoft Cardinal Place London

- After the Powershell event in the afternoon

- Jonathan Noble will be speaking

 

More details on both events to follow.

Happy New Year to everyone in PowerShell land.

 

Technorati Tags:

CTP3 – Write-EventLog

Last of the new event log cmdlets is Write-EventLog.  I showed how to write to the event log here http://richardsiddaway.spaces.live.com/blog/cns!43CFA46A74CF3E96!275.entry.  This is still valid for PowerShell v1 or v2.  In v2 we can make life a bit simpler by using Write-EventLog.  Like the other EventLog cmdlets it only works with the classic event logs and it has a –computername parameter so you can write to logs on remote machines.

To write an entry into the log:

Write-EventLog -LogName Scripts -Source PSscripts -Message "Test from write-eventlog"  `

-EntryType Information -EventId 1111

We need to give the log name and a source.  If you aren’t sure about the sources available for a log use the script in the previous post to discover them.  A message and entry type must be given and an eventid (can be arbitrary in your own log).

The entry can be viewed with Get-EventLog

That finishes our look at event logs in CTP3. Next time we will start looking at another aspect of CTP3.

 

Technorati Tags: ,,

CTP3 – New-EventLog

I have shown how to create an event log using simple .NET code a couple of times including http://richardsiddaway.spaces.live.com/blog/cns!43CFA46A74CF3E96!278.entry.  CTP 3 brings us a cmdlet that we can use to perform this act. 

New-EventLog is used as follows.

New-EventLog -LogName TestLog -Source TestSource

All we provide is the name of the log and a Source to register.  A source is a handle (or route) that applications use to write to the event log.  We can view the details of our event log.

PS> Get-EventLog -List

  Max(K) Retain OverflowAction        Entries Name
  ------ ------ --------------        ------- ----
  25,600      0 OverwriteAsNeeded         156 Application
  15,168      0 OverwriteAsNeeded           0 DFS Replication
  20,480      0 OverwriteAsNeeded           0 HardwareEvents
     512      7 OverwriteOlder              0 Internet Explorer
  20,480      0 OverwriteAsNeeded           0 Key Management Service
  16,384      0 OverwriteAsNeeded           0 ODiag
  16,384      0 OverwriteAsNeeded       1,106 OSession
   2,048      9 OverwriteOlder              2 Scripts
  20,480      0 OverwriteAsNeeded         296 Security
  20,480      0 OverwriteAsNeeded         573 System
     512      7 OverwriteOlder              0 TestLog
  15,360      0 OverwriteAsNeeded         908 Windows PowerShell

Note the default size, retention days and Overflow action.

One potential issue is how do we view the sources for an event log.  The following script will do this.  Its interesting to run this against the Application log!

param ([string]$log)
cls
Write-Host   $log -ForegroundColor Green
$filt = "LogFileName = '" + $log + "'"
Get-WmiObject -Class Win32_NTEventLogFile -Filter $filt | Select -ExpandProperty Sources

If you want to be able to control how applications write to a log then we can add a source for a particular application.

New-EventLog -LogName TestLog -Source "Source2"

Exactly the same as before but because the log exists we just create a new source.

 

Technorati Tags: ,,

PowerGUI – PowerShell Help

I have mentioned PowerGUI many times – I especially like the editor.  There is a large, and growing, library of PowerGUI powerpacks (additional functionality) available for download from www.powergui.org.

I have just added the PowerShell Help powerpack to my system.  Written by Kirk Munro (PowerShell MVP) it gives many views into the PowerShell help system.  I may even drop my own help utility in favour of using this. It can be downloaded from http://www.powergui.org/entry.jspa?externalID=801&categoryID=55  - - highly recommended.

 

Technorati Tags: ,

CTP3 – Remove-EventLog

Remove-EventLog is a new cmdlet in CTP3.  It brings the following parameters:

ComputerName
LogName
Source
Verbose
Debug
ErrorAction
WarningAction
ErrorVariable
WarningVariable
OutVariable
OutBuffer
WhatIf
Confirm

The Source is how applications write to the event log – it is possible to just remove one or more sources rather than the whole event log.

To remove an event log

Remove-EventLog -LogName test23

Assuming you have the correct privileges the removal happens.  This is one cmdlet where I would very strongly recommend using the –whatif and –confirm parameters

 

Technorati Tags: ,,

CTP3 – Clear-EventLog

Continuing our tour around the event log cmdlets we come to Clear-EventLog.  This does exactly what it says – it clears the entries out of one or more logs. Note that it does not backup the entries in anyway – it is just a clear.

We can clear a single log

Clear-EventLog -LogName "Windows PowerShell"

or we can work with multiple logs – for instance based on the number of records

Get-EventLog -List | Where{$_.Entries.Count -gt 5000} | Foreach {Clear-EventLog -LogName $_.Log}

We need administrator access on Vista and later. The usual –whatif and –confirm parameters are available.  This cmdlet also has a –computername parameter for working with remote machines

 

Technorati Tags: ,,

CTP3 – Limit-EventLog

If we look at the event logs that are present on our system we will see how the logs are configured in terms of maximum size, retention days and the action to take in the event of the log becoming full (overflow).

PS> Get-EventLog -List

  Max(K) Retain OverflowAction        Entries Name
  ------ ------ --------------        ------- ----
  25,600      0 OverwriteAsNeeded       8,871 Application
  15,168      0 OverwriteAsNeeded           0 DFS Replication
  20,480      0 OverwriteAsNeeded           0 HardwareEvents
     512      7 OverwriteOlder              0 Internet Explorer
  20,480      0 OverwriteAsNeeded           0 Key Management Service
  16,384      0 OverwriteAsNeeded           0 ODiag
  16,384      0 OverwriteAsNeeded       1,083 OSession
     512      7 OverwriteOlder              2 Scripts
                                              Security
  20,480      0 OverwriteAsNeeded      38,517 System
     512      7 OverwriteOlder              0 test23
  15,360      0 OverwriteAsNeeded       1,000 Windows PowerShell

 

We can use the Limit-EventLog cmdlet to control these settings.

Limit-EventLog -LogName Scripts -MaximumSize 2mb -RetentionDays 9 -OverflowAction OverWriteOlder

Note that the maximum size is translated to KB (and must be divisable by 64KB).  The overflow actions are limited to

  • DoNotOverwrite
  • OverwriteAsNeeded
  • OverwriteOlder

This cmdlet has a computername parameter so we can work remotely – there is a los a whatif and confirm parameter.  Remember the need for Administrator privileges to make the changes.

 

Technorati Tags: ,,

CTP3 – Show-EventLog

Show-EventLog is a very straight forward cmdlet with a minimum of parameters.  Outside of the common parameters it can only take a computer name.  As it says in the name the cmdlet opens Event Viewer on the local or remote machine (remember need for admin privileges on Vista and later so start PowerShell using Run as Administrator).  The computername parameter accepts a name, an IP Address or a FQDN.

Show-EventLog -ComputerName pcrs2
Show-EventLog -ComputerName 192.168.86.17
Show-EventLog -ComputerName pcrs2.somedomain.com

The PowerShell prompt is returned as soon as event viewer is opened.

 

Technorati Tags: ,,

CTP3 – Get-EventLog

No doubt there will be a mass of posts on the new features in CTP3 over the next weeks and months.  What I want to try and do is concentrate on those features that are of most benefit to administrators. I am going to start with functionality to work with event logs.  I have blogged a number of times about writing scripts to go beyond the get-eventlog of PowerShell version 1 – most of that functionality is now available as cmdlets.  We now have a number of cmdlets for working with event logs:

Clear-EventLog
Get-EventLog
Limit-EventLog
New-EventLog
Remove-EventLog
Show-EventLog
Write-EventLog

We’ll start by looking at what is new in get-eventlog and then look at the others.  Get-Eventlog brings a bunch of new parameters:

* LogName
ComputerName
* Newest
After
Before
UserName
InstanceId
Index
EntryType
Source
Message
AsBaseObject
* List
* AsString

Parameters marked * are present in PowerShell v1

Note - I have deliberately left off the common parameters -  -verbose etc etc.

One of the most obvious additions is the computername parameter – we can now work with logs on remote computers.  We don’t need PowerShell remoting enabled for this.

Get-EventLog -List -ComputerName pcrs2

After and before allow us to view the log between two time bounds -

$d1 = (Get-Date).AddDays(-5)
$d2 = (Get-Date).AddDays(-2)
Get-EventLog -LogName system -After $d1 -Before $d2

Index enables us to access a particular entry.  InstanceId means we can pick out a particular type of entry – note that instanceid is not necessarily the same as eventid.

Using Entrytype means we can select by the type of entry ie

Error
Warning
Information
SuccessAudit
FailureAudit

such as

Get-EventLog -LogName system -EntryType Error

With the source parameter we can filter based on the source used to write to the event log and –message allows us to select based on the message contents.

These new parameters enable us to interrogate the event logs in a much simpler manner – all of this can be performed in V1 but we need to pipe into where to perform the filtering – now we can do it in one pass in the cmdlet.  Add this to the capability of accessing the logs on remote computers and we can really start to integrate the data across our server logs – for instance we can easily check the logs on a number of domain controllers for logins in a certain time frame.

 

Technorati Tags: ,,

 

Sites and SiteLinks

In my series on System.DirectoryServices.ActiveDirectory I was going to cover creating sites and sitelinks – Rolf has just covered this material so I will point you there instead.

http://www.powershell-ag.de/ps/Blog/tabid/73/EntryID/1123/Default.aspx

 

Technorati Tags: ,