This is the one I was asked to supply a commentary for
This one has raised an interesting interpretation issue. The last design point asks:
- Your output should be organized such that the largest source of errors appears at the top of the output.
The figure shows the data sorted by Event source
I read the design point as: the log with the largest number of errors comes first. The script I produced for the commentary doesn't meet that last design point, so I've revised it.
```powershell
#Requires -Version 2
function Get-EventEntryCount{
[CmdletBinding()]
param (
 [parameter(Position=0,
    ValueFromPipeline=$true,
    ValueFromPipelineByPropertyName=$true)]
 [Alias("CN", "Computer")]
 [string[]]$computername="$env:COMPUTERNAME",

 [parameter(Position=1)]
 [ValidateSet("Error", "Information", "FailureAudit", "SuccessAudit", "Warning", "All", "*")]
 [string]$eventtype="Error"
)
BEGIN{
 # Reading remote logs and changing service state needs an elevated session
 $currentUser = [Security.Principal.WindowsIdentity]::GetCurrent()
 $testadmin = `
 (New-Object Security.Principal.WindowsPrincipal $currentUser).IsInRole(`
 [Security.Principal.WindowsBuiltinRole]::Administrator)
 if (!$testadmin){ Throw "Must be run with elevated privileges" }

 # Get-EventLog -EntryType does not accept "All" or "*"; for those values the
 # parameter is omitted via splatting so that every entry type is counted
 $typeFilter = @{}
 if ($eventtype -ne "All" -and $eventtype -ne "*") {
  $typeFilter.EntryType = $eventtype
 }
}#begin
PROCESS{
 foreach ($computer in $computername ){
  switch ($computer) {
   "." {$computer="$env:COMPUTERNAME"}
   "localhost" {$computer="$env:COMPUTERNAME"}
  }
  Write-Verbose "Processing computer: $computer"
  $data = @()
  if (Test-Connection -ComputerName $computer -Count 1 -Quiet){
   # Remote event log access needs the Remote Registry service; the object
   # captured here keeps the original state so it can be put back afterwards
   Write-Verbose "Starting Remote Registry service on $computer"
   $origrrsrv = Get-WmiObject -Class Win32_Service -Filter "Name='RemoteRegistry'" `
    -ComputerName $computer
   if ($origrrsrv.StartMode -eq "Disabled") {
    Set-Service -Name RemoteRegistry -ComputerName $computer -StartupType "Manual"
   }
   if ($origrrsrv.State -ne "Running") {
    $origrrsrv.StartService() | Out-Null
   }
   Write-Verbose "Retrieving logs for $computer"
   Get-EventLog -List -ComputerName $computer | foreach {
    $log = $_.Log
    Write-Verbose "Processing log: $log"
    if ($_.Entries.Count -gt 0) {
     Write-Debug "Processing event type $eventtype"
     $n = Get-EventLog -LogName $log @typeFilter -ComputerName $computer `
      -ErrorAction SilentlyContinue
     if ($null -ne $n){
      Write-Debug "Entries found"
      # One output object per event source, carrying the number of entries
      $n | group Source -NoElement | foreach{
       $data += New-Object -TypeName PSObject -Property @{
        ComputerName = $computer
        LogName = $log
        EntryType = $eventtype
        EntrySource = $_.Name
        EntryCount = $_.Count
       }
      }
     }
    } # end if entries
    else {
     Write-Verbose "$($computer): $log is empty"
    }
   } # end of log processing foreach
   # Restore the Remote Registry service to the state it was found in.
   # This runs once per computer, after every log has been read
   if ($origrrsrv.State -eq "Stopped") {
    $origrrsrv.StopService() | Out-Null
   }
   if ($origrrsrv.StartMode -eq "Disabled") {
    Set-Service -Name RemoteRegistry -ComputerName $computer -StartupType "Disabled"
   }
  }
  else {
   Write-Warning "Cannot contact $computer"
  } # end if ping
  Write-Output $data
 } ## end computer foreach
}#process
END{}#end
<#
.SYNOPSIS
Counts the number of entries of a given type in the event logs of a system
.DESCRIPTION
One or more computers - from pipeline or parameter - are accessed to read the
event logs and count the entries of a given type, grouped by event source.
Empty logs are detected and skipped (reported when -Verbose is used)
.PARAMETER computername
Name of computer for which log information is to be retrieved
.PARAMETER eventtype
Log entry type to count. Accepted values are -
"Error", "Information", "FailureAudit", "SuccessAudit", "Warning", "All", "*"
.EXAMPLE
Get-EventEntryCount
Accesses logs on local machine. Performs default display
.EXAMPLE
Get-EventEntryCount -computername "." | sort LogName, EntryCount -Descending |
Format-Table EntrySource, EntryCount -GroupBy LogName
Accesses logs on local machine. Format display and group by logname
.EXAMPLE
"dc02", "webr201", "server02" | Get-EventEntryCount |
sort ComputerName, LogName, EntryCount -Descending |
Format-Table Logname, EntrySource, EntryCount -GroupBy ComputerName
Accesses logs on remote machines. Computer names accepted from pipeline.
Format display and group by computer
.EXAMPLE
Get-EventEntryCount -computername "dc02", "webr201", "server02" |
sort ComputerName, LogName, EntryCount -Descending |
Format-Table Logname, EntrySource, EntryCount -GroupBy ComputerName
Accesses logs on remote machines. Computer names accepted as array.
Format display and group by computer
.INPUTS
Computer name - string or string array
Event type - string. Must be member of set
.OUTPUTS
Returns a custom object with properties:
ComputerName - name of computer
LogName - name of log
EntryType - Type of log entry
EntryCount - count of entries
EntrySource - event source
.NOTES
.LINK
#>
}
```
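Sorting by LogName orders the logs alphabetically, not by how many errors they hold. The following is an added example, not part of the original post, that takes the objects Get-EventEntryCount emits and orders them so that the log with the most entries comes first and, within each log, the noisiest source comes first. The function name Sort-EventEntryCount and the sample records are constructed for illustration.

```powershell
# Added example: order Get-EventEntryCount output by total entries per log,
# then by entries per source, so the biggest error producer is at the top.
function Sort-EventEntryCount {
    [CmdletBinding()]
    param (
        [parameter(Mandatory=$true, ValueFromPipeline=$true)]
        [PSObject]$InputObject
    )
    BEGIN { $rows = @() }
    PROCESS { $rows += $InputObject }
    END {
        # Total entries per computer/log pair decides the order of the logs
        $totals = @{}
        foreach ($r in $rows) {
            $key = "$($r.ComputerName)|$($r.LogName)"
            $totals[$key] = [int]$totals[$key] + [int]$r.EntryCount
        }
        $order = @(
            @{Expression='LogTotal';   Descending=$true}
            @{Expression='LogName';    Descending=$false}
            @{Expression='EntryCount'; Descending=$true}
        )
        $rows |
            Select-Object *, @{Name='LogTotal'; Expression={ $totals["$($_.ComputerName)|$($_.LogName)"] }} |
            Sort-Object $order
    }
}

# Constructed sample resembling what Get-EventEntryCount returns for one computer
$sample = @(
    New-Object PSObject -Property @{ComputerName='srv01'; LogName='Application'; EntryType='Error'; EntrySource='Application Error'; EntryCount=12}
    New-Object PSObject -Property @{ComputerName='srv01'; LogName='Application'; EntryType='Error'; EntrySource='MSSQLSERVER'; EntryCount=30}
    New-Object PSObject -Property @{ComputerName='srv01'; LogName='System'; EntryType='Error'; EntrySource='Service Control Manager'; EntryCount=70}
    New-Object PSObject -Property @{ComputerName='srv01'; LogName='System'; EntryType='Error'; EntrySource='DCOM'; EntryCount=5}
)

# System (75 entries) is listed before Application (42), and within each log
# the source with the most entries comes first
$sample | Sort-EventEntryCount |
    Format-Table LogName, EntrySource, EntryCount, LogTotal -GroupBy LogName -AutoSize
```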