New Event Report Revised

Last year I posted an update to an old Mr. Roboto script that was an update to an even older VBScript. Still with me? My last revision leveraged the new Get-WinEvent cmdlet to create an HTML report of recent error activity on one or more computers. The problem was that I didn’t account for older computers that don’t support Get-WinEvent. I finally have a version that does.

This latest, and hopefully last, version will now check the operating system of the computer you want to query.

[cc lang="PowerShell"]
$os=Get-WmiObject -Query "Select Caption from Win32_OperatingSystem" -EnableAllPrivileges -ComputerName $computer -ErrorAction "Stop"
[/cc]

I use a simple regular expression match to test the OS version.

[cc lang="PowerShell"]
If ($os.caption -match "2000|XP|2003") {
    #if computer is running an old OS then use Get-WmiObject
    #define some scriptblocks
[/cc]
If the Caption property indicates an OS that is Vista or later, the rest of the function is essentially unchanged. Otherwise I fall back to the Get-WmiObject code from my original version. The benefit is that with version 2 we now have the -EnableAllPrivileges parameter on Get-WmiObject.
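Here is an added example, not code from the original script, of a stricter version of that gate. It reads the Version property of Win32_OperatingSystem and compares the NT version number instead of pattern-matching the Caption, so it is not fooled by a localized caption and does not need a new regex alternative for every old release. Get-WinEvent talks to the Windows Event Log service that arrived with Vista and Server 2008, which is NT 6.0; anything older needs the WMI path. The function name Test-LegacyEventLog and its parameter names are my own.

```powershell
# Added example (not the original script's code): decide which event-log API a
# remote computer supports from Win32_OperatingSystem.Version rather than from
# a Caption regex. Get-WinEvent requires the Vista / Server 2008 event log
# service, i.e. an NT version of 6.0 or later.
function Test-LegacyEventLog {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)]
        [string]$ComputerName,
        [System.Management.Automation.PSCredential]$Credential
    )

    # Splat the optional credential instead of assembling a command string.
    $wmiParams = @{
        Class        = 'Win32_OperatingSystem'
        Property     = 'Caption','Version'
        ComputerName = $ComputerName
        ErrorAction  = 'Stop'
    }
    if ($Credential) { $wmiParams['Credential'] = $Credential }

    $os = Get-WmiObject @wmiParams

    # Version is "5.0.2195" for 2000, "5.1.2600" for XP, "5.2.3790" for 2003
    # and "6.0.6002" for Vista SP2; [version] compares numerically.
    $ntVersion = [version]$os.Version
    $legacy = $ntVersion -lt [version]'6.0'

    Write-Verbose ("{0} reports '{1}' ({2}); legacy = {3}" -f `
        $ComputerName, $os.Caption, $os.Version, $legacy)
    $legacy
}

# Usage (assumed variable names from the surrounding function):
# if (Test-LegacyEventLog -ComputerName $computer -Credential $credential) {
#     # Get-WmiObject / Win32_NTLogEvent path
# } else {
#     # Get-WinEvent path
# }
```

Get-WmiObject rejects -Credential when the target is the local computer, so the caller should only supply a credential for remote targets, exactly as the original function already does.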

[cc lang="PowerShell"]
$query="Select ComputerName,Message,TimeGenerated,Type,SourceName,EventCode,Logfile from win32_NTLogEvent WHERE (Type='warning' OR Type='error' OR Type='Audit Failure') AND TimeWritten>'$dmtf'"
Write-Verbose $query
$cmd='Get-WmiObject -ComputerName $computer -query $query -enableAllPrivileges'

if ($credential) {
    $cmd=$cmd + " -credential `$credential"
}
Write-Verbose $cmd

$status="Getting event log data from $computer"
Write-Progress -Activity $activity -Status $status -CurrentOperation "Querying logs"

$results+=Invoke-Expression $cmd |
    select @{name="Computername";Expression={($_.ComputerName).ToUpper()}},
    Type,@{name="TimeCreated";Expression={$_.ConvertToDateTime($_.TimeGenerated)}},
    @{Name="ProviderName";Expression={$_.SourceName}},
    @{Name="ID";Expression={$_.EventCode}},Message,
    @{Name="LogName";Expression={$_.Logfile}}
[/cc]

I wish I could use Get-EventLog, but it doesn't have a parameter that supports alternate credentials. I could have used remoting, but then I would also have had to assume that PowerShell 2 was installed on legacy systems with remoting enabled, and I didn't want to force that assumption on people.
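One caveat on the command string above: Invoke-Expression parses whatever is in $computer and $query as PowerShell code, not as data. If the computer names come from a file or a user-supplied list, a value such as "srv1; Remove-Item C:\*" would run the second statement under the account executing the report. Splatting passes the same values as parameters, so no string is ever evaluated and the optional -Credential is added as a hashtable key. The following is an added example, not the script's own code: the function name Get-LegacyEventData, its parameters and the DMTF conversion call are my choices, while the WQL query and the property mapping follow the snippet above.

```powershell
# Added example (not the original script's code): the legacy Win32_NTLogEvent
# query with its parameters splatted instead of assembled into a string for
# Invoke-Expression. $ComputerName, the query and the credential are passed as
# values, so a hostile computer name cannot be executed as PowerShell.
function Get-LegacyEventData {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)]
        [string]$ComputerName,
        [datetime]$After = (Get-Date).AddHours(-24),
        [System.Management.Automation.PSCredential]$Credential
    )

    # WMI compares TimeWritten against a DMTF datetime string
    # (yyyymmddHHMMSS.ffffff+UUU); build it rather than formatting by hand.
    $dmtf = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($After)

    # The only value interpolated into the WQL text is the DMTF string we just
    # produced; nothing user-controlled reaches the query.
    $query = "SELECT ComputerName,Message,TimeGenerated,Type,SourceName,EventCode,Logfile " +
             "FROM Win32_NTLogEvent " +
             "WHERE (Type='Warning' OR Type='Error' OR Type='Audit Failure') " +
             "AND TimeWritten>'$dmtf'"
    Write-Verbose $query

    $wmiParams = @{
        Query               = $query
        ComputerName        = $ComputerName
        EnableAllPrivileges = $true
        ErrorAction         = 'Stop'
    }
    if ($Credential) { $wmiParams['Credential'] = $Credential }

    Write-Verbose "Getting event log data from $ComputerName"

    # Same output shape as the Get-WinEvent branch so both paths report alike.
    Get-WmiObject @wmiParams |
        Select-Object @{Name='Computername';Expression={$_.ComputerName.ToUpper()}},
            Type,
            @{Name='TimeCreated';Expression={$_.ConvertToDateTime($_.TimeGenerated)}},
            @{Name='ProviderName';Expression={$_.SourceName}},
            @{Name='ID';Expression={$_.EventCode}},
            Message,
            @{Name='LogName';Expression={$_.Logfile}}
}

# Usage (assumed variable names from the surrounding function):
# $results += Get-LegacyEventData -ComputerName $computer -After (Get-Date).AddDays(-1) -Credential $credential
```

ConvertToDateTime is the helper PowerShell attaches to every object Get-WmiObject returns, so the TimeCreated conversion works unchanged; the function simply refuses to build code out of data.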

The rest of the function works pretty much as before. All the matching events are converted to HTML, and then I walk the resulting lines one by one to add style tags.

[cc lang="PowerShell"]
# The HTML tag literals inside the quoted match patterns and inside the
# Replace() arguments did not survive the page's rendering; the fragments
# that remain are shown as they appear.
foreach ($line in $html) {
    $i++
    Write-Progress -Activity $activity -Status $status -CurrentOperation "Colorizing" -PercentComplete $($i/($html.count)*100)
    Switch -regex ($line) {
        "\w+" {
            Write-Verbose "Colorizing header"
            $colorized+=$line.Replace("","")
        }
        "Error" {
            Write-Verbose "Colorizing Error"
            $colorized+=$line.Replace("","")
        }
        "Critical" {
            Write-Verbose "Colorizing Critical"
            $colorized+=$line.Replace("","")
        }
        "Security" {
            Write-Verbose "Colorizing Audit Failure"
            $colorized+=$line.Replace("","")
        }
        "" {
            Write-Verbose "Adding footer $($footer)"
            $colorized+=$line.Replace("",$footer)
        }
        Default {
            $colorized+=$line
        }
    } #end Switch
}
[/cc]
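Because the tag strings inside that switch were lost when the post was rendered, here is an added example, not the script's own code, of the same technique end to end: ConvertTo-Html -Fragment turns the event objects into one table row per line, a Switch -Regex restyles the header row and any row whose Type cell reads Error, Critical or Audit Failure, and a footer is appended ahead of the closing body tag. The function name, the colors, the sample events and the choice to key on the Type cell rather than on the Security log name are my assumptions. One property of ConvertTo-Html matters here: it HTML-encodes cell text, so an event message that an attacker influenced (a crafted account name in a failed logon, say) is rendered as text rather than as markup in the report.

```powershell
# Added example, not the original script's code. Function name, colors and
# variable names are assumed; the sample events at the bottom are constructed.
function ConvertTo-ColorizedReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)]
        [object[]]$Events,
        [string]$Title  = 'Event Report',
        [string]$Footer = "<p>Generated $(Get-Date) by $env:USERNAME on $env:COMPUTERNAME</p>"
    )

    # Assumed row styles, keyed by the text ConvertTo-Html writes into the Type cell.
    $rowStyle = @{
        'Error'         = 'background-color:#f8d7da'
        'Critical'      = 'background-color:#f5c6cb;font-weight:bold'
        'Audit Failure' = 'background-color:#fff3cd'
    }

    # -Fragment yields only the <table>; each row arrives as a single string, and
    # the cell text is HTML-encoded, so markup inside a message stays literal.
    $html = $Events |
        ConvertTo-Html -Fragment -Property Computername,Type,TimeCreated,ProviderName,ID,Message,LogName

    $colorized = foreach ($line in $html) {
        Switch -Regex ($line) {
            '<th>\w+</th>' {
                Write-Verbose 'Colorizing header'
                $line.Replace('<tr>', "<tr style='background-color:#343a40;color:#ffffff'>")
            }
            '<td>(Error|Critical|Audit Failure)</td>' {
                Write-Verbose "Colorizing $($Matches[1])"
                $line.Replace('<tr>', "<tr style='$($rowStyle[$Matches[1]])'>")
            }
            Default { $line }
        }
    }

    # Wrap the table in a document and place the footer before </body>.
    '<html><head><title>' + $Title + '</title></head><body>'
    $colorized
    $Footer
    '</body></html>'
}

# Constructed sample rows, shaped like the objects the report function builds.
# The second message carries markup on purpose to show it is encoded, not rendered.
$sample = @(
    New-Object PSObject -Property @{Computername='SRV1';Type='Error';TimeCreated=(Get-Date);ProviderName='Service Control Manager';ID=7034;Message='The Print Spooler service terminated unexpectedly.';LogName='System'}
    New-Object PSObject -Property @{Computername='SRV1';Type='Audit Failure';TimeCreated=(Get-Date);ProviderName='Microsoft-Windows-Security-Auditing';ID=4625;Message='An account failed to log on. Account Name: <script>alert(1)</script>';LogName='Security'}
    New-Object PSObject -Property @{Computername='SRV1';Type='Warning';TimeCreated=(Get-Date);ProviderName='Microsoft-Windows-Time-Service';ID=36;Message='The time service has not synchronized the system time.';LogName='System'}
)

ConvertTo-ColorizedReport -Events $sample -Verbose | Out-File -FilePath .\EventReport.html -Encoding UTF8
```

Keying the match on the whole `<td>…</td>` cell rather than on the bare word Error avoids restyling a row merely because the word appears somewhere in the message text, which the original pattern would do.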

Download New-EventReport-v2.3 and dot source the script in your PowerShell session. The New-EventReport function has full comment-based help.
