Unable to show Windows Event Source & Username?

ITEngineer
Posts: 187
Joined: Wed Oct 12, 2011 10:52 am


Post by ITEngineer » Thu Jan 09, 2020 4:03 pm

Hi All,

I need some help in displaying the Event source & User from the below script to show the summary of Windows Event logs in the past X days.

The below script is working fine; it is just the two additional attribute values that are not showing.

Code:

$HtmlHead = @"
<style>
    body {
        font-family: Arial;
    }

    table {
        width: 100%;
        border-collapse: collapse;
        border: 1px solid;        
    }

    th {
        background-color: green;
        border: 1px solid;
        padding: 1px;
    }

    td {
        border: 1px solid;
        padding: 1px;
    }
</style>
"@

$ComputerName = "$ENV:COMPUTERNAME"
$Logs = 'Application', 'System'

$After = (Get-Date).AddDays(-1).Date.ToString('o')
$Before = (Get-Date).Date.AddDays(1).ToString('o')
$Filter = "*[System/Level<4 and System/TimeCreated[@SystemTime > '$After' and @SystemTime < '$Before']]"

foreach ( $LogType in $Logs ) {
    $ResultFile = "C:\temp\$ComputerName-EVENTS-$LogType.html"

    $HtmlDocument = Get-WinEvent -ComputerName $ComputerName -LogName $Logtype -FilterXPath $Filter | Group-Object Message | Sort-Object Count -Descending | ForEach-Object {
        [PSCustomObject]@{
            NumberOfEvents  = $_.Count
            FirstOccurrence = $_.Group[-1].TimeCreated
            LastOccurrence  = $_.Group[0].TimeCreated
            EventId         = $_.Group[0].Id
            Message         = $_.Name
            User            = $_.User
            Source          = $_.Source
        }
    } | ConvertTo-Html -Head $HtmlHead | Out-String

    # Send-MailMessage ... -Body $HtmlDocument -BodyAsHtml
    $HtmlDocument | Out-File $ResultFile
    Invoke-Item $ResultFile
}

Thank you in advance.
/* IT Engineer */

jvierra
Posts: 14145
Joined: Tue May 22, 2007 9:57 am

Re: Unable to show Windows Event Source & Username?

Post by jvierra » Thu Jan 09, 2020 5:06 pm

Those names are only part of the individual members of the group. Each group member will be different. You are only enumerating the groups and assuming that a group has more than one member and less than 3 where a group can have any number of members more than one.
The logic and assumptions you are using are faulty and what you are trying to do cannot be done. Rethink your requirements and state them in a way that accounts for the data being returned.

The following will give you something but it won't make much sense:

Code:

            [PSCustomObject]@{
                NumberOfEvents  = $_.Count
                FirstOccurrence = $_.Group[-1].TimeCreated
                LastOccurrence  = $_.Group[0].TimeCreated
                EventId         = $_.Group[0].Id
                Message         = $_.Group[0].Message
                User            = $_.Group[0].User
                Source          = $_.Group[0].Source
            }

ITEngineer
Posts: 187
Joined: Wed Oct 12, 2011 10:52 am

Re: Unable to show Windows Event Source & Username?

Post by ITEngineer » Thu Jan 09, 2020 6:17 pm

Mr. Vierra,

AFAIK, the filter System/Level<4 means to show any event log with the type of Warning, Error and Critical.

Code:

        Verbose       = 5
        Informational = 4
        Warning       = 3
        Error         = 2
        Critical      = 1
        LogAlways     = 0

Does it mean that it is not possible to add an additional column to show which service/source of the Event?

I understand that User may not be always populated, hence I can remove that column or member.
/* IT Engineer */

jvierra
Posts: 14145
Joined: Tue May 22, 2007 9:57 am

Re: Unable to show Windows Event Source & Username?

Post by jvierra » Thu Jan 09, 2020 6:35 pm

The server is part of the record. Just add it. It is called "MachineName".

Yes, I know the levels. They exist in every record. Level < 4 means show all levels that are less than 4.

"User" is not part of every event's system properties.

I think you really want "ProviderName" and "UserId"

The following will give you all of the "System" properties.

get-winevent -max 1 | fl *
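
The property names suggested above, put to work in a summary. This is an added example, not code posted by anyone in the thread: it reuses the question's XPath filter, groups on ProviderName and Id rather than on Message (a choice made here so each row has exactly one source), and translates UserId SIDs to account names. `Resolve-EventUser` is a hypothetical helper name.

```powershell
# Added example: summarise Warning/Error/Critical events with source and user columns.
$Logs   = 'Application', 'System'
$After  = (Get-Date).AddDays(-1).Date.ToString('o')
$Before = (Get-Date).Date.AddDays(1).ToString('o')
$Filter = "*[System/Level<4 and System/TimeCreated[@SystemTime > '$After' and @SystemTime < '$Before']]"

# Hypothetical helper: turn an event's UserId (a SecurityIdentifier) into DOMAIN\name.
function Resolve-EventUser {
    param([System.Security.Principal.SecurityIdentifier] $Sid)
    if ($null -eq $Sid) { return '' }          # many events carry no UserId at all
    try   { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid.Value }                        # SID cannot be resolved: show it raw
}

$Summary = foreach ($Log in $Logs) {
    # "No events were found" is a non-terminating error; suppress it for quiet logs.
    Get-WinEvent -LogName $Log -FilterXPath $Filter -ErrorAction SilentlyContinue |
        Group-Object ProviderName, Id |
        Sort-Object Count -Descending |
        ForEach-Object {
            # @() keeps indexing safe when a group holds a single event.
            $Events = @($_.Group | Sort-Object TimeCreated)
            # Every distinct account seen in the group, not just the first member's.
            $Users  = $Events | ForEach-Object { Resolve-EventUser $_.UserId } |
                      Where-Object { $_ } | Sort-Object -Unique
            [PSCustomObject]@{
                Log             = $Log
                NumberOfEvents  = $_.Count
                FirstOccurrence = $Events[0].TimeCreated
                LastOccurrence  = $Events[-1].TimeCreated
                EventId         = $Events[0].Id
                Source          = $Events[0].ProviderName
                Users           = $Users -join ', '
                LastMessage     = $Events[-1].Message
            }
        }
}

$Summary | Format-Table -AutoSize -Wrap
```

Because all members of a group share ProviderName and Id, the Source and EventId columns are unambiguous, while Users lists every account that appears in the group.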

ITEngineer
Posts: 187
Joined: Wed Oct 12, 2011 10:52 am

Re: Unable to show Windows Event Source & Username?

Post by ITEngineer » Thu Jan 09, 2020 8:25 pm

jvierra wrote:
Thu Jan 09, 2020 6:35 pm
The server is part of the record. Just add it. It is called "MachineName".

Yes, I know the levels. They exist in every record. Level < 4 means show all levels that are less than 4.

"User" is not part of every event's system properties.

I think you really want "ProviderName" and "UserId"

The following will give you all of the "System" properties.

get-winevent -max 1 | fl *

Yes, exactly,

it is working as expected :-)

many thanks for the pointer.
/* IT Engineer */
