Powershell Query

_-J-_ · 26 Mar 2013 at 00:01

Can anyone shed light on the following, running the below command to try and start scripting a tool to check our servers

get-wmiobject win32_ntlogevent -filter ("Type='Error'")

Or also tried the following as a test

get-wmiobject win32_ntlogevent -filter ("EventCode='1030'") >> test.txt

And the output is

Category : 0
Category String :
Event Code :
Event Identifier :
Type Event :
Insertion Strings :
Log File :
Message : Windows cannot query for the list of Group Policy objects. Check the event log for possible message
s previously logged by the policy engine that describes the reason for this.

Record Number :
Source Name :
Time Generated :
Time Written :
Type : Error
User Name :

Basically need to know why the fields are blank as this needs to be populated, and the version of PowerShell is 1 and this cannot be upgraded.

Thanks in advance

DiscoDave · 26 Mar 2013 at 10:04

Hi J,

Is the output from get-wmiobject win32_ntlogevent -filter ("Type='Error'") also blank? Which server OS are you querying against?

ASE001 · 26 Mar 2013 at 11:30

get-wmiobject -class win32_NTlogevent -computer .| select -first 10 | out-file “C:\temp\class1.txt”

Have look at this, you may be able to develop this further.

_-J-_ · 26 Mar 2013 at 22:22

DiscoDave said:
Hi J,

Is the output from get-wmiobject win32_ntlogevent -filter ("Type='Error'") also blank? Which server OS are you querying against?

Running it on 2003 R2 and that command returns results, but the same fields are blank.

ASE001 said:
get-wmiobject -class win32_NTlogevent -computer .| select -first 10 | out-file “C:\temp\class1.txt”

Have look at this, you may be able to develop this further.

Running that (had to take out the out-file bit, think thats PS2?) gets 10 records but the same fields are blank, example below

Category : 0
Category String :
Event Code :
Event Identifier :
Type Event :
Insertion Strings :
Log File :
Message : Security policy in the Group policy objects has been applied successfully.

Record Number :
Source Name :
Time Generated :
Time Written :
Type : Information
User Name :

n30_mkii · 26 Mar 2013 at 23:03

Why not use the native cmdlets for events rather than Wmi? Especially if you are working locally?

Get-eventlog and get-event

_-J-_ · 29 Mar 2013 at 23:08

That works much better, now need to figure out how to run it on a remote machine. Wish we could install PowerShell 2!

n30_mkii · 30 Mar 2013 at 20:21

$filename = "FileName{0:ddMMyyyy-HHmm}" -f (Get-Date)
$comps = Import-Csv -Path C:\CompNames.txt -Delimiter ","
foreach($item in $comps){
Get-EventLog -ComputerName $item.ComputerName -LogName System -Newest 20 -EntryType Error | Export-Csv -Path "C:\$filename.csv" -Force
}

Example of CompName

Server1,TS
Server2,SQL

Any help?

SoundsGood · 1 Apr 2013 at 21:16

If you're doing this perhaps a central event log is a good idea

_-J-_ · 2 Apr 2013 at 06:55

n30_mkii said:
$filename = "FileName{0:ddMMyyyy-HHmm}" -f (Get-Date)
$comps = Import-Csv -Path C:\CompNames.txt -Delimiter ","
foreach($item in $comps){
Get-EventLog -ComputerName $item.ComputerName -LogName System -Newest 20 -EntryType Error | Export-Csv -Path "C:\$filename.csv" -Force
}

Example of CompName

Server1,TS
Server2,SQL

Any help?

The -ComputerName item does not work on PowerShell V1. This is the pain of not being able to install PowerShell 2 or PowerShell add-ins.