Forum Discussion
Solved
How to get event log from Server
Dear All,
Please help me. I've tried to create PS script in order to get event log when file is either deleted or created by somebody on ShareFile Server. It's working if they just create or delete only 1 file notification will be sent via email but when they delete or create more than 1 file at the same time the notification will be sent only the latest event not all event. Anyone please help me. Please see my PS script below.
$EventId = 4663
##$A = Get-WinEvent -MaxEvents 1 -FilterHashTable @{Logname = "Security" ; ID = $EventId}
$A = Get-WinEvent -MaxEvents 1 -FilterHashTable @{Logname = "Security" ; ID = $EventId} | Where {$_.properties[10].value -eq "0x4"}
##Get-WinEvent -MaxEvents 1 -FilterHashTable @{Logname = "Security" ; ID = 4663} | Where {$_.properties[10].value -eq "0x4"} | select *
foreach($event in $A){
$EventIDA = $event.Id
$MachineNameA = $event.MachineName
$TimeA = $event.TimeCreated
$TaskDisplayName = $event.TaskDisplayName
$RecordID = $event.RecordId
$AccountName = $event.Properties[1].value
$AccountDomain = $event.Properties[2].value
$ObjectName = $event.Properties[6].value
$Access = $event.Properties[12].value
$test = $event.Properties
}
#Write-Output $ObjectName'.evtx'
##Get date and time to create event log file --Comment
$logfile = get-date -Format yyyyMMdd_hhmmsstt
##Export event log to .evtx file
$EventSession = New-Object System.Diagnostics.Eventing.Reader.EventLogSession
#$EventSession.ExportLog('Security','LogName',"*[System[EventRecordID = $RecordID]]", "E:\BackupEventLog\RecordID.evtx")
$EventSession.ExportLog('Security','LogName',"*[System[EventRecordID = $RecordID]]", "E:\BackupEventLog\RecordID.evtx")
Rename-Item -Path "E:\BackupEventLog\RecordID.evtx" -NewName "$logfile.evtx"
$EmailFrom = "MyShareFileServer"
$EmailTo = "My Email", "My Colleague Email"
$Subject ="Alert From $MachineNameA"
$MessageA = $A.Message
$BodyA = "Event log URL: \\Server IP Address\E$\BackupEventLog
`nNotification message
`----------------------------------------------
`EventID: $EventIDA`nMachineName: $MachineNameA `nTime: $TimeA `nTask Display Name: $TaskDisplayName `nLogin Name: $AccountDomain\$AccountName `nPath: $ObjectName `nMessage: $MessageA"
##$BodyB = "EventID: $EventIDB`nSource: $SourceB`nMachineName: $MachineNameB `nTime: $TimeB `nMessage: $MessageB"
$SMTPServer = "SMTP IP Address"
$SMTPClient = New-Object Net.Mail.SmtpClient($SmtpServer, 587)
$SMTPClient.EnableSsl = $true
Send-MailMessage -SmtpServer $SMTPServer -From $EmailFrom -To $EmailTo -Subject $Subject -Body "$BodyA" -Attachments "E:\BackupEventLog\$logfile.evtx"
Hi
You can check the schedule history and see what happens and how the task was executed, probably you will find something like Task Scheduler did not launch task "\MyScriptName" because instance "{317256a8-7ddf-4cf8-8267-90ab66c84907}" of the same task is already running.
The Delete event log are listed one each another and I think that the Task Scheduler won't start the script as another instance is running.
What you can do is add a small delay to the script and let the script read multiple events and send them in one report, instead of having each event sent alone
10 Replies
Hi
You can check the schedule history and see what happens and how the task was executed, probably you will find something like Task Scheduler did not launch task "\MyScriptName" because instance "{317256a8-7ddf-4cf8-8267-90ab66c84907}" of the same task is already running.
The Delete event log are listed one each another and I think that the Task Scheduler won't start the script as another instance is running.
What you can do is add a small delay to the script and let the script read multiple events and send them in one report, instead of having each event sent alone
- farismalaeb
Hi
Can you guide me what kind of command or how to add a small delay to script ? I'm not good at PS script. By the way do I have to make a change "MaxEvents" ?
Thank you.- sleep 20
