SOLVED

How to get event log from Server

Copper Contributor

Dear All,

 

Please help me. I've tried to create PS script in order to get event log when file is either deleted or created by somebody on ShareFile Server. It's working if they just create or delete only 1 file notification will be sent via email but when they delete or create more than 1 file at the same time the notification will be sent only the latest event not all event. Anyone please help me. Please see my PS script below.

 

 

 

$EventId = 4663

##$A = Get-WinEvent -MaxEvents 1  -FilterHashTable @{Logname = "Security" ; ID = $EventId}
$A = Get-WinEvent -MaxEvents 1  -FilterHashTable @{Logname = "Security" ; ID = $EventId} | Where {$_.properties[10].value -eq "0x4"}
##Get-WinEvent -MaxEvents 1  -FilterHashTable @{Logname = "Security" ; ID = 4663} | Where {$_.properties[10].value -eq "0x4"} | select *

foreach($event in $A){
$EventIDA = $event.Id
$MachineNameA = $event.MachineName
$TimeA = $event.TimeCreated
$TaskDisplayName = $event.TaskDisplayName
$RecordID = $event.RecordId
$AccountName = $event.Properties[1].value
$AccountDomain = $event.Properties[2].value
$ObjectName = $event.Properties[6].value
$Access = $event.Properties[12].value
$test = $event.Properties
}
#Write-Output $ObjectName'.evtx'

##Get date and time to create event log file --Comment
$logfile = get-date -Format yyyyMMdd_hhmmsstt

##Export event log to .evtx file
$EventSession = New-Object System.Diagnostics.Eventing.Reader.EventLogSession
#$EventSession.ExportLog('Security','LogName',"*[System[EventRecordID = $RecordID]]", "E:\BackupEventLog\RecordID.evtx")
$EventSession.ExportLog('Security','LogName',"*[System[EventRecordID = $RecordID]]", "E:\BackupEventLog\RecordID.evtx")
Rename-Item -Path "E:\BackupEventLog\RecordID.evtx" -NewName "$logfile.evtx"



$EmailFrom = "MyShareFileServer"
$EmailTo = "My Email", "My Colleague Email"
$Subject ="Alert From $MachineNameA"
$MessageA = $A.Message

$BodyA = "Event log URL: \\Server IP Address\E$\BackupEventLog 
`nNotification message 
`----------------------------------------------
`EventID: $EventIDA`nMachineName: $MachineNameA `nTime: $TimeA `nTask Display Name: $TaskDisplayName `nLogin Name: $AccountDomain\$AccountName `nPath: $ObjectName `nMessage: $MessageA"
##$BodyB = "EventID: $EventIDB`nSource: $SourceB`nMachineName: $MachineNameB `nTime: $TimeB `nMessage: $MessageB"

$SMTPServer = "SMTP IP Address"
$SMTPClient = New-Object Net.Mail.SmtpClient($SmtpServer, 587)
$SMTPClient.EnableSsl = $true
Send-MailMessage -SmtpServer $SMTPServer -From $EmailFrom -To $EmailTo -Subject $Subject -Body "$BodyA" -Attachments "E:\BackupEventLog\$logfile.evtx"

 

 

10 Replies
best response confirmed by theyounngun (Copper Contributor)
Solution

@theyounngun 

Hi

You can check the schedule history and see what happens and how the task was executed, probably you will find something like Task Scheduler did not launch task "\MyScriptName" because instance "{317256a8-7ddf-4cf8-8267-90ab66c84907}" of the same task is already running.

The Delete event log are listed one each another and I think that the Task Scheduler won't start the script as another instance is running.

What you can do is add a small delay to the script and let the script read multiple events and send them in one report, instead of having each event sent alone

@farismalaeb
Hi
Can you guide me what kind of command or how to add a small delay to script ? I'm not good at PS script. By the way do I have to make a change "MaxEvents" ?

Thank you.
sleep 20
Ok thanks. I will try to add that to script and might come to you again.

Have a nice day.
Hello Farismalaeb.

I checked the command is Start-Sleep -s 20 and I have to put at the end of script Am I correct ?

Thank you
Hi,
it's better to keep it in the top
Ok Noted. I will try.

Thank so much.

@theyounngun 

Also you can try it from here

farismalaeb_0-1614925824388.png

You can delay the script to be triggered on a delay time.

 

Excellent ! Thank so much.
Hopefully, it helps you 🙂

Please if the Answer was helpful, Click on Best Response.
1 best response

Accepted Solutions
best response confirmed by theyounngun (Copper Contributor)
Solution

@theyounngun 

Hi

You can check the schedule history and see what happens and how the task was executed, probably you will find something like Task Scheduler did not launch task "\MyScriptName" because instance "{317256a8-7ddf-4cf8-8267-90ab66c84907}" of the same task is already running.

The Delete event log are listed one each another and I think that the Task Scheduler won't start the script as another instance is running.

What you can do is add a small delay to the script and let the script read multiple events and send them in one report, instead of having each event sent alone

View solution in original post