
Eventlog tailing and parsing using Powershell!

· ☕ 3 min read · ✍️ Javy de Koning

Issue

Last week I ran into a few DFS issues. When troubleshooting I like to actively watch the log file, or in this case, the Windows Eventlog. On Linux I would use tail -f but what about Windows Eventlog? Also, I only needed a certain part of the information, so there is a need to parse the Eventlog as well. Powershell to the rescue!

Powershell solution

So we need to:

  1. Get eventlog entries -> Get-Eventlog
  2. Parse output -> Select-String
  3. Keep tailing -> While ($true) {Do something}

Filtering events

So let's look at the command syntax to find information we can filter on.

Get-Help Get-Eventlog

Ok, so here we can use “LogName”, “ComputerName”, “EntryType”, “Message” and “Source”. That should be enough, let's have a look.

Get-EventLog -LogName 'dfs replication' -ComputerName 'Server01' -EntryType 'Information' -Message '*conflict*' -Source 'DFSR' -Newest 1 | Format-List -Property *


EventID            : 4412
MachineName        : Server01
Data               : {}
Index              : 3915869
Category           : (0)
CategoryNumber     : 0
EntryType          : Information
Message            : The DFS Replication service
detected that a file was changed on multiple
servers. A conflict resolution algorithm was
used to determine the winning file.

 The losing file was moved to the Conflict and
 Deleted folder. Additional Information:

Original File Path: C:\DFS\somepdffile.pdf

New Name in Conflict Folder: xxx

Replicated Folder Root: C:\DFS\

File ID: xxx

Replicated Folder Name: DFS

Replicated Folder ID: xxx

Replication Group Name: xxx

Replication Group ID: xxx

Member ID: xxx

Partner Member ID: xxx

Source             : DFSR
ReplacementStrings : {xxx}
InstanceId         : 1073746236
TimeGenerated      : 10/29/2015 11:51:20 AM
TimeWritten        : 10/29/2015 11:51:20 AM
UserName           :
Site               :
Container          :

Perfect!

Extracting the relevant information

Ok, so we found the events we are looking for, but we are only interested in the “Message” property. This is easily extracted by piping to “Select-Object”. Even more specifically, we only need the “Original File Path” line from the message. For that we can use “Select-String”. Finally we use “-replace” to remove the “Original File Path: ” prefix.

Get-EventLog -LogName 'dfs replication' `
             -ComputerName 'Server01' `
             -EntryType 'Information' `
             -Message '*conflict*' `
             -Source 'DFSR' `
             -Newest 1 |
Select-Object -Property message |
Select-String -Pattern 'Original.*' |
ForEach-Object -Process {$_.matches.value `
  -replace 'Original File Path: ',''}

C:\DFS\somepdffile.pdf

Great! Now we have the info we need.

Tailing the Eventlog

Eventlog entries have a unique and incrementing “Index” value. We can use Get-EventLog to find the latest entry and go from there.

Get-EventLog -LogName System -Newest 1 |
  Format-List -Property *

EventID            : 7036
MachineName        : Server01
Data               : {}
Index              : 10238

We can use the “Index” together with the “-Newest” parameter to filter on new events. Put that together with a “While” loop and we’ve got ourselves a nice solution! Here’s the final result:

$logname   = 'dfs replication'
$msgfilter = '*conflict*'
$computer  = 'Server01'
$index     = (Get-EventLog -LogName $logname -ComputerName $computer -Newest 1).Index

while ($true)
{
  Start-Sleep -Seconds 1
  $index2  = (Get-EventLog -LogName $logname -ComputerName $computer -Newest 1).Index

  # Nothing was written since the last poll
  if ($index2 -le $index) { continue }

  # -Newest counts *matching* entries, not all entries, so an older conflict
  # could be returned again when newer non-conflict events arrive.
  # Filtering on Index keeps only the entries written since the last poll.
  Get-EventLog -LogName $logname `
               -EntryType 'Information' `
               -ComputerName $computer `
               -Message $msgfilter `
               -Source 'DFSR' `
               -Newest ($index2 - $index) |
  Where-Object { $_.Index -gt $index } |
  Select-Object -Property message |
  Select-String -Pattern 'Original.*' |
  ForEach-Object -Process {
    $_.matches.value -replace 'Original File Path: ', ''
  }
  $index = $index2
}
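As an added example (not code from the original post), the same idea taken one step further: every “Key: Value” line of the DFSR conflict message is parsed into an object rather than just the one path, and the log is tailed by Index so each entry is reported exactly once. The function names are hypothetical, and the defaults (Server01, the 'dfs replication' log) are assumptions taken from the post.

```powershell
# Parse the "Key: Value" lines of a DFSR conflict message into one object
function ConvertFrom-DfsrConflictMessage {
    param([Parameter(Mandatory)][string]$Message)
    $fields = [ordered]@{}
    foreach ($line in ($Message -split "`r?`n")) {
        # e.g. "Original File Path: C:\DFS\somepdffile.pdf"; prose lines do not match
        if ($line -match '^\s*(?<key>[^:]+?):\s*(?<value>.+?)\s*$') {
            $fields[$Matches.key] = $Matches.value
        }
    }
    [pscustomobject]$fields
}
# Tail the log by Index; hypothetical function, parameter defaults are assumptions
function Watch-DfsrConflicts {
    param(
        [string]$LogName      = 'dfs replication',
        [string]$ComputerName = 'Server01',
        [int]$PollSeconds     = 1
    )
    $last = (Get-EventLog -LogName $LogName -ComputerName $ComputerName -Newest 1).Index
    while ($true) {
        Start-Sleep -Seconds $PollSeconds
        $newest = (Get-EventLog -LogName $LogName -ComputerName $ComputerName -Newest 1).Index
        if ($newest -le $last) { continue }
        # -Newest counts matching entries, so also filter on Index: an old
        # conflict must not be reported again when a newer non-conflict event arrives
        Get-EventLog -LogName $LogName -ComputerName $ComputerName -Source 'DFSR' `
                     -EntryType Information -Message '*conflict*' -Newest ($newest - $last) |
            Where-Object { $_.Index -gt $last } |
            ForEach-Object {
                $parsed = ConvertFrom-DfsrConflictMessage -Message $_.Message
                [pscustomobject]@{
                    Time      = $_.TimeGenerated
                    Index     = $_.Index
                    FilePath  = $parsed.'Original File Path'
                    GroupName = $parsed.'Replication Group Name'
                }
            }
        $last = $newest
    }
}
# Constructed sample mirroring the message shown above, so the parser runs offline
$sample = @"
The DFS Replication service detected that a file was changed on multiple servers.
Original File Path: C:\DFS\somepdffile.pdf
Replicated Folder Name: DFS
Replication Group Name: xxx
"@
ConvertFrom-DfsrConflictMessage -Message $sample | Format-List
```

Call Watch-DfsrConflicts on the DFS server to get one object per new conflict event; the objects pipe straight into Export-Csv or a SIEM forwarder instead of a bare path.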
