Javy de Koning


Issue

Last week I ran into a few DFS issues. When troubleshooting I like to actively watch the log file, or in this case, the Windows Eventlog. On Linux I would use tail -f, but what about the Windows Eventlog? I also only needed a certain part of the information, so the Eventlog has to be parsed as well. PowerShell to the rescue!

PowerShell solution

So we need to:

  1. Get eventlog entries -> Get-EventLog
  2. Parse output -> Select-String
  3. Keep tailing -> While ($true) {Do something}

Filtering events

So let's look at the command syntax to find information we can filter on.

Get-Help Get-EventLog

Ok, so here we can use “LogName”, “ComputerName”, “EntryType”, “Message” and “Source”. That should be enough; let's have a look.

Get-EventLog -LogName 'dfs replication' -ComputerName 'Server01' -EntryType 'Information' -Message '*conflict*' -Source 'DFSR' -Newest 1 | Format-List -Property *


EventID            : 4412
MachineName        : Server01
Data               : {}
Index              : 3915869
Category           : (0)
CategoryNumber     : 0
EntryType          : Information
Message            : The DFS Replication service
detected that a file was changed on multiple
servers. A conflict resolution algorithm was
used to determine the winning file.

 The losing file was moved to the Conflict and
 Deleted folder. Additional Information:

Original File Path: C:\DFS\somepdffile.pdf

New Name in Conflict Folder: xxx

Replicated Folder Root: C:\DFS\

File ID: xxx

Replicated Folder Name: DFS

Replicated Folder ID: xxx

Replication Group Name: xxx

Replication Group ID: xxx

Member ID: xxx

Partner Member ID: xxx

Source             : DFSR
ReplacementStrings : {xxx}
InstanceId         : 1073746236
TimeGenerated      : 10/29/2015 11:51:20 AM
TimeWritten        : 10/29/2015 11:51:20 AM
UserName           :
Site               :
Container          :

Perfect!

Extracting the relevant information

Ok, so we found the events we are looking for, but we are only interested in the “Message” property. This is easily extracted by piping to “Select-Object”. Even more specifically, we only need the “Original File Path” from the message. For that we can use “Select-String”. Finally we use “-replace” to remove the “Original File Path: ” prefix.

Get-EventLog -LogName 'dfs replication' `
             -ComputerName 'Server01' `
             -EntryType 'Information' `
             -Message '*conflict*' `
             -Source 'DFSR' `
             -Newest 1 |
Select-Object -Property message |
Select-String -Pattern 'Original.*' |
ForEach-Object -Process {$_.matches.value `
  -replace 'Original File Path: ',''}

C:\DFS\somepdffile.pdf

Great! Now we have the info we need.

Tailing the Eventlog

Eventlog entries have a unique and incrementing “Index” value. We can use Get-EventLog to find the latest entry and go from there.

Get-EventLog -LogName System -Newest 1 |
  Format-List -Property *

EventID            : 7036
MachineName        : Server01
Data               : {}
Index              : 10238

We can use the “Index” together with the “-Newest” parameter to filter on new events. Put that together with a “While” loop and we've got ourselves a nice solution! Here's the final result:

$logname   = 'dfs replication'
$computer  = 'Server01'
$msgfilter = '*conflict*'
# Remember the Index of the newest entry on the server we tail; everything above it is new.
$index     = (Get-EventLog -LogName $logname -ComputerName $computer -Newest 1).Index

while ($true)
{
  Start-Sleep -Seconds 1
  $index2 = (Get-EventLog -LogName $logname -ComputerName $computer -Newest 1).Index

  # Nothing new (or the log was cleared): skip this round instead of calling -Newest with 0 or a negative number.
  if ($index2 -le $index) { continue }

  # -Newest counts entries that match the filters, so an unrelated new event would make it
  # return an old conflict again; the Index check keeps only entries written since the last poll.
  Get-EventLog -LogName $logname `
               -EntryType 'Information' `
               -ComputerName $computer `
               -Message $msgfilter `
               -Source 'DFSR' `
               -Newest ($index2 - $index) |
  Where-Object { $_.Index -gt $index } |
  Select-Object -Property message |
  Select-String -Pattern 'Original.*' |
  ForEach-Object -Process {
    $_.matches.value -replace 'Original File Path: ', ''
  }
  $index = $index2
}
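As an added example (not code from the original post), here is the same tail built on Get-WinEvent, which replaces Get-EventLog on PowerShell 7 and lets the event log itself select the records newer than a watermark instead of counting with -Newest. It assumes the log name 'DFS Replication', provider 'DFSR' and event ID 4412 from the sample output above; the server name, poll interval and function names are placeholders.

```powershell
# Added example, not from the original post. Assumes the DFSR conflict event is
# ID 4412 in the 'DFS Replication' log (as in the sample output above);
# $computer and $pollSeconds are placeholders.
$computer    = 'Server01'
$logName     = 'DFS Replication'
$pollSeconds = 2

function Get-ConflictPath {
    # Pull "Original File Path: <path>" out of a 4412 message; $null if absent.
    param([string]$Message)
    if ($Message -match 'Original File Path:\s*([^\r\n]+)') { return $Matches[1].Trim() }
    return $null
}

function New-ConflictXPath {
    # Let the event log do the filtering: DFSR 4412 events with a record number above the watermark.
    param([long]$AfterRecordId)
    return "*[System[Provider[@Name='DFSR'] and EventID=4412 and EventRecordID > $AfterRecordId]]"
}

# Watermark = the highest RecordId written so far (any event in the log).
# RecordId only grows, so "RecordId > watermark" is exactly "new since the last poll".
$newest    = Get-WinEvent -ComputerName $computer -LogName $logName -MaxEvents 1 -ErrorAction SilentlyContinue
$watermark = if ($newest) { $newest.RecordId } else { 0 }

while ($true) {
    Start-Sleep -Seconds $pollSeconds
    # -Oldest returns ascending order, so the output reads like tail -f.
    # Get-WinEvent writes a non-terminating error when nothing matches; ignore it.
    $events = Get-WinEvent -ComputerName $computer -LogName $logName -Oldest `
                  -FilterXPath (New-ConflictXPath -AfterRecordId $watermark) `
                  -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $path = Get-ConflictPath -Message $e.Message
        if ($path) {
            [pscustomobject]@{ Time = $e.TimeCreated; RecordId = $e.RecordId; Path = $path }
        }
        $watermark = $e.RecordId
    }
}
```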