EventLog Monitoring

The other day I needed to analyse event logs for a certain app that users were complaining about.

I used PowerShell to retrieve and filter the logs, then Excel and pivot charts to identify the problem exceptions, machines and users.

PowerShell

Things to note:

  • The app ran on six Citrix servers, listed in the $ComputerNames array, and
  • some of the useful information was hidden in the text of the error message. Two regular expressions ($regexExType and $regexUser) capture the exception type and the current user from it.

# Event logs: collect ExceptionManager events from each server and flatten them to one row per event
Import-Module ActiveDirectory    # Get-ADUser (used below) comes from the RSAT ActiveDirectory module
$ComputerNames = @("Machine01","Machine02","Machine03","Machine04","Machine05","Machine06")
$ErrorList = New-Object System.Collections.Generic.List[object]
$StartTime = (Get-Date).Date.AddDays(-30)
$EndTime =  (Get-Date).Date.AddDays(1)

# (?m) makes ^ and $ match per line. [^\r\n]+ (rather than .+) stops the capture before the
# carriage return, otherwise every value carries a trailing CR into the CSV.
$regexExType = [regex] '(?m)^Exception Type:\s*([^\r\n]+)'
$regexUser = [regex] '(?m)^ExceptionManager.ThreadIdentity:\s*([^\r\n]+)'

ForEach($Computer in $ComputerNames)
{
    # -ErrorAction SilentlyContinue: a server with no matching events otherwise reports
    # "No events were found that match the specified selection criteria."
    $EvtLogs = Get-WinEvent -ComputerName $Computer -ErrorAction SilentlyContinue -FilterHashtable @{LogName='Application';StartTime=$StartTime;EndTime=$EndTime;ProviderName='ExceptionManagerPublishedException'}

    ForEach ($EvtLog in $EvtLogs)
    {
        # Pull the fields out of the message text; Groups[1].Value is "" when a message does not match
        $ExceptionType = $regexExType.Match($EvtLog.Message).Groups[1].Value.Trim()
        $User = $regexUser.Match($EvtLog.Message).Groups[1].Value.Trim()

        # "DOMAIN\user" -> "user"; skip the AD lookup when nothing was captured or the account is unknown
        $SamAccountName = ($User -split '\\')[-1]
        $UserDisplayName = $null
        if ($SamAccountName) {
            try { $UserDisplayName = (Get-ADUser $SamAccountName -ErrorAction Stop).Name } catch { }
        }

        $obj = [PSCustomObject]@{
            Server          = $Computer
            DateCreated     = $EvtLog.TimeCreated.Date
            TimeCreated     = $EvtLog.TimeCreated
            Level           = $EvtLog.LevelDisplayName
            Message         = $EvtLog.Message
            ExceptionType   = $ExceptionType
            User            = $User
            UserDisplayName = $UserDisplayName
        }

        #Write-Output $obj
        $ErrorList.Add($obj)
    }
}

$ErrorList | Sort-Object TimeCreated | Export-Csv -Path "D:\Work\EventLog.csv" -Delimiter "," -Force -NoTypeInformation

Things to change to make it useful:

  • The computer names (the $ComputerNames array)
  • The regexes that pick fields out of the message ($regexExType and $regexUser) and the ExceptionType, User and UserDisplayName properties built from them
  • The output path of the CSV file (the Export-Csv line)

Two practical points before running it. Reading the Application log remotely needs the account you run this as to be allowed to read event logs on each server (membership of the local Event Log Readers group is enough) and the "Remote Event Log Management" firewall rules enabled on them; Get-ADUser needs the RSAT ActiveDirectory module on the machine you run it from. The CSV carries user names and the full message text, which can include stack traces, file paths and whatever else the application put in the exception, so treat it as sensitive and do not leave it on a shared drive once the analysis is done.

Excel

Open the CSV file in Excel, select all and choose "Format as Table" (this makes it readable as well as naming the table "Table1").

Insert a Pivot Chart.

Set the range to "Table1" and tell it where to put the chart.

From there, build the pivot table: ExceptionType, Server and User are the fields to put on the rows and columns, with a count of events as the value; that gives the breakdown of errors by exception, machine and user that the CSV was built for.
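The same field extraction and the pivot from the two sections above, as an added example that is not part of the original post. It runs offline: the four event messages are constructed here, modelled on the "Exception Type:" and "ExceptionManager.ThreadIdentity:" lines the post's regexes expect, with CRLF line endings as real event log messages have. The function names (ConvertFrom-ExceptionMessage, Get-ExceptionPivot) and the "<unparsed>" / "<unknown>" placeholders are my own choices, and the AD lookup is left out because it needs a domain. The pivot is done in PowerShell so that the same breakdown can be produced on a schedule without the Excel step.

```powershell
# Added example, not the original post's code. Parses constructed ExceptionManager-style
# messages with the post's regex approach, then builds the Excel-style pivot in PowerShell.
$regexExType = [regex] '(?m)^Exception Type:\s*([^\r\n]+)'
$regexUser   = [regex] '(?m)^ExceptionManager.ThreadIdentity:\s*([^\r\n]+)'

function ConvertFrom-ExceptionMessage {
    # Turn one event (server, time, message text) into the flat row the CSV needs.
    param([string]$Server, [datetime]$TimeCreated, [string]$Message)

    # Groups[1].Value is "" when the line is absent; keep such rows visible instead of dropping them,
    # otherwise a wrong regex looks like "no errors".
    $exType = $regexExType.Match($Message).Groups[1].Value.Trim()
    if (-not $exType) { $exType = '<unparsed>' }
    $user = $regexUser.Match($Message).Groups[1].Value.Trim()
    if (-not $user) { $user = '<unknown>' }

    [PSCustomObject]@{
        Server        = $Server
        TimeCreated   = $TimeCreated
        ExceptionType = $exType
        User          = $user
        Message       = $Message
    }
}

function Get-ExceptionPivot {
    # Count rows per $RowField with one column per distinct $ColumnField value: the pivot table in code.
    param([object[]]$Rows, [string]$RowField = 'ExceptionType', [string]$ColumnField = 'Server')

    $columns = $Rows.$ColumnField | Sort-Object -Unique
    foreach ($group in ($Rows | Group-Object $RowField | Sort-Object Count -Descending)) {
        $line = [ordered]@{ $RowField = $group.Name; Total = $group.Count }
        foreach ($col in $columns) {
            $line[$col] = @($group.Group | Where-Object { $_.$ColumnField -eq $col }).Count
        }
        [PSCustomObject]$line
    }
}

# Constructed sample events (hypothetical servers, users and times). The third message has no
# ThreadIdentity line and the fourth is not an ExceptionManager message at all.
$crlf = "`r`n"
$sampleEvents = @(
    @{ Server = 'Machine01'; TimeCreated = [datetime]'2019-03-04 09:12:00'
       Message = "General Information" + $crlf + "Exception Type: System.NullReferenceException" + $crlf +
                 "ExceptionManager.ThreadIdentity: CONTOSO\alice" + $crlf + "Message: Object reference not set" }
    @{ Server = 'Machine02'; TimeCreated = [datetime]'2019-03-04 09:15:00'
       Message = "General Information" + $crlf + "Exception Type: System.NullReferenceException" + $crlf +
                 "ExceptionManager.ThreadIdentity: CONTOSO\bob" }
    @{ Server = 'Machine01'; TimeCreated = [datetime]'2019-03-04 10:01:00'
       Message = "General Information" + $crlf + "Exception Type: System.Data.SqlClient.SqlException" + $crlf +
                 "Message: Timeout expired" }
    @{ Server = 'Machine03'; TimeCreated = [datetime]'2019-03-04 10:30:00'
       Message = "Application started" }
)

$rows = foreach ($e in $sampleEvents) { ConvertFrom-ExceptionMessage @e }

# Guard against the CRLF pitfall: the capture must stop before the carriage return.
if ($rows[0].ExceptionType -ne 'System.NullReferenceException') { throw 'ExceptionType capture picked up the line ending' }

$rows | Format-Table Server, ExceptionType, User -AutoSize
Get-ExceptionPivot -Rows $rows -RowField ExceptionType -ColumnField Server | Format-Table -AutoSize
Get-ExceptionPivot -Rows $rows -RowField User -ColumnField ExceptionType | Format-Table -AutoSize
```

On real data, feed Get-ExceptionPivot the rows from the collection script, or `Import-Csv D:\Work\EventLog.csv` of the exported file; the second pivot (users by exception type) is the one that answers "which users keep hitting this" without opening Excel.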