Monthly Archives: July 2009

Parsing Event Logs with Powershell

Here’s something for every Administrator out there, parsing the event logs in Windows quickly and easily.

In Powershell, there is the “Get-EventLog” command.

And do you know HOW EASY it is to use?  And it works on both LOCAL and REMOTE eventlogs (Presuming permissions, etc etc etc)

Here’s the basic command line

    Get-EventLog [-AsString] [-ComputerName <string[]>] [-List] [<CommonParameters>]

    Get-EventLog [-LogName] <string> [[-InstanceId] <Int64[]>] [-After <DateTime>] [-AsBaseObject] [-Before <DateTime>] [-ComputerName <string[]>] [-EntryType <string[]>] [-Index <Int32[]>] [-Message <string>] [-Newest <int>] [-Source <string[]>] [-UserName <string[]>] [<CommonParameters>]

Now I’m going to break that down into something SIMPLE and USEFUL

All you REALLY need to know to WORK with this is one comparison operator: "-like"

So here we’re going to get my Application Log for any time it had OUTLOOK crash

    Get-EventLog -LogName Application | where { $_.Message -like "*outlook*" }

All that does is a wildcard search for the word Outlook ANYWHERE in the message (the match is case-insensitive).   If you’ve ever tried digging through the event Logs, you know what it’s like.  The Filter option JUST doesn’t cut it when you want to filter on the contents of the error messages.

Here in Powershell land?  Well we’re just getting started!

You can search FAILURE AUDITS for a particular user too!  Now of course you have to have the appropriate logging turned on first.   And the second Caveat is you HAVE to run Powershell “As Administrator” (Right Click, run as Administrator) as the Security logs are, shall we say, a little special.

But with that SAME command and an extra parameter -ComputerName I can find every time someone failed to type his/her password properly.

    Get-EventLog -LogName Security -ComputerName CONTOSO-DC | where { $_.EntryType -eq "FailureAudit" }

And if you PIPE that into an Export-Csv like so

    Get-EventLog -LogName Security -ComputerName CONTOSO-DC | where { $_.EntryType -eq "FailureAudit" } | Export-Csv C:\MYRESULTS.CSV

You can have logs you can dig through with Excel. 

But wait!  There’s more.

I can get REALLY granular!  I can look for which USER was failing on their password and filter THEM into an even smaller log.  Because Powershell (unlike the Eventviewer Filter) can SEE and Filter out results in the Message field!

    Get-EventLog -LogName Security -ComputerName CONTOSO-DC | where { ($_.EntryType -eq "FailureAudit") -and ($_.Message -like "*JOHN.SMITH*") }

And of course like before, you can pipe all of this into a useful CSV file.  This output also contains ALL the details from the event Log, including Dates and Times!

    Get-EventLog -LogName Security -ComputerName CONTOSO-DC | where { ($_.EntryType -eq "FailureAudit") -and ($_.Message -like "*JOHN.SMITH*") } | Export-Csv C:\BADPW.CSV
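Here is an added example that takes the same idea one step further; it is not from the original post. Instead of looking for one known account, it pulls the last day of failure audits from the DC, works out which account each failure was against, and counts failures per account so that a burst of bad passwords against a single account stands out (a locked-out service account, a mistyped password, or someone guessing). It uses Get-EventLog's own -EntryType and -After parameters from the syntax above for the coarse filter, and keeps the Message search for the fine-grained part. The computer name, the time window, the threshold and the output path are placeholders; the "Account Name:" regex is an assumption about the layout of the logon-failure message text on a Windows Server 2008-era DC (the target account is the last "Account Name:" line), with the entry's UserName property as a fallback. As the post says, the session must be elevated (or the account a member of the remote machine's Event Log Readers group) to read the Security log.

```powershell
# Added example, not part of the original post: summarise Security-log failure
# audits per account over a time window, then export and flag the busiest accounts.
param(
    [string]$ComputerName = 'CONTOSO-DC',          # placeholder DC name from the post
    [int]$Hours = 24,                               # assumed time window
    [int]$Threshold = 10,                           # assumed "worth a look" count
    [string]$OutFile = 'C:\BADPW-SUMMARY.CSV'       # placeholder output path
)

$since = (Get-Date).AddHours(-$Hours)

# -EntryType and -After are Get-EventLog parameters, so the coarse filter
# needs no Where-Object; the Message field is still searchable afterwards.
$failures = Get-EventLog -LogName Security -ComputerName $ComputerName `
                         -EntryType FailureAudit -After $since

$summary = $failures |
    ForEach-Object {
        # Assumption: the logon-failure message carries "Account Name:" lines and
        # the last one names the target account. Fall back to UserName otherwise.
        $hits = [regex]::Matches($_.Message, 'Account Name:\s+(\S+)')
        if ($hits.Count -gt 0) {
            $account = $hits[$hits.Count - 1].Groups[1].Value
        } else {
            $account = $_.UserName
        }
        # New-Object PSObject keeps this runnable on PowerShell v2.
        New-Object PSObject -Property @{
            Account = $account
            Time    = $_.TimeGenerated
            EventId = $_.EventID
            Source  = $_.Source
        }
    } |
    Group-Object Account |
    ForEach-Object {
        $ordered = $_.Group | Sort-Object Time
        New-Object PSObject -Property @{
            Account  = $_.Name
            Failures = $_.Count
            First    = ($ordered | Select-Object -First 1).Time
            Last     = ($ordered | Select-Object -Last 1).Time
        }
    } |
    Sort-Object Failures -Descending

# Same Export-Csv trick as the post, minus the "#TYPE" header line Excel trips over.
$summary | Export-Csv -Path $OutFile -NoTypeInformation

# Accounts at or above the threshold are the ones to follow up on.
$summary | Where-Object { $_.Failures -ge $Threshold } |
    Select-Object Account, Failures, First, Last | Format-Table -AutoSize
```

Save it as a .ps1 and run it from an elevated prompt with `.\script.ps1 -ComputerName CONTOSO-DC -Hours 48`; the CSV holds every account with its failure count and first/last failure time, and the table on screen shows only those over the threshold.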

This is why I love Powershell.   Without any real difficulty, it makes an Administrator’s life SOOO Much easier.  And more productive.

Sean
The Energized Tech


WINDOWS 7 and SERVER 2008 R2 RTM! YEAH! WOOOO!!!

Did you hear the news?

FRESH OFF THE PRESS! WINDOWS 7 and SERVER 2008 R2 are OFFICIALLY RELEASED TO MANUFACTURING!

Caught this in Twitter from the @MICROSOFT feed.  Here’s the posting for all to see

http://windowsteamblog.com/blogs/windows7/archive/2009/07/22/windows-7-has-been-released-to-manufacturing.aspx

Oh read it and sing! YES!   The SINGLE greatest day in HISTORY is HERE!

I’d be dancing and singing about in my cubicle right now if it weren’t for the fact that I would get “called out” for it :)

But *sniff* It’s HERE!!!!!! I’m WATCHING my Technet subscription right now like a hawk.

Windows 7 !  Redmond!  Microsoft!  THANK YOU for RTM so quick.

Tomorrow is going to be a fantastic day and the future even better.

7 is here.


Installing GFI Faxmaker NETPRINTQUEUE2FAX drivers in Windows Vista / Server 2008

Well I had a real head scratcher.

Had to setup a feature on a pc called “NETPRINTQUEUE2FAX” from GFI.  The procedure is dead simple.

Add UNC Virtual printer from GFI Fax server (just like adding any other printer)

Send documents to Printer with formatted commands.

Sit back and enjoy Frosty Beverages from a job well done.

Or that’s how it was supposed to be.  I knew there was nothing wrong with the server.   The guy that put it together was my boss who really knows his stuff.

And when I asked him “Hey, did you ever get the following problems adding this feature before?” He looked at me as if I had big pink antennae coming out of my head and I was wearing a large fluffy koala bear for shoes.

Yes.  This seemed to be a truly dumb question waiting for an answer.

But I plugged away at it.   Here’s what happened.  On an X64 Server 2008 box, you would connect to the printer, life was good and nothing worked when you sent to the printer.  No errors, No application logs saying anything.

Not even a peep.

So I decided to go the other path.  Try the 32bit driver instead.

It looked at me and laughed.

When I added the 32 bit driver on a 32 bit Vista machine it kept WHINING and COMPLAINING about “I can’t find FAXMAKER.CAT”

So I searched.  I dug through GIGS and GIGS of file storage.  This file didn’t exist!

I pulled off a couple of tricks and yanked the MSI files for both the 64 bit version and the 32 bit version out of the TEMP folders.  And running a neat little trick from this article on Tech-Recipes.com I pulled out ALL the files the installers dumped.

But try as I might.  This file was from the PHANTOM ZONE!

Then I thought, let’s try a different approach.  Let’s add the driver first.  If the driver files are REALLY corrupt, then they won’t add.

And so I did.  I went to the list of printers.  I pulled up “File/Run as Administrator/Server Properties” to get my list of drivers.   I added the driver manually, browsed to the folder on GFI where the drivers were kept and SURPRISE!

And what do you think popped up in front of me the minute I tried?  This lovely little message

[image: the error message shown when adding the driver]

Hmmm so it appears the drivers were failing halfway through the install.  And no error message either!  Thanks a lot GFI!

So I manually added the drivers to each computer through the Printer console.  Both the 64bit *AND* the 32bit gave the same error.  But after being added FIRST and agreeing to the evil red error message, connecting to the NETPRINTQUEUE2FAX printer afterwards was fine.   In fact I was actually sending faxes with no problem.

So if you’re running GFI Faxmaker and banging your head against the wall wondering WHY the NETPRINTQUEUE2FAX isn’t working in Vista?  Take this answer and use it.

And *ahem*.  Somebody give GFI a little kick in the pants for lack of Quality Control. 


Official dates for Windows 7 and Server 2008 R2

[image: table of the Windows 7 and Server 2008 R2 release dates]

You can read the whole story here.  But straight from Microsoft we have ALL the dates officially released for Windows 7 and Server 2008R2

We all know from yesterday’s news that the official RTM date is August 6th 2009.  Techs, Devs, IT Pros, Managers and most of the general population of the Planet EARTH are cheering about that.

But Not EVERYBODY can have Windows 7 on that day. 

But looking at those dates tells you one thing.  Summer is about to get a LOT more fun!  OEMs will be receiving English media as EARLY as TOMORROW!  Technet, MSDN and Volume License as early as August 6th and 7th!

And if you’re looking at ANY kind of Server deployment, Mid August is the time to target, with the unquenchable power of Server 2008R2 being released for the most part then!

And every IT Pro and Architect that’s an absolute speed freak has got to be quaking in their shoes to let loose this power!

FASTER BOOT TIMES!  Live Migration in Hyper-V!  A blazing rocket fast INTERFACE!  A system that’s praised by Mac, Linux AND PC users!

And oh… Did I mention the most important feature of Windows 7 and Server 2008R2?

The one you should get FOR THAT REASON ALONE?!

POWERSHELL V2 IS RELEASED IN THE O/S!!!

—————————

Oh THANK YOU THANK YOU THANK YOU MICROSOFT!

For bringing us CHRISTMAS in the SUMMER! w00t w00t w00t!

Sean
The over the top, can’t wait for August 6th 2009, singing and bouncing in his cubicle!

THE ENERGIZED TECH!

YEEEEEEEEEEEEEHHHHAAAAAAAAAAAA!!!!!!!!!!
