Commit b937270

Create WindowsEventsDuringATimeSpan.ipynb
1 parent e900767 commit b937270

1 file changed

+157
-0
lines changed

@@ -0,0 +1,157 @@
1+
{
2+
"metadata": {
3+
"kernelspec": {
4+
"name": "powershell",
5+
"display_name": "PowerShell"
6+
},
7+
"language_info": {
8+
"name": "powershell",
9+
"codemirror_mode": "shell",
10+
"mimetype": "text/x-sh",
11+
"file_extension": ".ps1"
12+
}
13+
},
14+
"nbformat_minor": 2,
15+
"nbformat": 4,
16+
"cells": [
17+
{
18+
"cell_type": "markdown",
19+
"source": [
20+
"# Gathering information about a server from the Windows Event logs for a particular time\r\n",
21+
"\r\n",
22+
"Jess Pomfret has written a great blog about how you can use PowerShell to gather the Windows Event logs from a server for a particular period of time\r\n",
23+
"\r\n",
24+
"[https://jesspomfret.com/get-winevent/](https://jesspomfret.com/get-winevent/)\r\n",
25+
"\r\n",
26+
"## Choosing the logs that you want to investigate\r\n",
27+
"\r\n",
28+
"You might choose to just start with the system and application event logs, in which case, skip the next block, but if you wish to dig further, you will need to know the names of the logs. You can find the list of Windows Event Logs with records on a server with the code below. It will pop-up in a seperate window which will probably be hidden but you will see the flashing PowerShell Icon in the taskbar.\r\n",
29+
"\r\n",
30+
"You can search in the out-gridview box in the top bar to filter. It will take a couple minutes to run.\r\n",
31+
"\r\n",
32+
""
33+
],
34+
"metadata": {
35+
"azdata_cell_guid": "efc348a7-c944-4749-9f16-e5bf8a7215f1"
36+
}
37+
},
38+
{
39+
"cell_type": "code",
40+
"source": [
41+
"$computerName = ''\r\n",
42+
"Get-WinEvent -ListLog * -ComputerName $computerName | \r\n",
43+
"Where-Object RecordCount | \r\n",
44+
"Out-GridView"
45+
],
46+
"metadata": {
47+
"azdata_cell_guid": "9e1ccdc0-0994-4433-9d1e-1093a2040638"
48+
},
49+
"outputs": [],
50+
"execution_count": null
51+
},
52+
{
53+
"cell_type": "markdown",
54+
"source": [
55+
"Once you have decided which logs to interogate , you can add the computer name, the date and time you wish to investigate and the window in minutes. This will search before and after the time, you specify"
56+
],
57+
"metadata": {
58+
"azdata_cell_guid": "88a1a573-3200-44ba-a6d6-9d7ff8ec0f2d"
59+
}
60+
},
61+
{
62+
"cell_type": "code",
63+
"source": [
64+
"$computerName = '' ## Add the computername here\r\n",
65+
"$issueDateTime = get-date('2020-07-31 21:30') ## Add the date and time you are interested in here in the format 'yyyy-MM-dd HH:mm'\r\n",
66+
"$windowMins = 30 ## The number of minutes before and after the issue date time to gather information for\r\n",
67+
"$lognames = 'system','application' ## The log names you wish to interogate\r\n",
68+
"\r\n",
69+
"$winEventFilterHash = @{\r\n",
70+
" LogName = $lognames\r\n",
71+
" StartTime = $issueDateTime.AddMinutes(-($windowMins/2))\r\n",
72+
" EndTime = $issueDateTime.AddMinutes(($windowMins/2))\r\n",
73+
"}\r\n",
74+
"\r\n",
75+
"# Run this first to make sure output width does not mess with output - Update output buffer size to prevent clipping in Visual Studio Code output window.\r\n",
76+
"if( $Host -and $Host.UI -and $Host.UI.RawUI ) {\r\n",
77+
" $rawUI = $Host.UI.RawUI\r\n",
78+
" $oldSize = $rawUI.BufferSize\r\n",
79+
" $typeName = $oldSize.GetType( ).FullName\r\n",
80+
" $newSize = New-Object $typeName (500, $oldSize.Height)\r\n",
81+
" $rawUI.BufferSize = $newSize\r\n",
82+
" }\r\n",
83+
"\r\n",
84+
"Get-WinEvent -FilterHashtable $winEventFilterHash -ComputerName $computerName | Select-Object LogName,\r\n",
85+
"ProviderName,\r\n",
86+
"TimeCreated,\r\n",
87+
"Id,\r\n",
88+
"LevelDisplayName,\r\n",
89+
"@{l='UserName';e={(New-Object System.Security.Principal.SecurityIdentifier($_.UserId)).Translate([System.Security.Principal.NTAccount])}}, \r\n",
90+
"Message | Format-Table -AutoSize -Wrap"
91+
],
92+
"metadata": {
93+
"azdata_cell_guid": "7ae2cf02-07a8-4cf9-9b7e-d13f428a9276"
94+
},
95+
"outputs": [
96+
{
97+
"output_type": "stream",
98+
"name": "stdout",
99+
"text": "\nLogName ProviderName TimeCreated Id LevelDisplayName UserName Message \n------- ------------ ----------- -- ---------------- -------- ------- \nApplication SQLSERVERAGENT 31/07/2020 21:43:12 208 Warning SQL Server Scheduled Job 'SQLWATCH-INTERNAL-CHECKS' (0x1445E6E50C164A42BD2EFE701C825AAC) - Status: Failed - Invoked on: 2020-07-31 22:42:43 - Message: The job failed. The Job was invoked by Schedule 90 (SQLWATCH-INTERNAL-CHECKS). The last step to run was step 1 (dbo.usp_sqlwatch_internal_process_checks).\nApplication SQLSERVERAGENT 31/07/2020 21:37:16 208 Warning SQL Server Scheduled Job 'SQLWATCH-INTERNAL-CHECKS' (0x1445E6E50C164A42BD2EFE701C825AAC) - Status: Failed - Invoked on: 2020-07-31 22:36:43 - Message: The job failed. The Job was invoked by Schedule 90 (SQLWATCH-INTERNAL-CHECKS). The last step to run was step 1 (dbo.usp_sqlwatch_internal_process_checks).\nApplication SQLSERVERAGENT 31/07/2020 21:23:18 208 Warning SQL Server Scheduled Job 'SQLWATCH-INTERNAL-CHECKS' (0x1445E6E50C164A42BD2EFE701C825AAC) - Status: Failed - Invoked on: 2020-07-31 22:21:43 - Message: The job failed. The Job was invoked by Schedule 90 (SQLWATCH-INTERNAL-CHECKS). The last step to run was step 1 (dbo.usp_sqlwatch_internal_process_checks).\n\n\n. {\n>> $computerName = 'CEAWA06432.EMEA.ZURICH.CORP' ## Add the computername here\n>> $issueDateTime = get-date('2020-07-31 21:3"
100+
}
101+
],
102+
"execution_count": 4
103+
},
104+
{
105+
"cell_type": "markdown",
106+
"source": [
107+
"## Exporting it to Excel\r\n",
108+
"\r\n",
109+
"If you wish to export the results to Excel for analysis, you can use the ImportExcel module and the code below. Again, you will need to update the Computer name, Windows Event Log names and time as before"
110+
],
111+
"metadata": {
112+
"azdata_cell_guid": "65acdf4d-7db7-4a94-9a35-46b15ef80b2b"
113+
}
114+
},
115+
{
116+
"cell_type": "code",
117+
"source": [
118+
"$computerName = '' ## Add the computername here\r\n",
119+
"$issueDateTime = get-date('2020-07-31 21:30') ## Add the date and time you are interested in here in the format 'yyyy-MM-dd HH:mm'\r\n",
120+
"$windowMins = 30 ## The number of minutes before and after the issue date time to gather information for\r\n",
121+
"$lognames = 'system','application' ## The log names you wish to interogate\r\n",
122+
"$filepath = 'C:\\temp\\' # path to folder for the Excel workbook\r\n",
123+
"\r\n",
124+
"$winEventFilterHash = @{\r\n",
125+
" LogName = 'system','application'\r\n",
126+
" StartTime = $issueDateTime.AddMinutes(-($windowMins/2))\r\n",
127+
" EndTime = $issueDateTime.AddMinutes(($windowMins/2))\r\n",
128+
"}\r\n",
129+
"\r\n",
130+
"$issueDateTimeexcel = Get-Date($issueDateTime) -Format 'yyyy-MM-dd_HH_MM'\r\n",
131+
"\r\n",
132+
"$Worksheetname = $computerName.split('.')[0] + '_' + $issueDateTimeexcel\r\n",
133+
"$filepath = $filepath + $WorksheetName + '.xlsx'\r\n",
134+
"Get-WinEvent -FilterHashtable $winEventFilterHash -ComputerName $computerName | Select-Object LogName,\r\n",
135+
"ProviderName,\r\n",
136+
"TimeCreated,\r\n",
137+
"Id,\r\n",
138+
"LevelDisplayName,\r\n",
139+
"@{l='UserName';e={(New-Object System.Security.Principal.SecurityIdentifier($_.UserId)).Translate([System.Security.Principal.NTAccount])}}, \r\n",
140+
"Message | Export-Excel -Path $filepath -FreezeTopRow -AutoSize -AutoFilter -WorksheetName $Worksheetname -BoldTopRow \r\n",
141+
"\r\n",
142+
"Invoke-Item $filepath"
143+
],
144+
"metadata": {
145+
"azdata_cell_guid": "adcf18fd-d4cc-449f-b970-633ed83ab815"
146+
},
147+
"outputs": [
148+
{
149+
"name": "stdout",
150+
"text": "",
151+
"output_type": "stream"
152+
}
153+
],
154+
"execution_count": 4
155+
}
156+
]
157+
}
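Review bot: the Excel cell (line `125+`) hard-codes `LogName = 'system','application'` instead of using the `$lognames` variable it defines four lines earlier, so the cell's own instruction to update the log names has no effect there; use `LogName = $lognames` as the first code cell does. Two related logic points in the same hunk: `Get-Date($issueDateTime) -Format 'yyyy-MM-dd_HH_MM'` (line `130+`) uses `MM` (month) where minutes (`mm`) are clearly intended, so the worksheet and file name carry the month rather than the minute, and the comment on `$windowMins` (lines `66+` and `120+`) describes it as the number of minutes before and after the issue time while the code halves it (`AddMinutes(-($windowMins/2))`), giving 15 minutes either side for a value of 30; make the comment and the arithmetic agree. The `UserName` calculated property (lines `89+` and `139+`) constructs a `SecurityIdentifier` from `$_.UserId`, which is null for many system events and will error on those rows; wrapping it in `if ($_.UserId) { ... }` keeps the column clean. Finally, the saved output on line `99+` includes an internal fully qualified hostname (`CEAWA06432.EMEA.ZURICH.CORP`) from a real run; clear cell outputs before committing so a template notebook does not publish real server names.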
