Commit da85fb0

Added Windows Events gathering
1 parent 7108c0d commit da85fb0

2 files changed, +298 −0 lines changed

+151
@@ -0,0 +1,151 @@
1+
{
2+
"metadata": {
3+
"kernelspec": {
4+
"name": "powershell",
5+
"display_name": "PowerShell"
6+
},
7+
"language_info": {
8+
"name": "powershell",
9+
"codemirror_mode": "shell",
10+
"mimetype": "text/x-sh",
11+
"file_extension": ".ps1"
12+
}
13+
},
14+
"nbformat_minor": 2,
15+
"nbformat": 4,
16+
"cells": [
17+
{
18+
"cell_type": "markdown",
19+
"source": [
20+
"# Gathering information about a server from the Windows Event logs for a particular time\r\n",
21+
"\r\n",
22+
"Jess Pomfret has written a great blog about how you can use PowerShell to gather the Windows Event logs from a server for a particular period of time\r\n",
23+
"\r\n",
24+
"[https://jesspomfret.com/get-winevent/](https://jesspomfret.com/get-winevent/)\r\n",
25+
"\r\n",
26+
"## Choosing the logs that you want to investigate\r\n",
27+
"\r\n",
28+
"You might choose to just start with the system and application event logs, in which case, skip the next block, but if you wish to dig further, you will need to know the names of the logs. You can find the list of Windows Event Logs with records on a server with the code below. It will pop-up in a seperate window which will probably be hidden but you will see the flashing PowerShell Icon in the taskbar.\r\n",
29+
"\r\n",
30+
"You can search in the out-gridview box in the top bar to filter. It will take a couple minutes to run.\r\n",
31+
"\r\n",
32+
""
33+
],
34+
"metadata": {
35+
"azdata_cell_guid": "efc348a7-c944-4749-9f16-e5bf8a7215f1"
36+
}
37+
},
38+
{
39+
"cell_type": "code",
40+
"source": [
41+
"$computerName = ''\r\n",
42+
"Get-WinEvent -ListLog * -ComputerName $computerName | \r\n",
43+
"Where-Object RecordCount | \r\n",
44+
"Out-GridView"
45+
],
46+
"metadata": {
47+
"azdata_cell_guid": "9e1ccdc0-0994-4433-9d1e-1093a2040638"
48+
},
49+
"outputs": [],
50+
"execution_count": null
51+
},
52+
{
53+
"cell_type": "markdown",
54+
"source": [
55+
"Once you have decided which logs to interogate , you can add the computer name, the date and time you wish to investigate and the window in minutes. This will search before and after the time, you specify"
56+
],
57+
"metadata": {
58+
"azdata_cell_guid": "88a1a573-3200-44ba-a6d6-9d7ff8ec0f2d"
59+
}
60+
},
61+
{
62+
"cell_type": "code",
63+
"source": [
64+
"$computerName = '' ## Add the computername here\r\n",
65+
"$issueDateTime = get-date('2020-07-31 21:30') ## Add the date and time you are interested in here in the format 'yyyy-MM-dd HH:mm'\r\n",
66+
"$windowMins = 30 ## The number of minutes before and after the issue date time to gather information for\r\n",
67+
"$lognames = 'system','application' ## The log names you wish to interogate\r\n",
68+
"\r\n",
69+
"$winEventFilterHash = @{\r\n",
70+
" LogName = $lognames\r\n",
71+
" StartTime = $issueDateTime.AddMinutes(-($windowMins/2))\r\n",
72+
" EndTime = $issueDateTime.AddMinutes(($windowMins/2))\r\n",
73+
"}\r\n",
74+
"\r\n",
75+
"# Run this first to make sure output width does not mess with output - Update output buffer size to prevent clipping in Visual Studio Code output window.\r\n",
76+
"if( $Host -and $Host.UI -and $Host.UI.RawUI ) {\r\n",
77+
" $rawUI = $Host.UI.RawUI\r\n",
78+
" $oldSize = $rawUI.BufferSize\r\n",
79+
" $typeName = $oldSize.GetType( ).FullName\r\n",
80+
" $newSize = New-Object $typeName (500, $oldSize.Height)\r\n",
81+
" $rawUI.BufferSize = $newSize\r\n",
82+
" }\r\n",
83+
"\r\n",
84+
"Get-WinEvent -FilterHashtable $winEventFilterHash -ComputerName $computerName | Select-Object LogName,\r\n",
85+
"ProviderName,\r\n",
86+
"TimeCreated,\r\n",
87+
"Id,\r\n",
88+
"LevelDisplayName,\r\n",
89+
"@{l='UserName';e={(New-Object System.Security.Principal.SecurityIdentifier($_.UserId)).Translate([System.Security.Principal.NTAccount])}}, \r\n",
90+
"Message | Format-Table -AutoSize -Wrap"
91+
],
92+
"metadata": {
93+
"azdata_cell_guid": "7ae2cf02-07a8-4cf9-9b7e-d13f428a9276"
94+
},
95+
"outputs": [],
96+
"execution_count": null
97+
},
98+
{
99+
"cell_type": "markdown",
100+
"source": [
101+
"## Exporting it to Excel\r\n",
102+
"\r\n",
103+
"If you wish to export the results to Excel for analysis, you can use the ImportExcel module and the code below. Again, you will need to update the Computer name, Windows Event Log names and time as before"
104+
],
105+
"metadata": {
106+
"azdata_cell_guid": "65acdf4d-7db7-4a94-9a35-46b15ef80b2b"
107+
}
108+
},
109+
{
110+
"cell_type": "code",
111+
"source": [
112+
"$computerName = '' ## Add the computername here\r\n",
113+
"$issueDateTime = get-date('2020-07-31 21:30') ## Add the date and time you are interested in here in the format 'yyyy-MM-dd HH:mm'\r\n",
114+
"$windowMins = 30 ## The number of minutes before and after the issue date time to gather information for\r\n",
115+
"$lognames = 'system','application' ## The log names you wish to interogate\r\n",
116+
"$filepath = 'C:\\temp\\' # path to folder for the Excel workbook\r\n",
117+
"\r\n",
118+
"$winEventFilterHash = @{\r\n",
119+
" LogName = 'system','application'\r\n",
120+
" StartTime = $issueDateTime.AddMinutes(-($windowMins/2))\r\n",
121+
" EndTime = $issueDateTime.AddMinutes(($windowMins/2))\r\n",
122+
"}\r\n",
123+
"\r\n",
124+
"$issueDateTimeexcel = Get-Date($issueDateTime) -Format 'yyyy-MM-dd_HH_MM'\r\n",
125+
"\r\n",
126+
"$Worksheetname = $computerName.split('.')[0] + '_' + $issueDateTimeexcel\r\n",
127+
"$filepath = $filepath + $WorksheetName + '.xlsx'\r\n",
128+
"Get-WinEvent -FilterHashtable $winEventFilterHash -ComputerName $computerName | Select-Object LogName,\r\n",
129+
"ProviderName,\r\n",
130+
"TimeCreated,\r\n",
131+
"Id,\r\n",
132+
"LevelDisplayName,\r\n",
133+
"@{l='UserName';e={(New-Object System.Security.Principal.SecurityIdentifier($_.UserId)).Translate([System.Security.Principal.NTAccount])}}, \r\n",
134+
"Message | Export-Excel -Path $filepath -FreezeTopRow -AutoSize -AutoFilter -WorksheetName $Worksheetname -BoldTopRow \r\n",
135+
"\r\n",
136+
"Invoke-Item $filepath"
137+
],
138+
"metadata": {
139+
"azdata_cell_guid": "adcf18fd-d4cc-449f-b970-633ed83ab815"
140+
},
141+
"outputs": [
142+
{
143+
"output_type": "stream",
144+
"name": "stdout",
145+
"text": ""
146+
}
147+
],
148+
"execution_count": 4
149+
}
150+
]
151+
}
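Review bot: the worksheet and file name built in the Excel cell, `$issueDateTimeexcel = Get-Date($issueDateTime) -Format 'yyyy-MM-dd_HH_MM'` (diff line 124), uses `MM`, which is the month, where the minutes are intended; with the default `2020-07-31 21:30` the name becomes `2020-07-31_21_07`, and two collections in the same hour on the same day would collide on one workbook and worksheet. Change the format to `'yyyy-MM-dd_HH_mm'`. In the same cell, `LogName = 'system','application'` (line 119) is hardcoded, so the `$lognames` variable declared at line 115 is dead and the user's edit is silently ignored, even though the markdown at line 103 tells them to update the log names; use `LogName = $lognames` as the cell above already does. The `$windowMins` comment ("number of minutes before and after the issue date time", lines 66 and 114) disagrees with the arithmetic at lines 71 to 72 and 120 to 121, which halve it, so 30 gives 15 minutes either side; either drop the `/2` or reword the comment. The `UserName` calculated property at lines 89 and 133 constructs a `SecurityIdentifier` from `$_.UserId`, which is null for many System and Application records, and `Translate` runs the SID lookup on the querying machine rather than on `$computerName`, so a local account SID from the server cannot be resolved; guard it with `if ($_.UserId) { try { $_.UserId.Translate([System.Security.Principal.NTAccount]).Value } catch { $_.UserId.Value } }` so one unresolvable record does not break the column. Two practitioner caveats worth a sentence in the markdown: `-ComputerName` queries the remote Event Log service under the caller's own credentials, so if `$lognames` is extended to `Security` the account needs local administrator or Event Log Readers membership on the target, and both `StartTime`/`EndTime` and the returned `TimeCreated` are expressed in the querying machine's local time zone, so an issue time reported in the server's zone must be converted first or the window lands in the wrong place. Finally, the Excel cell's `outputs` (lines 141 to 148) and `execution_count: 4` are residue from a local run; clear outputs before committing so the notebook does not carry stale state.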
@@ -0,0 +1,147 @@
1+
{
2+
"metadata": {
3+
"kernelspec": {
4+
"name": ".net-powershell",
5+
"display_name": ".NET (PowerShell)"
6+
},
7+
"language_info": {
8+
"name": "PowerShell",
9+
"version": "7.0",
10+
"mimetype": "text/x-powershell",
11+
"file_extension": ".ps1",
12+
"pygments_lexer": "powershell"
13+
}
14+
},
15+
"nbformat_minor": 2,
16+
"nbformat": 4,
17+
"cells": [
18+
{
19+
"cell_type": "markdown",
20+
"source": [
21+
"\r\n",
22+
"# Gathering information about a server from the Windows Event logs for a particular time\r\n",
23+
"\r\n",
24+
"Jess Pomfret has written a great blog about how you can use PowerShell to gather the Windows Event logs from a server for a particular period of time\r\n",
25+
"\r\n",
26+
"[https://jesspomfret.com/get-winevent/](https://jesspomfret.com/get-winevent/)\r\n",
27+
"\r\n",
28+
"## Choosing the logs that you want to investigate\r\n",
29+
"\r\n",
30+
"You might choose to just start with the system and application event logs, in which case, skip the next block, but if you wish to dig further, you will need to know the names of the logs. You can find the list of Windows Event Logs with records on a server with the code below. It will pop-up in a seperate window which will probably be hidden but you will see the flashing PowerShell Icon in the taskbar.\r\n",
31+
"\r\n",
32+
"You can search in the out-gridview box in the top bar to filter. It will take a couple minutes to run.\r\n",
33+
"\r\n",
34+
""
35+
],
36+
"metadata": {
37+
"azdata_cell_guid": "8efeb292-9e20-49a0-b007-71c979e4cebe"
38+
}
39+
},
40+
{
41+
"cell_type": "code",
42+
"source": [
43+
"$computerName = ''\r\n",
44+
"Get-WinEvent -ListLog * -ComputerName $computerName | \r\n",
45+
"Where-Object RecordCount | \r\n",
46+
"Out-GridView"
47+
],
48+
"metadata": {
49+
"azdata_cell_guid": "2211a8aa-4c75-4baf-b87c-ea91c0db2b06"
50+
},
51+
"outputs": [],
52+
"execution_count": null
53+
},
54+
{
55+
"cell_type": "markdown",
56+
"source": [
57+
"Once you have decided which logs to interogate , you can add the computer name, the date and time you wish to investigate and the window in minutes. This will search before and after the time, you specify"
58+
],
59+
"metadata": {
60+
"azdata_cell_guid": "4fd53a5e-9c27-4efe-b5b1-509147355a0f"
61+
}
62+
},
63+
{
64+
"cell_type": "code",
65+
"source": [
66+
"$computerName = '' ## Add the computername here\r\n",
67+
"$issueDateTime = get-date('2020-07-31 21:30') ## Add the date and time you are interested in here in the format 'yyyy-MM-dd HH:mm'\r\n",
68+
"$windowMins = 30 ## The number of minutes before and after the issue date time to gather information for\r\n",
69+
"$lognames = 'system','application' ## The log names you wish to interogate\r\n",
70+
"\r\n",
71+
"$winEventFilterHash = @{\r\n",
72+
" LogName = $lognames\r\n",
73+
" StartTime = $issueDateTime.AddMinutes(-($windowMins/2))\r\n",
74+
" EndTime = $issueDateTime.AddMinutes(($windowMins/2))\r\n",
75+
"}\r\n",
76+
"\r\n",
77+
"# Run this first to make sure output width does not mess with output - Update output buffer size to prevent clipping in Visual Studio Code output window.\r\n",
78+
"if( $Host -and $Host.UI -and $Host.UI.RawUI ) {\r\n",
79+
" $rawUI = $Host.UI.RawUI\r\n",
80+
" $oldSize = $rawUI.BufferSize\r\n",
81+
" $typeName = $oldSize.GetType( ).FullName\r\n",
82+
" $newSize = New-Object $typeName (500, $oldSize.Height)\r\n",
83+
" $rawUI.BufferSize = $newSize\r\n",
84+
" }\r\n",
85+
"\r\n",
86+
"Get-WinEvent -FilterHashtable $winEventFilterHash -ComputerName $computerName | Select-Object LogName,\r\n",
87+
"ProviderName,\r\n",
88+
"TimeCreated,\r\n",
89+
"Id,\r\n",
90+
"LevelDisplayName,\r\n",
91+
"@{l='UserName';e={(New-Object System.Security.Principal.SecurityIdentifier($_.UserId)).Translate([System.Security.Principal.NTAccount])}}, \r\n",
92+
"Message | Format-Table -AutoSize -Wrap"
93+
],
94+
"metadata": {
95+
"azdata_cell_guid": "b447de7e-3c33-4215-935e-d0a21b490318"
96+
},
97+
"outputs": [],
98+
"execution_count": null
99+
},
100+
{
101+
"cell_type": "markdown",
102+
"source": [
103+
"## Exporting it to Excel\r\n",
104+
"\r\n",
105+
"If you wish to export the results to Excel for analysis, you can use the ImportExcel module and the code below. Again, you will need to update the Computer name, Windows Event Log names and time as before"
106+
],
107+
"metadata": {
108+
"azdata_cell_guid": "fbd43641-6b29-4ea7-9dd0-6e4da626b316"
109+
}
110+
},
111+
{
112+
"cell_type": "code",
113+
"source": [
114+
"$computerName = '' ## Add the computername here\r\n",
115+
"$issueDateTime = get-date('2020-07-31 21:30') ## Add the date and time you are interested in here in the format 'yyyy-MM-dd HH:mm'\r\n",
116+
"$windowMins = 30 ## The number of minutes before and after the issue date time to gather information for\r\n",
117+
"$lognames = 'system','application' ## The log names you wish to interogate\r\n",
118+
"$filepath = 'C:\\temp\\' # path to folder for the Excel workbook\r\n",
119+
"\r\n",
120+
"$winEventFilterHash = @{\r\n",
121+
" LogName = 'system','application'\r\n",
122+
" StartTime = $issueDateTime.AddMinutes(-($windowMins/2))\r\n",
123+
" EndTime = $issueDateTime.AddMinutes(($windowMins/2))\r\n",
124+
"}\r\n",
125+
"\r\n",
126+
"$issueDateTimeexcel = Get-Date($issueDateTime) -Format 'yyyy-MM-dd_HH_MM'\r\n",
127+
"\r\n",
128+
"$Worksheetname = $computerName.split('.')[0] + '_' + $issueDateTimeexcel\r\n",
129+
"$filepath = $filepath + $WorksheetName + '.xlsx'\r\n",
130+
"Get-WinEvent -FilterHashtable $winEventFilterHash -ComputerName $computerName | Select-Object LogName,\r\n",
131+
"ProviderName,\r\n",
132+
"TimeCreated,\r\n",
133+
"Id,\r\n",
134+
"LevelDisplayName,\r\n",
135+
"@{l='UserName';e={(New-Object System.Security.Principal.SecurityIdentifier($_.UserId)).Translate([System.Security.Principal.NTAccount])}}, \r\n",
136+
"Message | Export-Excel -Path $filepath -FreezeTopRow -AutoSize -AutoFilter -WorksheetName $Worksheetname -BoldTopRow \r\n",
137+
"\r\n",
138+
"Invoke-Item $filepath"
139+
],
140+
"metadata": {
141+
"azdata_cell_guid": "565e09c6-d9dd-4234-9b31-813cc2863e8e"
142+
},
143+
"outputs": [],
144+
"execution_count": null
145+
}
146+
]
147+
}
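Review bot: this notebook targets the `.net-powershell` kernel with `language_info.version` `7.0` (lines 4 to 9), but the first code cell pipes to `Out-GridView` (line 46), which is not shipped with PowerShell 7 and requires the separate Microsoft.PowerShell.GraphicalTools module; in a .NET Interactive notebook the cell will fail rather than "pop up in a separate window" as the markdown at line 30 promises. Either note the module requirement or replace the grid with `Sort-Object RecordCount -Descending | Select-Object LogName, RecordCount` so the list renders inline. The `$Host.UI.RawUI.BufferSize` block at lines 78 to 84 is written for a console host and, although the `if` guards against a missing `RawUI`, the assignment should also be wrapped in `try`/`catch` for hosts that expose `RawUI` without supporting resizing. `Get-WinEvent` itself is Windows-only in PowerShell 7, so the cross-platform kernel does not make this notebook runnable from a Linux or macOS client; say so in the introduction. The cell bodies are otherwise identical to the first file, so the same defects apply here and need fixing in both places: the `'yyyy-MM-dd_HH_MM'` format string at line 126 (month where minutes are meant, use `mm`), the hardcoded `LogName = 'system','application'` at line 121 that ignores `$lognames` from line 117, the `$windowMins` comment that contradicts the `/2` at lines 73 to 74 and 122 to 123, and the unguarded `SecurityIdentifier` construction on a possibly null `$_.UserId` at lines 91 and 135. Consider moving the shared script into one `.ps1` that both notebooks dot-source so a fix does not have to be applied twice.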
