Eventlogs: Difference between revisions

From Wiki-WebPerfect
(13 intermediate revisions by the same user not shown)
Line 7: Line 7:
 
==== Beispiel ''Microsoft-Windows-Hyper-V-VMMS'' EventLogs ====
 
==== Beispiel ''Microsoft-Windows-Hyper-V-VMMS'' EventLogs ====
 
<source lang="powershell">Get-WinEvent -ComputerName <Hostname> -ProviderName 'Microsoft-Windows-Hyper-V-VMMS' -MaxEvents 10 | ft -Property TimeCreated, MachineName, Id, LevelDisplayName, Message</source>
 
<source lang="powershell">Get-WinEvent -ComputerName <Hostname> -ProviderName 'Microsoft-Windows-Hyper-V-VMMS' -MaxEvents 10 | ft -Property TimeCreated, MachineName, Id, LevelDisplayName, Message</source>
 +
 +
=== Eventlogs mit WMI abfragen ===
 +
<source lang="powershell"> Get-WmiObject Win32_NTLogEvent -Filter "LogFile='System' AND EventCode=7036" -ComputerName <Hostname> </source>
 +
  
  
 
== Beispiele / Tipps ==
 
== Beispiele / Tipps ==
 
=== Eventlogs auf bestimmte EventIDs durchsuchen ===
 
=== Eventlogs auf bestimmte EventIDs durchsuchen ===
<source lang="powershell"> Get-EventLog -LogName System -ComputerName FPPW7406 -InstanceId 5121 </source>
+
<source lang="powershell"> Get-EventLog -LogName System -ComputerName <Hostname> -InstanceId <EventID> </source>
 
oder
 
oder
 
<source lang="powershell"> Get-EventLog -LogName System -ComputerName <Hostname> | ? {$_.EventID -eq <EventID>} </source>
 
<source lang="powershell"> Get-EventLog -LogName System -ComputerName <Hostname> | ? {$_.EventID -eq <EventID>} </source>
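Review bot: the query in the new "Eventlogs mit WMI abfragen" section uses Get-WmiObject, the legacy DCOM-based cmdlet (deprecated since PowerShell 3.0 and not available in PowerShell 7); the same filter works unchanged with `Get-CimInstance Win32_NTLogEvent -Filter "LogFile='System' AND EventCode=7036" -ComputerName <Hostname>`, which goes over WinRM and is the supported path. Replacing the concrete host FPPW7406 with the <Hostname> placeholder is the right fix; one caveat worth adding next to it is that Get-EventLog's -InstanceId is the full 32-bit instance identifier, not the 16-bit EventID, so for some sources the two differ and the second variant with `$_.EventID -eq <EventID>` is the more reliable one.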
Line 18: Line 22:
 
<source lang="powershell">Get-WinEvent -ComputerName <Hostname> -ProviderName 'Microsoft-Windows-Hyper-V-VMMS' | ? {$_.LevelDisplayName -eq "Error"} | ? {$_.TimeCreated -ge ((get-date).AddDays(-2))}</source>
 
<source lang="powershell">Get-WinEvent -ComputerName <Hostname> -ProviderName 'Microsoft-Windows-Hyper-V-VMMS' | ? {$_.LevelDisplayName -eq "Error"} | ? {$_.TimeCreated -ge ((get-date).AddDays(-2))}</source>
  
==== Eventlog mittels HashTable filtern ====
+
==== Eventlog mittels HashTable filtern (performanter) der letzten drei Tage ====
<source lang="powershell">Get-WinEvent -FilterHashTable @{LogName ="Microsoft-Windows-Hyper-V-VMMS-Admin"} | ? {$_.LevelDisplayName -eq "Error"} | ? {$_.TimeCreated -ge ((get-date).AddDays(-2))}</source>
+
<source lang="powershell">
 +
Get-WinEvent -ComputerName <Hostname> -FilterHashtable @{LogName = "Microsoft-Windows-Hyper-V-VMMS-Admin"; ID = 16000; StartTime = ((Get-Date).AddDays(-3)); EndTime = (Get-Date)}
 +
</source>
  
 
==== Eventlog-Eintrag erstellen (Dummy) ====
 
==== Eventlog-Eintrag erstellen (Dummy) ====
 
<source lang="powershell">Write-EventLog –LogName System –Source “Microsoft-Windows-FailoverClustering” –EntryType Information –EventID 5121 -message "Manual"</source>
 
<source lang="powershell">Write-EventLog –LogName System –Source “Microsoft-Windows-FailoverClustering” –EntryType Information –EventID 5121 -message "Manual"</source>
  
 +
==== Eventlog-Limit mit wevtutil erhöhen (Microsoft-Windows-Hyper-V-VMMS-Admin auf 100MB erhöhen) ====
 +
wevtutil sl /ms:104857600 /e:true Microsoft-Windows-Hyper-V-VMMS-Admin
 +
 +
==== Alle Eventlogs (inklusiv "Applications and Services Logs") ====
 +
<source lang="powershell">(Get-WinEvent -ListLog *).LogName | foreach {Get-WinEvent -LogName $_} </source>
 +
 +
==== Eventlog Provider Tasks "Informationen/Beschreibung" ====
 +
<source lang="powershell">(Get-WinEvent -ListProvider <Eventlogprovider-Name>).Tasks </source>
 +
 +
==== Hyper-V nach LiveMigrationen einer bestimmten VM durchsuchen ====
 +
<source lang="powershell">Get-WinEvent -FilterHashtable @{LogName="Microsoft-Windows-FailoverClustering/Operational";ID=1641} -ComputerName <Hyper-V-Hostname> | ? {$_.Message -match "<VM-Name>"} </source>
  
 +
==== Eventlog mittels XPath filtern (Filter: System, EventID 1 in den letzten 24h (in ms))====
 +
<source lang="powershell">Get-WinEvent -LogName System -FilterXPath "*[System[EventID=1 and TimeCreated[timediff(@SystemTime) <= 86400000]]]"</source>
 +
*[https://blogs.technet.microsoft.com/heyscriptingguy/2014/06/06/understanding-xml-and-xpath/ More Information]
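Review bot: the live-migration search added in this hunk hands the VM name to -match, which treats it as a regular expression, so a name containing "." or "(" either matches too loosely (SQL-DB.01 also matches SQL-DB101) or throws a pattern error; use `$_.Message -match [regex]::Escape("<VM-Name>")` or `-like "*<VM-Name>*"` instead. Two smaller points: the new "Alle Eventlogs" one-liner prints a "No events were found" error for every empty or inaccessible log, so `Get-WinEvent -LogName $_ -ErrorAction SilentlyContinue` inside the foreach keeps the output usable; and the wevtutil line is the only command in the section not wrapped in a <source> tag, so it renders differently from the rest of the page.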
  
  

Current revision as of 11 January 2019, 11:30

=== Standard event logs (Windows Logs) ===

==== Show the last 10 Application event log entries ====

<source lang="powershell">Get-EventLog -Newest 10 -LogName "Application"</source>

=== Special event logs (Applications and Services Logs) ===

==== Example: ''Microsoft-Windows-Hyper-V-VMMS'' event logs ====

<source lang="powershell">Get-WinEvent -ComputerName <Hostname> -ProviderName 'Microsoft-Windows-Hyper-V-VMMS' -MaxEvents 10 | ft -Property TimeCreated, MachineName, Id, LevelDisplayName, Message</source>

=== Querying event logs with WMI ===

<source lang="powershell">Get-WmiObject Win32_NTLogEvent -Filter "LogFile='System' AND EventCode=7036" -ComputerName <Hostname></source>

== Examples / Tips ==

=== Searching event logs for specific event IDs ===

<source lang="powershell">Get-EventLog -LogName System -ComputerName <Hostname> -InstanceId <EventID></source>

or

<source lang="powershell">Get-EventLog -LogName System -ComputerName <Hostname> | ? {$_.EventID -eq <EventID>}</source>

==== Example: ''Microsoft-Windows-Hyper-V-VMMS'' event logs of the last two days ====

<source lang="powershell">Get-WinEvent -ComputerName <Hostname> -ProviderName 'Microsoft-Windows-Hyper-V-VMMS' | ? {$_.LevelDisplayName -eq "Error"} | ? {$_.TimeCreated -ge ((get-date).AddDays(-2))}</source>

==== Filtering an event log with a hash table (faster) for the last three days ====

<source lang="powershell">Get-WinEvent -ComputerName <Hostname> -FilterHashtable @{LogName = "Microsoft-Windows-Hyper-V-VMMS-Admin"; ID = 16000; StartTime = ((Get-Date).AddDays(-3)); EndTime = (Get-Date)}</source>

==== Creating a (dummy) event log entry ====

<source lang="powershell">Write-EventLog -LogName System -Source "Microsoft-Windows-FailoverClustering" -EntryType Information -EventID 5121 -Message "Manual"</source>

==== Raising the event log size limit with wevtutil (Microsoft-Windows-Hyper-V-VMMS-Admin to 100 MB) ====

<source lang="powershell">wevtutil sl /ms:104857600 /e:true Microsoft-Windows-Hyper-V-VMMS-Admin</source>

==== All event logs (including "Applications and Services Logs") ====

<source lang="powershell">(Get-WinEvent -ListLog *).LogName | foreach {Get-WinEvent -LogName $_}</source>

==== Event log provider tasks ("information/description") ====

<source lang="powershell">(Get-WinEvent -ListProvider <Eventlogprovider-Name>).Tasks</source>

==== Searching Hyper-V for live migrations of a specific VM ====

<source lang="powershell">Get-WinEvent -FilterHashtable @{LogName="Microsoft-Windows-FailoverClustering/Operational";ID=1641} -ComputerName <Hyper-V-Hostname> | ? {$_.Message -match "<VM-Name>"}</source>

==== Filtering an event log with XPath (filter: System, event ID 1 in the last 24 h, given in ms) ====

<source lang="powershell">Get-WinEvent -LogName System -FilterXPath "*[System[EventID=1 and TimeCreated[timediff(@SystemTime) <= 86400000]]]"</source>
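A reusable form of the XPath and live-migration queries above, added here as an example and not taken from the original wiki page: it converts hours into the milliseconds that timediff() expects, accepts several event IDs, and escapes the VM name before the -match so regex metacharacters in a name do not widen or break the filter. The function name is my own; the host and VM name in the usage call are placeholders.

```powershell
function Get-RecentEvents {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $LogName,
        [Parameter(Mandatory)] [int[]]  $EventId,
        [int]    $Hours = 24,
        [string] $ComputerName = $env:COMPUTERNAME,
        [string] $MessagePattern
    )

    # timediff(@SystemTime) in the event log XPath dialect counts milliseconds
    $ms = [int64]$Hours * 3600 * 1000

    # builds "(EventID=1641 or EventID=1642)" from the list of IDs
    $idFilter = ($EventId | ForEach-Object { "EventID=$_" }) -join ' or '
    $xpath = "*[System[($idFilter) and TimeCreated[timediff(@SystemTime) <= $ms]]]"

    $query = @{
        LogName      = $LogName
        FilterXPath  = $xpath
        ComputerName = $ComputerName
        # Get-WinEvent reports "No events were found" as an error; treat it as an empty result
        ErrorAction  = 'SilentlyContinue'
    }
    $events = Get-WinEvent @query

    if ($MessagePattern) {
        # -match takes a regex; escape the literal name so "." or "(" in it keep their plain meaning
        $escaped = [regex]::Escape($MessagePattern)
        $events = $events | Where-Object { $_.Message -match $escaped }
    }

    $events | Select-Object TimeCreated, MachineName, Id, LevelDisplayName, Message
}

# Usage (placeholders): live migrations (cluster event 1641, as on this page) of VM <VM-Name>
# on <Hyper-V-Hostname> during the last three days
Get-RecentEvents -LogName 'Microsoft-Windows-FailoverClustering/Operational' -EventId 1641 `
    -Hours 72 -ComputerName '<Hyper-V-Hostname>' -MessagePattern '<VM-Name>'
```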