Windows Vista Forums

remote event query with excludeable eventID
  1. #1


    Imre Mihaly Guest

    remote event query with excludeable eventID

    Hello,

    I am working on a little script which is remotely collecting the Exchange-related error events from the application log from the last 24 hours. There are many ignorable events that I would like to exclude from the report; here it is:

    $date = get-date
    $yesterday = $date.adddays(-1).toshortdatestring()
    $IgnoreableEvents = (2,3,4,8,16,49,290,512,513,786,788,794,1001,1013,1016,1022,1025,1029,1077,1078,1084,1085,1100,1101,1106,1111,1123,1173,1194,1202,1211,1233,1233,2006,2028,2035,2035,3005,4098,4099,4879,5008,7200,8195,8196,8206,8217,8230,8260,8263,8507,8528,9152,9318,9320,9323,9325,9327,9524,9548,9551,9554,9562,9582,9582,9646,9660,9665,9665,9671,9877,12003,21207,57476)

    Get-WmiObject win32_ntlogevent -ComputerName "servername" -filter "logfile = 'application' and type <> 'information' and (sourcename like '%exch%') and (timegenerated >= '$yesterday')" | Group-Object eventcode | select count,name | ft -auto

    My first question is: how can I achieve this with minimum effort? I think there is a faster way to do it than listing all events with logical OR statements.
    My next problem is that this script runs for about 7-8 minutes for one server. Is there any way to speed it up?

    Thank you for your help!



    Chris Padilla wrote:

    get remote eventlog with servers.txt as input
    24-Apr-09

    I'd like to use servers.txt as my input. I know there is something like
    get-file servers.txt |

    and then use the data from that but, I am not sure how.

    Sorry for being such a noob.

    Previous Posts In This Thread:

    On Wednesday, February 14, 2007 8:06 AM
    Sanders wrote:

    get eventlog remote and newest
    Hi,
    I've got a problem with collecting events from remote computers via
    PowerShell.
    If I try
    get-eventlog -log "Application" -newest 3
    it works fast, but no machine option is available

    On the other hand, if i try this:
    $logs=[System.Diagnostics.EventLog]::GetEventLogs("machinename")
    Foreach ($log in $logs) {
    $fail = $log.Entries | where... 'in the last 30mins for example'
    }
    I've got the data, but slow as hell and the cpu is on about 50% for 2
    minutes
    Is there any way to implement the 'newest' switch to the second code?

    thanks

    On Wednesday, February 14, 2007 8:43 AM
    /\\/\\o\\/\\/ [MVP] wrote:

    Re: get eventlog remote and newest
    $logs=[System.Diagnostics.EventLog]::GetEventlogs("machinename")
    $app = $logs |? {$_.log -eq 'Application'}
    $app.Entries[1..3]

    Greetings /\/\o\/\/

    On Wednesday, February 14, 2007 8:49 AM
    /\\/\\o\\/\\/ [MVP] wrote:

    Re: get eventlog remote and newest
    Oops that was Oldest ;-)

    for newest :

    $app.Entries[($app.Entries.count -1)..($app.Entries.count -3)]

    Greetings /\/\o\/\/

    On Wednesday, February 14, 2007 8:56 AM
    Brandon Shell wrote:

    if you want just the last 10 you do
    foreach($log in $logs){$log.entries | Select-Object -Last 10}

    but I don't think that is gonna speed it up at all... It may still have to
    parse the whole thing.

    --
    Brandon Shell
    ---------------
    Stop by my blog some time
    http://www.bsonposh.com/
    Try the "Search of Powershell Blogs"
    --------------------------------------
    "Sanders" <sanders@newsgroup> wrote in message
    news:1171458419.457564.195960@newsgroup

    On Wednesday, February 14, 2007 10:09 AM
    Keith Hill wrote:

    Re: get eventlog remote and newest
    Or slightly easier:

    $app.Entries[-3..-1]

    --
    Keith

    On Thursday, February 15, 2007 4:59 AM
    Sanders wrote:

    Re: get eventlog remote and newest
    On Feb 14, 2:49 pm, "/\\/\\o\\/\\/ [MVP]" <mow...@newsgroup>
    wrote:

    Wow, Thank you /\/\o\/\/!

    It works just fine, and fast as lightning.

    The $app.Entries[-3..-1] didn't work for me

    The
    foreach($log in $logs){$log.entries | Select-Object -Last 10}
    worked, but as suggested, slow, like my original version.

    Thanks for all the replies!

    On Thursday, February 15, 2007 10:36 PM
    Keith Hill wrote:

    Re: get eventlog remote and newest
    Curious, this works when using Get-EventLog:

    $app = Get-EventLog -LogName Application
    $app[-3..-1]

    --
    Keith


  2. #2


    Marco Shaw [MVP] Guest

    Re: remote event query with excludeable eventID

    I've not looked at this in detail.

    Retrieving remote event logs is a slow process.

    Do you have PowerShell v2 available? Get-EventLog has a new -After
    parameter that may speed up the retrieval of the logs in the last 24 hours.

    Now, in contrast, you have an exclusion list that you may only be able to
    use with Get-WmiObject's -Filter parameter.

    OK, so I've not given you a whole lot of useful information, but you do have
    an interesting case where one may have to try a few different things to see
    which method may be the quickest. I may not be able to help you myself
    until next week.

    Marco

    "Imre Mihaly" wrote in message news:20104615252mihaly.imre@newsgroup

    > Hello,
    >
    > I am working on a little script which is remotely collecting the
    > Exchange-related error events from the application log from the last 24
    > hours. There are many ignorable events that I would like to exclude from
    > the report; here it is:
    >
    > $date = get-date
    > $yesterday = $date.adddays(-1).toshortdatestring()
    > $IgnoreableEvents =
    > (2,3,4,8,16,49,290,512,513,786,788,794,1001,1013,1016,1022,1025,1029,1077,1078,1084,1085,1100,1101,1106,1111,1123,1173,1194,1202,1211,1233,1233,2006,2028,2035,2035,3005,4098,4099,4879,5008,7200,8195,8196,8206,8217,8230,8260,8263,8507,8528,9152,9318,9320,9323,9325,9327,9524,9548,9551,9554,9562,9582,9582,9646,9660,9665,9665,9671,9877,12003,21207,57476)
    >
    > Get-WmiObject win32_ntlogevent -ComputerName "servername" -filter "logfile
    > = 'application' and type <> 'information' and (sourcename like '%exch%')
    > and (timegenerated >= '$yesterday')" | Group-Object eventcode | select
    > count,name | ft -auto
    >
    > My first question is: how can I achieve this with minimum effort? I
    > think there is a faster way to do it than listing all events with
    > logical OR statements.
    > My next problem is that this script runs for about 7-8 minutes for one
    > server. Is there any way to speed it up?
    >
    > Thank you for your help!

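An added example, not code from any poster in this thread: one way to combine the points raised above, keeping the log, source, type and time predicates in the Get-WmiObject filter and dropping the ignorable event IDs in the pipeline, since WQL has no IN operator. The function name `Get-ExchangeEventSummary` and its parameters are hypothetical, the default target is the local computer, and `servers.txt` is assumed to hold one host name per line.

```powershell
# Added example (not from the thread). Windows PowerShell; function name is hypothetical.
function Get-ExchangeEventSummary {
    param(
        [Parameter(ValueFromPipeline = $true)]
        [string[]] $ComputerName = $env:COMPUTERNAME,   # assumption: local host by default
        [int[]]    $ExcludeEventCode = @(),
        [datetime] $Since = (Get-Date).AddDays(-1)
    )
    begin {
        # WQL compares TimeGenerated against a DMTF datetime string; converting
        # explicitly avoids depending on the locale's short date format.
        $dmtf   = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($Since)
        $filter = "LogFile = 'Application' AND Type <> 'information' " +
                  "AND SourceName LIKE '%exch%' AND TimeGenerated >= '$dmtf'"
        # Hashtable of IDs to drop: one lookup per event instead of a chain of comparisons.
        $skip = @{}
        foreach ($id in $ExcludeEventCode) { $skip[$id] = $true }
    }
    process {
        foreach ($computer in $ComputerName) {
            $computer = "$computer".Trim()
            if (-not $computer) { continue }             # skip blank lines from servers.txt
            try {
                # -Filter is evaluated by WMI on the target; -Property limits what is sent back.
                Get-WmiObject -Class Win32_NTLogEvent -ComputerName $computer `
                        -Filter $filter -Property EventCode -ErrorAction Stop |
                    Where-Object { -not $skip.ContainsKey([int]$_.EventCode) } |
                    Group-Object -Property EventCode |
                    Select-Object @{ n = 'Computer'; e = { $computer } }, Count,
                                  @{ n = 'EventCode'; e = { $_.Name } }
            } catch {
                # An unreachable or access-denied host should not stop the whole run.
                Write-Warning "${computer}: $($_.Exception.Message)"
            }
        }
    }
}

# Constructed sample: the first few IDs from the exclusion list in post #1.
$ignore = 2, 3, 4, 8, 16, 49
Get-ExchangeEventSummary -ExcludeEventCode $ignore | Format-Table -AutoSize
# With a host list, one name per line:
#   Get-Content servers.txt | Get-ExchangeEventSummary -ExcludeEventCode $ignore
```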