#___ ___ _____ ___
#| _ \ _ \_ _/ __|
#| _/ / | || (_ |
#|_| |_|_\ |_| \___|
# NETWORK MONITOR
#-------------------
#(c) 2014 Stephan Linke, Paessler AG
<#
.SYNOPSIS
Reads the Windows event log and filters for the specified events.
.DESCRIPTION
This custom sensor for PRTG reads the given event log and searches it for the
defined events. It can also raise an error state if the last event found has a
certain ID or message.
.PARAMETER ComputerName
The computer whose event log you want to check
.PARAMETER Channel
The log name that is used by the application
.PARAMETER ProviderName
The application that you want to watch
.PARAMETER EventID
The event IDs you want to filter. Separate multiple IDs with commas
.PARAMETER WarningEvents
The event IDs that raise a warning when found. These IDs also have to be included in EventID
.PARAMETER ErrorEvents
The event IDs that raise an error when found. These IDs also have to be included in EventID
.PARAMETER Levels
The log levels you want to include in the search
.PARAMETER MaxAge
The maximum age of the log entries to include, in hours
.PARAMETER KeyWords
Only search log entries with these keywords
.PARAMETER LimitEntries
Maximum number of log entries to be checked (order is new -> old)
.PARAMETER StateBasedOnLastEventID
If this parameter is set, the sensor's warning or error state is not decided by the sheer number of events,
but only by the event ID of the last entry found. This is useful for RAID controllers, etc.
.PARAMETER StateBasedOnLastMessage
If this parameter is set, the sensor's warning or error state is not decided by the sheer number of events,
but only by the message of the last entry found. This is useful if messages have the same event ID for errors and information events.
.PARAMETER Username
The username the script uses to build the credential object, e.g. -Username "domain\username"
.PARAMETER Password
The password the script uses to build the credential object, e.g. -Password 'yourpass'
.OUTPUTS
<number of entries found>:<entries> found in the event log. Last message: <last entry message>
.EXAMPLE
C:\PS> .\Get-Events.ps1 -ComputerName %host -Username "%windowsdomain\%windowsuser" -Password "%windowspassword" -ProviderName "Microsoft-Windows-Immersive-Shell" -Channel "Microsoft-Windows-TWinUI/Operational" -LimitEntries 1 -MaxAge 1 -EventID 1719 -Level 4
.EXAMPLE
C:\PS> .\Get-Events.ps1 -ComputerName %host -Username "%windowsdomain\%windowsuser" -Password "%windowspassword" -ProviderName "Microsoft-Windows-Immersive-Shell" -Channel "Microsoft-Windows-TWinUI/Operational" -LimitEntries 1 -MaxAge 1 -EventID 1719 -Level 4 -StateBasedOnLastEventID
#>
- param(
- [string]$ComputerName = "localhost",
- [string[]]$Channel = @("Application"),
- [string[]]$ProviderName = @("Microsoft-Windows-User Profiles Service"),
- [int[]]$EventID = @(1530),
- [int[]]$WarningEvents = @(),
- [int[]]$ErrorEvents = @(),
- [string[]]$ErrorStrings = @(),
- [string[]]$WarningStrings = @(),
- [int[]]$Levels = @(4),
- [float]$MaxAge = 20,
- [int]$LimitEntries = 10,
- # fake credentials, in case we run at localhost.
- [string]$Username = '',
- [string]$Password = '',
- [switch]$AlwaysShowMessage,
- [switch]$StateBasedOnLastMessage,
- [switch]$StateBasedOnLastEventID
- )
- [System.Threading.Thread]::CurrentThread.CurrentCulture = New-Object "System.Globalization.CultureInfo" "en-US"
- $ExitCode = 0
- $Message = ""
- # This will create the credential
- # object that is used to get the events
- #######################################
- function createCredentials(){
- if((($env:COMPUTERNAME) -ne $ComputerName)){
- # Generate Credentials Object first
- $SecPasswd = ConvertTo-SecureString $Password -AsPlainText -Force
- $Credentials= New-Object System.Management.Automation.PSCredential ($Username, $secpasswd)
- return $Credentials
- }
- else{ return "false" }
- }
- # This will retrieve the event log entries
- # based on channel, provider and events ID.
- #######################################
- function readEventLog(){
- $Credentials = (createCredentials);
- $EventFilter = @{
- ProviderName=$ProviderName;
- LogName=$Channel;
- ID=$EventID;
- Level=$Levels;
- StartTime=(get-date).AddHours(-$MaxAge)
- }
- try{
- if($Credentials -ne "false"){ $Events = (Get-WinEvent -ComputerName $ComputerName -FilterHashTable $EventFilter -MaxEvents $LimitEntries -Credential $Credentials -EA silentlycontinue) }
- else{ $Events = (Get-WinEvent -ComputerName $ComputerName -FilterHashTable $EventFilter -MaxEvents $LimitEntries -EA silentlycontinue) }
- return $Events;
- }
- catch [Exception]{
- Write-Host "0:Can't find anything for $ProviderName in your $Channel eventlog. Please check Log name, Provider, Log ID, EventID, ComputerName and Credentials"
- #Write-Host $_.Exception.Message
- Exit 2;
- }
- }
- # This will evaluate the results from the above
- # function and return the sensor value
- #######################################
- function evaluateLogResults(){
- $Events = (readEventLog);
- $EventList = [System.Collections.ArrayList]$Events
- $Counter = $EventList.Count
- # Always show the last message when enabled
- if(($AlwaysShowMessage) -and ($Counter -ne 0)){
- $LastMessage = ($EventList[0].Message.Remove(150)+"[...]" -replace "`n|`r")
- $Message = "(Last entry: "+$LastMessage+")"
- }
- # Search for error and warning IDs
- if(($Counter -ne 0) -and (($StateBasedOnLastEventID)) -and (-not($StateBasedOnLastMessage))){
- switch ($EventList[0].Id){
- {$ErrorEvents -contains $EventList[0].Id}{ Write-Host $Counter":Critical event found: $($Message)"; $ExitCode = 2; return}
- {$WarningEvents -contains $EventList[0].Id}{ Write-Host $Counter":Warning event found: $($Message)"; $ExitCode = 1; return}
- }
- }
- # Search for messages that contain the error and warning strings
- elseif(($Counter -ne 0) -and ($StateBasedOnLastMessage)){
- foreach($String in $ErrorStrings){
- if($EventList[0].Message -match "($String)"){ Write-Host $Counter":Critical event found: $($Message)"; $ExitCode = 2; return; } }
- foreach($String in $WarningStrings){
- if($EventList[0].Message -match "($String)"){ Write-Host $Counter":Warning event found: $($Message)"; $ExitCode = 2; return; } }
- }
- # Search for messages that contain the error and warning strings and the messages
- elseif(($Counter -ne 0) -and (($StateBasedOnLastMessage) -and ($StateBasedOnLastID))){
- switch ($EventList[0].Id){
- {($ErrorEvents -contains $EventList[0].Id) -and ($EventList[0].Message -match $ErrorStrings)} { Write-Host $Counter":Critical event found: $($Message)"; $ExitCode = 1; return}
- {($WarningEvents -contains $EventList[0].Id) -and ($EventList[0].Message -match $WarningStrings)} { Write-Host $Counter":Warning event found: $($Message)"; $ExitCode = 2; return}
- }
- }
- switch ($Counter){
- {$Counter -eq 0}{ Write-Host $Counter"0:No log entries found"; $ExitCode = 0; return }
- {$Counter -eq 1}{ Write-Host $Counter"$Counter log entry found in the last $MaxAge hours $($Message)"; $ExitCode = 0; return; }
- {$Counter -gt 1}{ Write-Host $Counter":$Counter log entries found in the last $MaxAge hours $($Message)"; $ExitCode = 0; return; }
- }
- }
- # Action!
- evaluateLogResults;
- exit $ExitCode;