  1. #___ ___ _____ ___
  2. #| _ \ _ \_   _/ __|
  3. #|  _/   / | || (_ |
  4. #|_| |_|_\ |_| \___|
  5. #    NETWORK MONITOR
  6. #-------------------
  7. #(c) 2014 Stephan Linke, Paessler AG
  8. <#
  9.    .SYNOPSIS
  10.    Reads the windows eventlog and filters for the specified events.
  11.  
  12.    .DESCRIPTION
  13.    This custom sensor for PRTG will read the given EventLog file and search it
  14.    for the defined events. It can also raise an error if the last event found has a certain ID or
  15.    message.
  16.  
  17.    .PARAMETER ComputerName
  18.    The computer whose event log you want to check
  19.      
  20.    .PARAMETER Channel
  21.    The log name that is used by the application  
  22.    
  23.    .PARAMETER ProviderName
  24.    The application that you want to watch
  25.    
  26.    .PARAMETER EventID
  27.    The event IDs you want to filter. Separate multiple IDs with a comma
  28.  
  29.    .PARAMETER WarningEvents
  30.    The event IDs you want to raise a warning when found. Those IDs also have to be included in the event ids
  31.  
  32.    .PARAMETER ErrorEvents
  33.    The event IDs you want to raise an error when found. Those IDs also have to be included in the event ids
  34.  
  35.    .Parameter Levels
  36.    The Loglevels you want to include in the search
  37.  
  38.    .PARAMETER MaxAge
  39.    The age of the Logfile in hours
  40.    
  41.    .Parameter KeyWords
  42.    Only search log entries with these keywords
  43.    
  44.    .PARAMETER LimitEntries
  45.    Maximum number of log entries to be checked (order is new -> old)
  46.  
  47.    .PARAMETER StateBasedOnLastID
  48.    If this parameter is set, not the sheer number of events will decide if the sensor will go into error or warning state,
  49.    but only the event id of the last entry found. This is useful for RAID controllers, etc.
  50.  
  51.    .PARAMETER StateBasedOnLastMessage
  52.    If this parameter is set, not the sheer number of events will decide if the sensor will go into error or warning state,
  53.    but only the message of the last entry found. This is useful if messages have the same event ID for errors and information events.
  54.    
  55.    .PARAMETER Username and Password
  56.    The username and password that the script should use to create the credential object.
  57.    Format -Username "domain\username" -Password 'yourpass'
  58.  
  59.    .OUTPUTS
  60.    <number of entries found>:<entries> found in the event log. Last message: <last entry message>
  61.  
  62.    .EXAMPLE
  63.    C:\PS> .\Get-Events.ps1  -ComputerName %host -Username "%windowsdomain\%windowsuser" -Password "%windowspassword" -ProviderName "Microsoft-Windows-Immersive-Shell" -Channel "Microsoft-Windows-TWinUI/Operational" -LimitEntries 1 -MaxAge 1 -EventID 1719 -Level 4
  64.  
  65.    .EXAMPLE
  66.    C:\PS> .\Get-Events.ps1  -ComputerName %host -Username "%windowsdomain\%windowsuser" -Password "%windowspassword" -ProviderName "Microsoft-Windows-Immersive-Shell" -Channel "Microsoft-Windows-TWinUI/Operational" -LimitEntries 1 -MaxAge 1 -EventID 1719 -Level 4 -StateBasedOnLastEntry
  67. #>
param(
    # Host to query. createCredentials compares this against $env:COMPUTERNAME
    # to decide whether a credential object is built at all.
    [string]$ComputerName   = "localhost",
    [string[]]$Channel      = @("Application"),
    [string[]]$ProviderName = @("Microsoft-Windows-User Profiles Service"),
    [int[]]$EventID         = @(1530),
    # IDs that put the sensor into warning/error state when they are the ID of
    # the last entry found; only consulted when -StateBasedOnLastEventID is set.
    [int[]]$WarningEvents   = @(),
    [int[]]$ErrorEvents     = @(),
    # Strings applied to the last entry's message with -match, i.e. as regular
    # expressions rather than literals; only consulted when -StateBasedOnLastMessage
    # is set. These two are not described in the help block above.
    [string[]]$ErrorStrings = @(),
    [string[]]$WarningStrings = @(),
    [int[]]$Levels          = @(4),
    # Look-back window in hours (StartTime = now - MaxAge).
    [float]$MaxAge          = 20,
    # Upper bound on entries fetched; the help says the order is new -> old.
    [int]$LimitEntries      = 10,
    # fake credentials, in case we run at localhost.
    # NOTE: the password arrives as a plain-text command-line argument (see the
    # .EXAMPLE lines), so it is visible to anything that can read this process's
    # command line; pass the PRTG placeholder rather than a literal value.
    [string]$Username       = '',
    [string]$Password       = '',
    [switch]$AlwaysShowMessage,
    [switch]$StateBasedOnLastMessage,
    # NOTE: the second .EXAMPLE above uses -StateBasedOnLastEntry, which is not a
    # parameter of this script; this switch is the one that exists.
    [switch]$StateBasedOnLastEventID
)
  87. [System.Threading.Thread]::CurrentThread.CurrentCulture = New-Object "System.Globalization.CultureInfo" "en-US"
  88. $ExitCode = 0
  89. $Message = ""
  90.  
  91. # This will create the credential
  92. # object that is used to get the events
  93. #######################################
  94. function createCredentials(){
  95.     if((($env:COMPUTERNAME) -ne $ComputerName)){
  96.         # Generate Credentials Object first
  97.         $SecPasswd  = ConvertTo-SecureString $Password -AsPlainText -Force
  98.         $Credentials= New-Object System.Management.Automation.PSCredential ($Username, $secpasswd)
  99.         return $Credentials
  100.     }
  101.     else{ return "false" }
  102. }  
  103.  
  104. # This will retrieve the event log entries
  105. # based on channel, provider and events ID.
  106. #######################################
  107. function readEventLog(){
  108.  
  109.     $Credentials = (createCredentials);
  110.  
  111.     $EventFilter = @{
  112.         ProviderName=$ProviderName;
  113.         LogName=$Channel;
  114.         ID=$EventID;
  115.         Level=$Levels;
  116.         StartTime=(get-date).AddHours(-$MaxAge)
  117.     }
  118.  
  119.     try{
  120.         if($Credentials -ne "false"){ $Events = (Get-WinEvent -ComputerName $ComputerName -FilterHashTable $EventFilter -MaxEvents $LimitEntries -Credential $Credentials -EA silentlycontinue) }
  121.         else{ $Events = (Get-WinEvent -ComputerName $ComputerName -FilterHashTable $EventFilter -MaxEvents $LimitEntries -EA silentlycontinue) }
  122.        
  123.         return $Events;
  124.     }
  125.     catch [Exception]{
  126.         Write-Host "0:Can't find anything for $ProviderName in your $Channel eventlog. Please check Log name, Provider, Log ID, EventID, ComputerName and Credentials"
  127.         #Write-Host $_.Exception.Message
  128.         Exit 2;
  129.     }
  130. }
  131.  
  132. # This will evaluate the results from the above
  133. # function and return the sensor value
  134. #######################################
  135. function evaluateLogResults(){
  136.        
  137.         $Events = (readEventLog);
  138.         $EventList = [System.Collections.ArrayList]$Events
  139.         $Counter = $EventList.Count
  140.        
  141.         # Always show the last message when enabled
  142.         if(($AlwaysShowMessage) -and ($Counter -ne 0)){
  143.         $LastMessage = ($EventList[0].Message.Remove(150)+"[...]" -replace "`n|`r")
  144.         $Message = "(Last entry: "+$LastMessage+")"
  145.         }
  146.                
  147.         # Search for error and warning IDs
  148.         if(($Counter -ne 0) -and (($StateBasedOnLastEventID)) -and (-not($StateBasedOnLastMessage))){
  149.             switch ($EventList[0].Id){
  150.                 {$ErrorEvents -contains $EventList[0].Id}{ Write-Host $Counter":Critical event found: $($Message)"; $ExitCode = 2; return}
  151.                 {$WarningEvents -contains $EventList[0].Id}{ Write-Host $Counter":Warning event found: $($Message)"; $ExitCode = 1; return}
  152.             }
  153.         }
  154.        
  155.         # Search for messages that contain the error and warning strings
  156.         elseif(($Counter -ne 0) -and ($StateBasedOnLastMessage)){
  157.         foreach($String in $ErrorStrings){
  158.                     if($EventList[0].Message -match "($String)"){ Write-Host $Counter":Critical event found: $($Message)"; $ExitCode = 2; return; } }
  159.                 foreach($String in $WarningStrings){
  160.                     if($EventList[0].Message -match "($String)"){ Write-Host $Counter":Warning event found: $($Message)"; $ExitCode = 2; return; } }
  161.         }
  162.    
  163.         # Search for messages that contain the error and warning strings and the messages
  164.         elseif(($Counter -ne 0) -and (($StateBasedOnLastMessage) -and ($StateBasedOnLastID))){
  165.         switch ($EventList[0].Id){
  166.                     {($ErrorEvents -contains $EventList[0].Id) -and ($EventList[0].Message -match $ErrorStrings)} { Write-Host $Counter":Critical event found: $($Message)"; $ExitCode = 1; return}
  167.                     {($WarningEvents -contains $EventList[0].Id) -and ($EventList[0].Message -match $WarningStrings)} { Write-Host $Counter":Warning event found: $($Message)"; $ExitCode = 2; return}
  168.                 }
  169.         }
  170.  
  171.         switch ($Counter){
  172.                 {$Counter -eq 0}{ Write-Host $Counter"0:No log entries found"; $ExitCode = 0; return }
  173.                 {$Counter -eq 1}{ Write-Host $Counter"$Counter log entry found in the last $MaxAge hours $($Message)"; $ExitCode = 0; return; }
  174.                 {$Counter -gt 1}{ Write-Host $Counter":$Counter log entries found in the last $MaxAge hours $($Message)"; $ExitCode = 0; return; }
  175.             }
  176.            
  177. }
  178.  
  179. # Action!
  180. evaluateLogResults;
  181. exit $ExitCode;