14 April 2016

Query Event Logs to a Central Log File

Recently, we have had sporadic issues with Outlook and needed to see who all was experiencing the problem. We knew it was logged in the event viewer logs. I decided to write a PowerShell script, with the help of Sapien Technology's PowerShell Studio, that would be able to be deployed to machines, query the event viewer logs, and then write the machine name to a centralized log file if it met the criteria. That is what this script will do. I wrote the script so that it can be used in any instance where the need arises to get a report of systems with a specific event viewer log.

To use the script, the following parameters need to be populated:
  • -LogFileLocation -- the location where the centralized log file is to be written to
  • -LogFileName -- the name of the centralized log file
  • -EventLogName -- the name of the event viewer log for the script to query
  • -LogMessage -- the specific message you are looking for in the logs
All that needs to be done to use this is to deploy it through SCCM as a package so that it runs one time. You maybe wondering what happens if multiple systems try to write to the log file at the same time. I included a do-while/try-catch loop in it so that as long as it cannot write to the file it will continue trying until the file is free for it to write its entry.

You can download the script from here.

1:  <#  
2:       .SYNOPSIS  
3:            Query Event Viewer Logs  
5:       .DESCRIPTION  
6:            This script will query the event viewer logs and write the computer name to a designated, centralized log file, thereby indicating the system met the query specifications.  
8:       .PARAMETER LogFileLocation  
9:            The network location of where the log file resides.  
11:       .PARAMETER LogFileName  
12:            The name of the centralized log file  
14:       .PARAMETER EventLogName  
15:            Name of the event viewer log  
17:       .PARAMETER LogMessage  
18:            The message to filter the log files for.  
20:       .NOTES  
21:            ===========================================================================  
22:            Created with:     SAPIEN Technologies, Inc., PowerShell Studio 2016 v5.2.119  
23:            Created on:       4/13/2016 1:54 PM  
24:            Created by:       Mick Pletcher  
25:            Organization:  
26:            Filename:         OutlookLogs.ps1  
27:            ===========================================================================  
28:  #>  
29:  [CmdletBinding()]  
30:  param  
31:  (  
32:            [string]$LogFileLocation,  
33:            [string]$LogFileName,  
34:            [string]$EventLogName,  
35:            [string]$LogMessage  
36:  )  
38:  #Declare Variable  
39:  Set-Variable -Name Logs -Value $null -Scope Local -Force  
41:  cls  
42:  $ReportFile = $LogFileLocation + $LogFileName  
43:  $LogMessage = [char]42 + $LogMessage + [char]42  
44:  $Logs = Get-EventLog -LogName $EventLogName | where { $_.Message -like $LogMessage }  
45:  If ($Logs -ne $null) {  
46:       $Logs  
47:       Do {  
48:            Try {  
49:                 $Written = $true  
50:                 Out-File -FilePath $ReportFile -InputObject $env:COMPUTERNAME -Append -Encoding UTF8 -ErrorAction SilentlyContinue  
51:            } Catch {  
52:                 Start-Sleep -Seconds 1  
53:                 $Written = $false  
54:            }  
55:       } while ($Written -eq $false)  
56:  }  


  1. Any reason not to just use Eventlog Forwarding and have the specific event forwarded to a central eventlog? It also takes out the issue with not having all computers online, while running the script.

    1. That could be done, but personally, I wanted a centralized log file that only contained a computer name of that specific event was logged.