Event Viewer BSA Solution with PowerShell

Version 2

    As a BLAdmin I am constantly asked "Why can't I view the Event Logs of Windows servers in BladeLogic?"

     

    I was working on a solution for another task and then a proverbial lightbulb dropped on my head! I should use PowerShell to view the Event Logs rather than the clunky LogParser version (https://communities.bmc.com/communities/docs/DOC-19788).

    Enough chit chat, here's the meat.

     

    Requirements & Notes:

    • This was developed for BSA 8.1.03
    • Works with PowerShell V2+
    • Batch file will increase the size of the command prompt Column and Row buffers (this prevents the text being cut off in the column view)
    • There seems to be a limit to column chars in the RCP client (some lines will have their text cut from view, but if the line is copied to the clipboard and pasted into Notepad the entire text can be seen; researching a solution for this)
    • The replace statements help to keep all text on one line (may require further additions if you see anomalies)
    • This can be reproduced for additional Event Logs

     

    Upload the following files in a depot folder (EventViews)

    application_ev.ps1

    #EventViews - Show the 2000 most recent events from the Application Event Log
    #richard.mcleod@gmail.com
    #2013-04-01

    # CSV header row, in the same column order as the data rows below
    Write-Output "TimeGenerated, EventID, EntryType, Source, Message, UserName"

    $events = Get-EventLog application -Newest 2000 | Select-Object EventID, EntryType, TimeGenerated, Source, Message, UserName

    $events | ForEach-Object {
        $evtID = $_.EventID
        $evtET = $_.EntryType
        $evtTG = $_.TimeGenerated
        $evtSRC = $_.Source
        # Flatten the message to one line and replace commas so they do not split CSV columns
        $evtMSG = $_.Message -replace "`r`n","" `
            -replace "`n"," " `
            -replace "`t"," " `
            -replace "`v"," " `
            -replace ",","."
        $evtUSR = $_.UserName
        Write-Output "$evtTG,$evtID,$evtET,$evtSRC,$evtMSG,$evtUSR"
    }

    system_ev.ps1

    #EventViews - Show the 2000 most recent events from the System Event Log
    #richard.mcleod@gmail.com
    #2013-04-01

    # CSV header row, in the same column order as the data rows below
    Write-Output "TimeGenerated, EventID, EntryType, Source, Message, UserName"

    $events = Get-EventLog system -Newest 2000 | Select-Object EventID, EntryType, TimeGenerated, Source, Message, UserName

    $events | ForEach-Object {
        $evtID = $_.EventID
        $evtET = $_.EntryType
        $evtTG = $_.TimeGenerated
        $evtSRC = $_.Source
        # Flatten the message to one line and replace commas so they do not split CSV columns
        $evtMSG = $_.Message -replace "`r`n","" `
            -replace "`n"," " `
            -replace "`t"," " `
            -replace "`v"," " `
            -replace ",","."
        $evtUSR = $_.UserName
        Write-Output "$evtTG,$evtID,$evtET,$evtSRC,$evtMSG,$evtUSR"
    }

    security_ev.ps1

    #EventViews - Show the 2000 most recent events from the Security Event Log
    #richard.mcleod@gmail.com
    #2013-04-01

    # CSV header row, in the same column order as the data rows below
    Write-Output "TimeGenerated, EventID, EntryType, Source, Message, UserName"

    $events = Get-EventLog security -Newest 2000 | Select-Object EventID, EntryType, TimeGenerated, Source, Message, UserName

    $events | ForEach-Object {
        $evtID = $_.EventID
        $evtET = $_.EntryType
        $evtTG = $_.TimeGenerated
        $evtSRC = $_.Source
        # Flatten the message to one line and replace commas so they do not split CSV columns
        $evtMSG = $_.Message -replace "`r`n","" `
            -replace "`n"," " `
            -replace "`t"," " `
            -replace "`v"," " `
            -replace ",","."
        $evtUSR = $_.UserName
        Write-Output "$evtTG,$evtID,$evtET,$evtSRC,$evtMSG,$evtUSR"
    }

    runpowershell.bat

    @echo off
    mode con: cols=2600 lines=2600
    powershell -inputformat none "&'%1'"

     

    Deploy these files as a BLPackage to your target Windows servers, then create the following Extended Objects

     

    Name: EventViews: Application

    Description: Show the 2000 most recent events from the Application Event Log

    Command/Script:

     

    "\path\to\the\runpowershell.bat" \path\to\the\\application_ev.ps1

    Choose Remote Execution

    Grammar File: CSV File Grammar

     

    -

     

    Name: EventViews: System

    Description: Show the 2000 most recent events from the System Event Log

    Command/Script:

     

    "\path\to\the\runpowershell.bat" \path\to\the\\system_ev.ps1

    Choose Remote Execution

    Grammar File: CSV File Grammar

     

    -

     

    Name: EventViews: Security

    Description: Show the 2000 most recent events from the Security Event Log

    Command/Script:

     

    "\path\to\the\runpowershell.bat" \path\to\the\\security_ev.ps1

    Choose Remote Execution

    Grammar File: CSV File Grammar

     

    -

     

    After the Extended Objects are created and permissioned, you should be able to see events by live browsing a server, expanding Extended Objects and choosing one of the EOs created above. Here is a sample output:

     

    Capture.JPG
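
    The three scripts above differ only in the log name, and their -replace chain covers only the control characters it lists. The following is an added example, not one of the original scripts: a single parameterized script that collapses every control character in every field, so text embedded in an event cannot spill into a second row of the CSV view. The file name, the parameters (-LogName, -Newest, -Demo) and both helper function names are assumptions, and passing -LogName through runpowershell.bat would require the wrapper to forward extra arguments.

```powershell
# eventview.ps1 (hypothetical file name) - added example, not one of the original scripts
param(
    [string]$LogName = 'Application',  # assumed parameter: which event log to read
    [int]$Newest = 2000,               # same row count the original scripts use
    [switch]$Demo                      # assumed switch: format the constructed sample only
)

# Hypothetical helper: flatten any value into one comma-free, single-line field.
function ConvertTo-FlatField([object]$Value) {
    $text = [string]$Value
    # Collapse every run of control characters (CR, LF, TAB, VT, NUL, ...) to one
    # space, so text embedded in an event cannot begin a new row in the view.
    $text = $text -replace '[\x00-\x1F\x7F]+', ' '
    # A comma would shift columns under the CSV grammar; same swap as the original.
    return ($text -replace ',', '.').Trim()
}

# Hypothetical helper: build one row in the header's column order.
function Format-EventRow($Entry) {
    $fields = @($Entry.TimeGenerated, $Entry.EventID, $Entry.EntryType,
                $Entry.Source, $Entry.Message, $Entry.UserName) |
        ForEach-Object { ConvertTo-FlatField $_ }
    return ($fields -join ',')
}

Write-Output "TimeGenerated, EventID, EntryType, Source, Message, UserName"

if ($Demo) {
    # Constructed sample (not real log data): CR/LF, tab and commas in the message.
    $sample = New-Object PSObject -Property @{
        TimeGenerated = [datetime]'2013-04-01 10:00:00'
        EventID       = 1000
        EntryType     = 'Error'
        Source        = 'DemoSource'
        Message       = "App demo.exe, version 1.0`r`n`tForged,Row,Here"
        UserName      = $null
    }
    Format-EventRow $sample
}
else {
    # Reading the Security log requires an account with rights to that log.
    Get-EventLog -LogName $LogName -Newest $Newest |
        ForEach-Object { Format-EventRow $_ }
}
```

    Running the script with -Demo prints the header and the constructed sample as a single row, without touching any event log.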