Grepping Live Windows Events

Today, we have powerful tools to take care of our logs. There are plenty of solutions to collect and process them in multiple ways to make them more valuable. Of course, I have one of those tools to process my logs. However, I still often use the good old “tail -f | grep” combination to track interesting events live on a UNIX system. It is very efficient for catching specific events while debugging an issue.

Every operating system or application should generate useful logs (in a perfect world). Microsoft OSes write events in an internal binary format. They can be reviewed with the well-known Event Viewer tool. It can search for events and browse events from remote computers in the same domain but… it is a graphical tool and it does not allow live tracking of events (pressing F5 to refresh the list of events is just too boring). Of course, there are alternative solutions from 3rd party developers, but I did not find one that matched my requirements: console based, auto-updating, with filters (by event ID or regular expression). I needed such a tool for a specific project so I wrote my own in PowerShell. It was a good exercise for me as I don’t have a lot of experience with Microsoft’s automation tool.

Honestly, this is a great framework to automate boring tasks in a Windows environment. Like Perl or Python libraries, PowerShell comes with plenty of “Cmdlets” which add extra commands to perform specific tasks. Guess what? There is a Cmdlet to read the Windows event logs: Get-EventLog:

PS C:\Documents and Settings\xavier\Desktop> help get-eventlog
NAME
 Get-EventLog
SYNOPSIS
 Gets information about local event logs or the entries stored in those event logs.

SYNTAX
 Get-EventLog [-logName] <string> [-newest <int>] [<CommonParameters>]
 Get-EventLog [-list] [-asString] [<CommonParameters>]

DETAILED DESCRIPTION
 Gets information about local event logs or the entries stored in those event logs.

RELATED LINKS

REMARKS
 For more information, type: "get-help Get-EventLog -detailed".
 For technical information, type: "get-help Get-EventLog -full".

[Note: The version of PowerShell used here was an old one. With the latest versions, more parameters have been added but I needed a script compatible with all versions of PowerShell.]

My script “tail.ps1” works just like “tail -f | grep”. It displays new events live as they match the given criteria. It is called with the following syntax:

PS C:\Documents and Settings\xavier\Desktop> ./tail.ps1 -help
Usage: tail.ps1 [-log=<eventlog>,<eventlog>,...]
                [-eventid=<id>,<id>,...]
                [-pattern=<regex>]
                [-details]
                [-verbose]
                [-help]

You can specify:

  • the log(s) to be tracked (by default, only the “Security” log)
  • the event ID(s) to be tracked (example: 4625, a failed logon)
  • a regular expression to match against the event message

Here is an example of usage. The script tracks state changes of services (event ID 7036 in the System log) whose message matches “WMI”:

PS C:\> ./tail.ps1 -log system -eventid 7036 -pattern WMI
Index Time Type Source EventID Message
----- ---- ---- ------ ------- -------
27253 sept. 17 2... Info Service Control M... 7036 The WMI Performance Adapter service entered the stopped state.
27255 sept. 17 2... Info Service Control M... 7036 The WMI Performance Adapter service entered the running state.
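To show how such a “tail -f | grep” can be built on nothing more than Get-EventLog, here is an added example. It is not the tail.ps1 script from the original post, just my own minimal rewrite of the same idea using only the -LogName and -Newest parameters, which exist in every PowerShell version. The parameter names, the polling interval and the batch size are my own choices.

```powershell
# Added example, not the author's tail.ps1: follow one or more classic Windows
# event logs live and print only entries matching an event ID list and/or a
# regex on the message. Uses only Get-EventLog -LogName/-Newest so it runs on
# old PowerShell versions too. Parameter names and defaults are assumptions.
param(
    [string[]] $Log      = @('Security'),   # log(s) to follow
    [int[]]    $EventId  = @(),             # keep only these IDs (empty = all)
    [string]   $Pattern  = '',              # regex applied to the message (empty = all)
    [int]      $Interval = 2,               # seconds between polls
    [int]      $Batch    = 200              # max entries fetched per poll (assumption)
)

# Record the highest Index already present in each log. Index grows
# monotonically within a log, so everything above it is new since the last poll.
$lastIndex = @{}
foreach ($l in $Log) {
    $newest = Get-EventLog -LogName $l -Newest 1 -ErrorAction Stop
    if ($newest) { $lastIndex[$l] = $newest.Index } else { $lastIndex[$l] = 0 }
}

while ($true) {
    Start-Sleep -Seconds $Interval
    foreach ($l in $Log) {
        # -Newest returns newest first; keep the unseen entries and replay them
        # oldest first. @( ) guarantees an array even when nothing came back.
        $new = @(Get-EventLog -LogName $l -Newest $Batch |
                 Where-Object { $_.Index -gt $lastIndex[$l] } |
                 Sort-Object Index)

        foreach ($e in $new) {
            # Advance the cursor before filtering so skipped events are not re-read.
            $lastIndex[$l] = $e.Index

            if ($EventId.Count -gt 0 -and $EventId -notcontains $e.EventID) { continue }

            # Message may be $null when the event source's message DLL is missing;
            # flatten multi-line descriptions onto one line for grep-style output.
            $msg = [string]$e.Message -replace '\s+', ' '
            if ($Pattern -ne '' -and $msg -notmatch $Pattern) { continue }

            '{0:yyyy-MM-dd HH:mm:ss} {1,-12} {2,-12} {3,6} {4}' -f `
                $e.TimeGenerated, $l, $e.EntryType, $e.EventID, $msg
        }

        # A full batch of unseen entries means more than $Batch events arrived
        # since the last poll and the oldest ones were skipped; say so loudly
        # rather than silently losing them.
        if ($new.Count -ge $Batch) {
            Write-Warning "$l`: $Batch or more new events in one poll, oldest ones skipped"
        }
    }
}
```

Run it from an elevated prompt when following the Security log, as reading it needs administrative rights. Something like “-Log Security -EventId 4625 -Pattern 'Administrator'” shows failed logons against that account as they happen; -Pattern is a .NET regular expression and, like all PowerShell -match operators, is case-insensitive by default (use -cmatch in the script if you need case sensitivity). Two caveats a practitioner should keep in mind: Get-EventLog only reads the classic logs (Application, System, Security and the other legacy channels), so the “Applications and Services” logs introduced with Vista need Get-WinEvent instead; and polling with -Newest is a window, not a stream, which is why the script warns when a poll returns a full batch.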

The script is available on github.com. It is provided “as is”. Just feel free to use it and enhance it.
