I have a requirement to export Windows Event logs to CSV from our production environment periodically.
I have a simple XML Config file containing a list of machines I need the events from, and a list of Event Ids that I need to retrieve.
From here I'm looping through each machine name in turn, and then each event Id to retrieve the logs and then export to CSV. I'd like one CSV per machine per execution.
Once I've worked out all my variables the PS Command is quite simple to retrieve the log for one Event Id
foreach ($machine in $config.Configuration.Machines.Machine)
{
$csvname=$outputlocation + $machine.Value + "_" + $datestring + ".csv"
foreach ($eventid in $config.Configuration.EventIds.EventId)
{
Get-WinEvent -ComputerName $machine.Value -ErrorAction SilentlyContinue -FilterHashTable #{Logname='Security';ID=$eventid.Value} | where {$_.TimeCreated -gt $lastexecutiondate} | export-csv -NoClobber -append $csvname
}
}
Execpt I'm unable to append to a CSV each time, PS 2.0 apparently does not support this. I've tried extracting all Event Ids at once but this seems to be a bit long winded and may now allow use of a config file, but I'm fairly new to PowerShell so I haven't had much luck.
I also need to specify multiple LogNames (System, Security and Application), and would prefer to run one statement as opposed to the same statement 3 times and appe but I'm unsure of how to do this.
Unfortunately at this point Google has me running in circles.
The following is something I culled together to allow me to export the prior 24 hours of events for select event logs - I'm going to create a scheduled task out of it so it pulls a daily.
Hope this helps someone else...
$eventLogNames = "Application", "Security", "System", "Windows PowerShell"
$startDate = Get-Date
$startDate = $startDate.addDays(-1).addMinutes(-15)
function GetMilliseconds($date)
{
$ts = New-TimeSpan -Start $date -End (Get-Date)
[math]::Round($ts.TotalMilliseconds)
}
$serverName = get-content env:computername
$serverIP = gwmi Win32_NetworkAdapterConfiguration |
Where { $_.IPAddress } | # filter the objects where an address actually exists
Select -Expand IPAddress | # retrieve only the property *value*
Where { $_ -notlike '*:*' }
$fileNameDate = Get-Date -format yyyyMMddhhmm
$endDate = Get-Date
$startTime = GetMilliseconds($startDate)
$endTime = GetMilliseconds($endDate)
foreach ($eventLogName in $eventLogNames)
{
Write-Host "Processing Log: " $eventLogName
<# - Remove comment to create csv version of log files
$csvFile = $fileNameDate + "_" + $serverIP +"_" + $eventLogName + ".csv"
Write-Host "Creating CSV Log: " $csvFile
Get-EventLog -LogName $eventLogName -ComputerName $serverName -After $startDate -ErrorAction SilentlyContinue | Sort MachineName, TimeWritten | Select MachineName, Source, TimeWritten, EventID, EntryType, Message | Export-CSV $csvFile #ConvertTo-CSV #Format-Table -Wrap -Property Source, TimeWritten, EventID, EntryType, Message -Autosize -NoTypeInformation
#>
$evtxFile = $fileNameDate + "_" + $serverIP + "_" + $eventLogName + ".evtx"
Write-Host "Creating EVTX Log: " $evtxFile
wevtutil epl $eventLogName $evtxFile /q:"*[System[TimeCreated[timediff(#SystemTime) >= $endTime] and TimeCreated[timediff(#SystemTime) <= $startTime]]]"
}
Why do I get Failed to export log Security. The specified query is invalid. I get this for each type of event log (system, application etc). This happens only to evtx export. I get the csv file tho`....
Related
I've checked code and examples from identical questions on this site, but I'm baffled, because I'm utilizing nearly the exact same code from Get-ADUser with display name as a value and it just pulls empty results for me. I don't know how to continue a conversation on an existing question, so I figured I had to make my own.
Here is what I have:
import-module activedirectory
$csv = Get-Content users.csv
foreach ($user in $csv) {
$user = $user.trim()
write-host $user #A line for testing to show me what name is being analyzed
$samName = Get-ADUser -Filter{displayName -like "$user*"} | select samaccountname
write-host $samName
}
cmd /c pause | out-null
The output I get is:
John Doe
Jane Doe
Billy Ray
But if I change
$samName = Get-ADUser -Filter{displayName -like "$user*"} | select samaccountname
to:
$samName = Get-ADUser -Filter{displayName -like "John Doe*"} | select samaccountname
It will correctly return John Doe's samaccountname.
We are working on TFS databases (TFS_Warehouse, TFS_FabrikamFibreCollection) to create some report related to TFS activities. We need to generate reports based on Team Name.
TFS maintained
following hierarchies for projects:
ProjectCollection
Project
Team
We are able to map ProjectCollections and Projects in the TFS_Warehouse database, they are in DimTeamProject.
But ee are not able to map Team Name in TFS_Warehouse / TFS_FabrikamFibreCollection database.
If you have any idea about Team Name mappings with DB tables please let me know.
This is the closest solution I found for your question:
SELECT map.[TeamId]
,map.[ProjectId]
,proj.[ProjectNodeName] AS [Team Project Name]
,ado.[SamAccountName] AS [Team Name]
FROM [Tfs_FabrikamFibreCollection].[dbo].[tbl_TempTeamProjectMapping] map
JOIN [Tfs_Warehouse].[dbo].[DimTeamProject] proj ON map.[ProjectId] = proj.[ProjectNodeGUID]
JOIN [Tfs_FabrikamFibreCollection].[dbo].[ADObjects] ado ON map.[TeamId] = ado.[TeamFoundationId]
For some reason, the [tbl_TempTeamProjectMapping] table includes the default security groups (Readers, Contributors, Project Administrators, etc.) but these can easily be filtered out of the results.
We don't suggest handle database directly. You can create Excel reports instead. Usually, when we create a Team, we'll create an area path with the name of the team. So you can try to select Area Path in the field:
I'd recommend staying away from the SQL and use the TFS API. The following PowerShell invokes the TFS client namespace and brings back the collections and projects.
#region Get-TfsSummary
function Get-TfsSummary{
param(
[parameter(Position=0,HelpMessage=' Full server name. e.g. tfsServer.domain.net',Mandatory)]
[string]
$serverFQDN, # eg 'tfsServer.domain.net'
[parameter(Position=1,HelpMessage=' port used to access the TFS server e.g. 8080')]
[string]
$serverPort, # eg '8080'
[parameter(Position=2,HelpMessage=' The root virtual directory for TFS. Default is tfs e.g. tfs ')]
[string]
$tfsRootNode # eg 'tfs'
)
Add-Type -AssemblyName "Microsoft.TeamFoundation.Client, Version=12.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
$tfsUri = 'http://' + $serverFQDN + ':' + $serverPort +'/' + $tfsRootNode + '/'
$tfsConfigurationServer = [Microsoft.TeamFoundation.Client.TfsConfigurationServerFactory]::GetConfigurationServer($tfsUri)
$tpcService = $tfsConfigurationServer.GetService("Microsoft.TeamFoundation.Framework.Client.ITeamProjectCollectionService")
$sortedCollections = $tpcService.GetCollections() | Sort-Object -Property Name
$numberOfProjects = 0
$numberOfStoppedCollections = 0
$numberOfStartedProjects = 0
$numberOfStoppedProjects = 0
$isStopped = ''
foreach($collection in $sortedCollections) {
$collectionUri = $tfsUri + "/" + $collection.Name
$tfsTeamProject = [Microsoft.TeamFoundation.Client.TfsTeamProjectCollectionFactory]::GetTeamProjectCollection($collectionUri)
try {
$cssService = $tfsTeamProject.GetService("Microsoft.TeamFoundation.Server.ICommonStructureService4")
}catch{}
$sortedProjects = $cssService.ListProjects() | Sort-Object -Property Name
if($collection.State -eq 'Stopped'){
$isStopped = ' but is stopped'
$numberOfStoppedCollections++
$numberOfStoppedProjects += $sortedProjects.Count
}
Write-Host "`n" $collection.Name "(" $collection.Id ")- contains" $sortedProjects.Count "project(s)$isStopped"
$isStopped = ''
foreach($project in $sortedProjects)
{
$numberOfProjects++
Write-Host (" - " + $project.Name + " (" + $project.Uri + ")")
}
}
$numberOfStartedProjects = $numberOfProjects - $numberOfStoppedProjects
Write-Host
Write-Host "Number of stopped collections " $numberOfStoppedCollections
Write-Host "Total number of project collections " $sortedCollections.Count
Write-Host "Online projects " $numberOfStartedProjects
Write-Host "Total number of projects " $numberOfProjects
}
#endregion Get-TfsSummary
#GET TEXT FILE WITH LIST OF "SAMACCOUNTNAME" TO LIST VARIABLE
$list = Get-Content C:\PSSCripts\listofusers.txt
#PULL INFORMATION FROM ACTIVE DIRECTORY TO USERRESULTS VARIABLE
$UserResults = Get-AdUser -filter * -searchbase "OU=THISOU,DC=THISDOMAIN,DC=int" -Properties displayname
#DETERMINE IF USER IS IN THE TXT LIST
foreach ($user in $UserResults)
{
if ($user.SamAccountName -in $list.SamAccountName)
{
#ECHO THEIR NAME TO VERIFY
write-host $user.displayName
}
}
#VERIFY USER TO BE OFFBOARDED VIA Y/N PROMPT - VISUALLY INSPECT LIST
$choice = ""
while ($choice -notmatch "[y|n]"){
$choice = read-host "The following user profiles have been loaded for offboarding. Do you want to continue? Please Verify the users before continuing. (Y/N)"
}
if ($choice -eq "y"){
# LOOP THROUGH USERS AND APPLY CHANGES
foreach ($user in $UserResults)
{
#DETERMINE IF USER IS IN TXT FILE
if ($user.SamAccountName -in $list.SamAccountName)
{
# DISABLE ACCOUNT
Disable-ADAccount -Identity $user
# CHANGE DISPLAYNAME AND DESCRIPTION TO DISPLAY TERMINATED - $USER
$newname = "Terminated - " + $user.displayName
Get-ADUser -Identity $user | Set-ADObject -Description $newname -DisplayName $newname
# CHANGE USER PASSWORD TO "Password1"
$password = "Password1" | ConvertTo-SecureString -AsPlainText -Force
Set-ADAccountPassword -NewPassword $password -Identity $user -Reset
# MOVE USER TO DIFFERENT LOCATION, Disabled Users organizational unit
Move-ADObject -Identity $user -TargetPath "OU=DisabledUsers,DC=THATDOMAIN,DC=int" -Confirm:$false
}
}
}
else {write-host "Script aborted!"}
Getting the following error:
*You must provide a value expression on the right-hand side of the '-' operator. At :11 char:29
if ($user.SamAccountName - <<<< in $list.SamAccountName)
Category Info : ParserError (:) [], ParseException
FullyQualifiedErrorID : ExpectedValueExpression
I have a list of users in a text file with the header SAMACCOUNTNAME. These users are being checked against the list of users in a particular OU. Powershell will echo the list of users in my text list to me (after having checked it against all the users in that OU in AD - to verify nothing is being offboarded / changed in error), prompt to verify (y|n) before moving forward and executing a script I wrote with the help of some redditors from /r/powershell earlier.
I'm not understanding why I'm getting this error, is
-in $list.SamAccountName
Not correct?
Thanks for the help, stackoverflow! First time posting, looking forward to getting better with Powershell and giving back to the community.
You should use "-eq" or "-contains" (I am not sure what is a scalar value and what is an array in your program).
Need help with part of this PS script. I am basically need to read the content of a file (look for word imported). New file is generated every day with the format power_XX.log
XX represents the day of the month.
Don't know what I am overlooking , but if the file exists and word "imported" is found it should generated a true.
Thanks in advance
************************
#today is a working day
$today = (get-date).day
$fileofday = Get-ChildItem -Path \\noctest1\c$\temp\*.log ('power_' + $today + '.log')
if ($fileofday -and (select-string -Path '\\noctest1\c$\temp\*.log ($fileofday)'-Pattern 'imported' -Quiet))
*******************************************
$today = (get-date).day;
$filePath = join-path -path "\\noctest1\c`$\temp" -childpath $("power_$today.log");
$importedFound = $false;
$todayFileExists = test-path $filePath
if ($todayFileExists) {
$importedFound = select-string $filePath -pattern "imported" -quiet;
}
$importedFound is now true if the file was found and contains "imported", otherwise it's false.
Sorry if SO is not the best place, but I have time-tracking enabled in JIRA and want to be able to generate a time-report for each user over a given date range. The only time-tracking report option I have is very limited and doesn't do what I want, is it possible through standard functionality or a free plugin perhaps?
You might want to check out Tempo Plugin for JIRA timetracking. It offers timesheets, reports and gadgets on user, team, project, and customer levels.
how about this one:
https://plugins.atlassian.com/plugin/details/294
If you don't want to pay a lot of money for a simple action like getting a summary of time per user.
I found this flow useful:
Create a filter that you like to measure (I measure time only by sub tasks)
Export it to excel
Copy and paste it into a google docs spreadsheet
In google docs you have an option to create a Pivot Table, so just create one that the rows are the assignees and the values are the time
You can also create a calculated column to get the time in hours (just divide it by 3600)
Hope it helps
Using the Better Excel Plugin you can take advantage of all reporting features in Microsoft Excel.
This plugin exports any sort of JIRA data (including issue fields and worklogs) to custom Excel templates. The templates can use filtering to the date range, and can display your report in an Excel pivot table. If you need further dimensions (like additional grouping by project, by component, by week, by month, etc.), these are super simple to add. You can also visualize the output in a pivot chart.
Tip: there is a default template included in the plugin, called worklog-report.xlsx, which can be used as is, or as starting point for further customization. It looks like this (there is a time-by-project pivot chart in the first worksheet, but I don't have a screenshot about that):
After the template is created, you can merge that with the most current JIRA data any time by a single click, or even generate it and email it to you automatically.
Disclaimer: I'm a developer working on this paid add-on.
You can easily do it with Everhour add-on for JIRA. It allows receiving a comprehensive report for each user over a given date range. And you are absolutely free to build any other layout of your reports and add as many data columns as you need.
Jira Sample Report - Everhour
If you're on Windows you can run the following powershell script to extract the data to CSV file.
## Instructions ##
Open Powershell ISE (It's installed to all windows 7 and later PCs)
Create a new PowerShell script (ctrl+n)
Paste the text from the following code block into the new file
##################################################################
# Variables
##################################################################
$username = "myname#asdf.com"
$password = Read-host "What's your Jira password?" -AsSecureString
#$password = ""
$jiraDomain = "asdf.atlassian.net"
$projectKey = "ABC"
$startDate = [datetime]::ParseExact('2017-05-08', 'yyyy-MM-dd', $null)
$endDate = Get-Date
#Get-Date = today
$csvFileName =c:\temp\Worklog.csv
##################################################################
# Functions
##################################################################
function get-jiraData {
param( [string]$restRequest)
Invoke-RestMethod -Headers #{Authorization=("Basic {0}" -f $base64AuthInfo)} -Uri $restRequest
}
function get-issues {
param( [string]$projectName)
$uri = "https://${jiraDomain}/rest/api/2/search?jql=project=${projectName}"
$issuesPage = get-jiraData -RestRequest $uri
#write first batch of issues
$issuesPage.issues
#do next batches
do {
$startAt = $issuesPage.maxResults + 1
$uri = "https://${jiraDomain}/rest/api/2/search?jql=project=${projectName}&startAt=$startAt"
$issuesPage = get-jiraData -RestRequest $uri
#write next batch of issues
$issuesPage.issues
} while (($issuesPage.startAt + $issuesPage.maxResults) -lt $issuesPage.total)
}
filter convert-worklog {
$worklog = New-Object System.Object
$worklog | Add-Member –type NoteProperty –Name Person –Value $_.author.name
$worklog | Add-Member –type NoteProperty –Name IssueKey –Value $key
$startDate = [datetime]::ParseExact($_.started.Substring(0,16), 'yyyy-MM-ddTHH:mm', $null)
$worklog | Add-Member –type NoteProperty –Name DateLogged –Value $startDate
$TimeMinutes = $_.timeSpentSeconds / 60
$worklog | Add-Member –type NoteProperty –Name TimeSpent –Value $TimeMinutes
$worklog | Add-Member –type NoteProperty –Name Comment –Value $_.comment
$worklog
}
filter extract-worklogs {
#$key = "WL-22"
$key = $_.key
$uri = "https://${jiraDomain}/rest/api/2/issue/${key}/worklog"
$worklogsPage = get-jiraData -RestRequest $uri
#write first batch of worklogs
$worklogsPage.worklogs | convert-worklog
#Check for another batch of worklogs
do {
$startAt = $worklogsPage.maxResults + 1
$uri = "https://${jiraDomain}/rest/api/2/issue/${key}/worklog?startAt=$startAt"
$worklogsPage = get-jiraData -RestRequest $uri
#write next batch of worklogs
$worklogsPage.worklogs | convert-worklog
} while (($worklogsPage.startAt + $worklogsPage.maxResults) -lt $worklogsPage.total)
}
##################################################################
# Execution
##################################################################
#Setup Authentication variable
$base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $username,$password)))
#This grabs all the worklogs for a project, then filters them by
$WorkLogs = get-issues -projectName $projectKey | extract-worklogs | ?{ $_.DateLogged -gt $startDate -and $_.DateLogged -lt $endDate } | sort DateLogged
$WorkLogs | export-csv $csvFileName -NoTypeInformation
Modify the variables at the start of the file
Save as a powershell script somewhere on your PC
Run the script by double clicking it