powershell - Get-EventLog - valid message missing for some event log sources


I'm pulling and filtering System event log data using Get-EventLog. I'm finding that Get-EventLog is not able to correctly return the message associated with some entries. These entries appear fine in Event Log Viewer. E.g.

Get-EventLog -LogName System | ? { $_.Source -eq "Microsoft-Windows-Kernel-General" }

returns 8 entries, some of which have a message of the following form:

The description for Event ID '12' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them. The following information is part of the event: '6', '1', '7601', '18798', '1', '0', '2015-06-13T08:33:32.359599800Z'

If I filter the System event log in Event Viewer for the same source, I can see the fully formed message. E.g.

The operating system started at system time 2015-06-13T08:33:32.359599800Z.

I ran the following to see if other providers are unable to return valid event messages:

Get-EventLog -LogName System | ? { $_.Message -like "The description for Event ID*" } | Group-Object -Property Source | Select-Object -Property Name

Name
----
Microsoft-Windows-Kernel-General
DCOM
WinRM
Microsoft-Windows-Iphlpsvc

I checked in Event Log Viewer to find the corresponding entries for the DCOM, WinRM and Iphlpsvc sources, and confirmed the correct message is visible.

I've run the test scripts in an admin-level PowerShell console.

Any ideas?

EDIT: Further research has revealed that psloglist appears to suffer the same problem, whereas wevtutil does not.

EDIT: Following the suggestion from Windos, I tried Get-WinEvent. I had tried it before and found it returned no message data at all. I tried again and found the same result. I tried

Get-WinEvent -ProviderName "Microsoft-Windows-Kernel-General"

which produced the following error

Could not retrieve information about the Microsoft-Windows-Kernel-General provider. Error: The locale specific resource for the desired message is not present.

A little googling led me to 'https://p0w3rsh3ll.wordpress.com/2013/12/13/why-does-my-get-winevent-command-fail/', which had experienced the same error message. It suggested it was due to regional settings. I'm in Australia, and the 'Format' setting in Control Panel was 'English (Australia)'. I changed it to 'English (United States)', launched a new PS console, confirmed it with Get-Culture, and re-ran the Get-WinEvent commands.

Get-WinEvent -ProviderName "Microsoft-Windows-Kernel-General" | Select-Object -Property Message

Lo and behold...

Message
-------
The system time has changed to 2015-07-12T01:06:52.405000000Z from 2015-07-12T01:05:51.764208900Z.
The system time has changed to 2015-07-12T01:05:09.671000000Z from 2015-07-12T01:04:09.226010500Z.
The system time has changed to 2015-07-12T01:03:49.119000000Z from 2015-07-12T01:02:48.060593100Z.
The system time has changed to 2015-07-12T01:02:32.128000000Z from 2015-07-12T01:01:29.610105600Z.
The system time has changed to 2015-06-13T08:41:12.267000000Z from 2015-06-13T08:41:12.404273100Z.
The operating system started at system time 2015-06-13T08:33:32.359599800Z.
The operating system is shutting down at system time 2015-06-13T08:33:05.091743100Z.
The system time has changed to 2015-06-13T08:32:58.947000000Z from 2015-06-13T08:32:58.947959900Z.

Sadly though, no change for Get-EventLog:

Get-EventLog -LogName System | ? { $_.Source -eq "Microsoft-Windows-Kernel-General" } | Select-Object -Property Message

Message
-------
The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer m...
The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer m...
The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer m...
The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer m...
The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer m...
The description for Event ID '12' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer ...
The description for Event ID '13' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer ...
The description for Event ID '1' in Source 'Microsoft-Windows-Kernel-General' cannot be found. The local computer m...

Not sure on how or why, but it looks like if you opt for Get-WinEvent rather than Get-EventLog you'll get the info you're after.

It should be noted that when changing commands, the 'Source' parameter is known as 'ProviderName', so the command becomes:

Get-WinEvent -LogName System | Where-Object { $_.ProviderName -eq 'Microsoft-Windows-Kernel-General' }
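The advice above matters for anyone collecting Windows logs for detection or forensics: a Get-EventLog entry whose message failed to render still carries the raw insertion strings, and the same record can usually be re-read with Get-WinEvent. The following script is an added example, not code from the question or the answer; it assumes the System log and the Microsoft-Windows-Kernel-General provider discussed above, an elevated console, and that Get-EventLog's Index and Get-WinEvent's RecordId identify the same record (assumption).

```powershell
# Added example: detect unrendered Get-EventLog messages and recover them.
param(
    [string]$LogName  = 'System',
    [string]$Provider = 'Microsoft-Windows-Kernel-General'
)

# Placeholder text Get-EventLog emits when the message DLL lookup fails.
$unrendered = 'The description for Event ID*cannot be found*'

# 1. Classic API: keep only entries that came back with the placeholder.
$broken = Get-EventLog -LogName $LogName |
    Where-Object { $_.Source -eq $Provider -and $_.Message -like $unrendered }

if (-not $broken) {
    Write-Host "All $Provider entries rendered correctly via Get-EventLog."
    return
}

# 2. Modern API: read the same provider's records once, keyed by record number.
#    Assumption: EventLogEntry.Index equals EventLogRecord.RecordId for one record.
$rendered = @{}
try {
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; ProviderName = $Provider } -ErrorAction Stop |
        ForEach-Object { $rendered[$_.RecordId] = $_ }
} catch {
    # On non-US regional formats this is typically the locale error quoted in the question.
    Write-Warning "Get-WinEvent failed: $($_.Exception.Message). Check Get-Culture / Control Panel format."
}

# 3. Emit one object per entry: rendered text when available, otherwise the raw
#    insertion strings, so the event data is never silently dropped from a pipeline.
foreach ($e in $broken) {
    $r = $rendered[[int64]$e.Index]
    [pscustomobject]@{
        RecordId = $e.Index
        EventId  = $e.EventID
        Time     = $e.TimeGenerated
        Rendered = [bool]($r -and $r.Message)
        Message  = if ($r -and $r.Message) { $r.Message } else { $e.ReplacementStrings -join ' | ' }
    }
}
```

Rows with Rendered = False show that rendering failed in both APIs on this host (for example because of the regional-format issue above), while the ReplacementStrings still preserve the timestamps and values the event carried.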
