MSP Programs & Scripts Code
Programs and PowerShell Scripts for MSP/RMM Admins
Brought to you by:
theitguys
Menu
▾
▴
Tree [55dae9] master / util-eventLog / event-log-check-fs / History
| File | Date | Author | Commit |
|---|---|---|---|
| CheckFolder_ThenEvtLog.ps1 | 2019-05-29 |
theitguys
|
[00796e] setting up new repo |
| ReadMe.txt | 2019-05-29 |
theitguys
|
[00796e] setting up new repo |
Read Me
Readme for RMM-CheckFS-to-EventLog
usage: .\RMM-CheckFS-to-EventLog.ps1
[-f|-folder "<targetFolder>"]
[-r|-recurse] <--- default is NO/false
[-h|-hoursOld <integer>] <--- default value is 48 (hours)
[-ln|-logEvName "<what you created>"]
[-ls|-logSource "<see choices you created>"]
[-t|-entryType "<defaults to Information>"]
[-id|-eventId <integer>]
[-d|-debugging]
This script reports on any file in a target directory (non-recursive for now) that is created withint X number of hours. It then will make an entry in the Event Log on that or a target computer, with details of all the files it found.
The need for this came from a NinjaRMM MSP needing to be notified when a backup had been completed, within 48 hours of the time the script being run. NinjaRMM, and others, acn run PS scripts on schedules, and if that script writes to an event log, that same RMM can pick that event up, turning it into actions, like notifications, installations, or anything.
#####
#
# This creates the NinjaRMM logs in Event Viewer (OK to run over & over-ignores if already there; complains on command line)
#
# hint: Don't make these up on the fly (uding $logEvName, $logSource), or you will end up with accidental dupes. Hard code here,
# or in another script you run periodically.
#
$eventLogParams = @{
LogName = 'NinjaRMM Log'
Source = 'Threats','Backups','Sensors','Info'
}
New-EventLog @eventLogParams
#
# EntryTypes: Error, Warning, Information [SuccessAudit, FailureAudit]
#
# ...in this example, we'll be using "Backups" & "Information"
#
######
The above portion of the script includes how to create an event log and event sources, if one chooses to use their own. For RMMs this is advisable, as more common logs are quite verbose and duplicate event ids can occur. Also, it is easier to find your own log in the Event Viewer application.
pat@itguys.business
P.S. If your logs are already setup, and you run on the command line asking the script to make them again, no big deal. It just harmlessly carps:
New-EventLog : The "Threats" source is already registered on the "localhost" computer.
At C:\PSScripts\CheckFolder_ThenEvtLog.ps1:79 char:1
+ New-EventLog @eventLogParams
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [New-EventLog], InvalidOperationException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.NewEventLogCommand
New-EventLog : The "Backups" source is already registered on the "localhost" computer.
At C:\PSScripts\CheckFolder_ThenEvtLog.ps1:79 char:1
+ New-EventLog @eventLogParams
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [New-EventLog], InvalidOperationException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.NewEventLogCommand
New-EventLog : The "Sensors" source is already registered on the "localhost" computer.
At C:\PSScripts\CheckFolder_ThenEvtLog.ps1:79 char:1
+ New-EventLog @eventLogParams
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [New-EventLog], InvalidOperationException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.NewEventLogCommand
New-EventLog : The "Info" source is already registered on the "localhost" computer.
At C:\PSScripts\CheckFolder_ThenEvtLog.ps1:79 char:1
+ New-EventLog @eventLogParams
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [New-EventLog], InvalidOperationException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.NewEventLogCommand
