Hello,
has anyone tried to properly collect PowerShell Transcript Log Files?
The default is that each line is a new event, which does not work properly in case of errors and multi-line messages. I also tried with my own event marker, but that is not really flexible.
Normal Log:
**********************
Windows PowerShell transcript start
Start time: 20170531171206
Username:
RunAs User:
Machine:
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
Process ID: 7024
**********************
Transcript started, output file is D:\Dev\VmConfigTrigger\Output-05312017-051206.txt
vmConfigTrigger log Number 05312017-051206 Starts
'2' VMs were found in Config File to Process.
Name RAM CPU
---- --- ---
test 1
aijuPrpMNIOhRotQzSmDUqHBJAkTwGYVKCdxWFfcXegvZEbysnlL 1 1
'1' VMs found with matching Name Pattern 'test'
WARNING: Name 'test' Not Unique Identified in VM 'TESTSCCMDMH2'!
'1' VMs found with matching Name Pattern 'aijuPrpMNIOhRotQzSmDUqHBJAkTwGYVKCdxWFfcXegvZEbysnlL'
VM 'aijuPrpMNIOhRotQzSmDUqHBJAkTwGYVKCdxWFfcXegvZEbysnlL' Unique Identified!
VM 'aijuPrpMNIOhRotQzSmDUqHBJAkTwGYVKCdxWFfcXegvZEbysnlL': Needs RAM Change. '1' GB RAM.
VM 'aijuPrpMNIOhRotQzSmDUqHBJAkTwGYVKCdxWFfcXegvZEbysnlL': Needs CPU Change. '1' vCPU.
VM 'aijuPrpMNIOhRotQzSmDUqHBJAkTwGYVKCdxWFfcXegvZEbysnlL': Actual vCPU´s. '1'.
VM 'aijuPrpMNIOhRotQzSmDUqHBJAkTwGYVKCdxWFfcXegvZEbysnlL': New vCPU´s. '1'.
VM 'aijuPrpMNIOhRotQzSmDUqHBJAkTwGYVKCdxWFfcXegvZEbysnlL': vCPU´s already fine.
**********************
Windows PowerShell transcript end
End time: 20170531171207
**********************
Log With an Error:
**********************
Windows PowerShell transcript start
Start time: 20170531171747
Username:
RunAs User:
Machine:
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
Process ID: 7024
**********************
Transcript started, output file is D:\Dev\VmConfigTrigger\Output-05312017-051747.txt
vmConfigTrigger log Number 05312017-051747 Starts
PS>TerminatingError(ConvertFrom-Json): "Invalid JSON primitive:
{
"Name": "aijuPrpMNIOhRotQzSmDUqHBJAkTwGYVKCdxWFfcXegvZEbysnlL",
"RAM": "1",
"CPU": "1"
}
]
."
ConvertFrom-Json : Invalid JSON primitive:
{
"Name": "aijuPrpMNIOhRotQzSmDUqHBJAkTwGYVKCdxWFfcXegvZEbysnlL",
"RAM": "1",
"CPU": "1"
}
]
.
At D:\Dev\VmConfigTrigger\VmConfigTrigger.ps1:35 char:77
+ [Array] $Configs = Get-Content -Raw -Path "$PSScriptRoot\Config.json" | Conv ...
+ ~~~~
+ CategoryInfo : NotSpecified: (:) [ConvertFrom-Json], ArgumentException
+ FullyQualifiedErrorId : System.ArgumentException,Microsoft.PowerShell.Commands.ConvertFromJsonCommand
D:\Dev\VmConfigTrigger\VmConfigTrigger.ps1 : Failed to Read Config File!
+ CategoryInfo : InvalidData: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : FailedReadConfigFile,VmConfigTrigger.ps1
D:\Dev\VmConfigTrigger\VmConfigTrigger.ps1 : A Global Error occured, Script will stop! Problem needs to be resolved and then the Script can be restarted,
+ CategoryInfo : OperationStopped: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : GlobalError,VmConfigTrigger.ps1
**********************
Windows PowerShell transcript end
End time: 20170531171747
**********************
Maybe a special parser or some PS tricks can do that, or Transcript is a bad idea altogether... Any help is welcome.
Kind Regards,
Markus
Hi Markus,
I have not done the PowerShell transcript log files before, but can you upload a sample log here? I can try this for you and get back to you.
Thanks,
-Yogita.
I have added two examples.
Thanks for the samples. But can you attach the file as a sample? I would like to know if one log file can contain multiple instances of logs starting with this as the header -
Or if this is a file header and not a log header.
If you'd rather not attach it here you can send it to yogitap@vmware.com
Hey Markus -- "event_marker" should be very flexible. Given your example, try:
event_marker=^**********************\nWindows PowerShell transcript start
Hey Steve.
I think the event_marker itself is not the problem. With my marker (^vmConfigTrigger\slog\sNumber\s\d{8}\-\d{6}\sStarts) and also with yours, the log collection is starting correctly. At the moment the problem is that the collection stops during the transcript:
Log Insight Event:
Original File:
In case of an error in the PS script before the line where the vLI agent normally stops collecting, the whole file is visible in vLI:
Hmm, for fun can you configure the agent to collect a log file that DOES NOT exist yet, then copy an existing log file you already have (like the example above) to a file name that the agent will pick up and see if it works? Almost sounds like the issue is the log file is written too slowly and the agent is unable to pick up the changes (on error the file is likely written too quickly).
Pasting the whole file results in the same Problem...
I gave up. It was faster to create / adapt my own Logging mechanism.
Ok I got this to work. Thanks for sending me the log files.
[filelog|yogi_importer_test]
directory = **
include = *
tags={"product" : "powershell"}
event_marker = ^\*+\r\nWindows PowerShell transcript start
I used the loginsight importer tool to import the files so my directory field is ** but yours will point to the folder location. The trick was the carriage return character before the line feed char.
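A way to check a candidate marker against CRLF transcript text before putting it in the agent config. This is an added example, not part of the original posts: `Split-TranscriptEvents` is a hypothetical helper, the sample text is constructed from the transcript layout shown earlier in the thread, and it uses the .NET regex engine in multiline mode as a stand-in for the agent's own matching, which is an assumption.

```powershell
# Added example: hypothetical helper that splits text into events at each marker match.
function Split-TranscriptEvents {
    param(
        [Parameter(Mandatory)] [string] $Text,
        [Parameter(Mandatory)] [string] $EventMarker
    )
    # Multiline: '^' matches at the start of every line, not only at the start of the text.
    $opts   = [System.Text.RegularExpressions.RegexOptions]::Multiline
    $hits   = [regex]::Matches($Text, $EventMarker, $opts)
    $events = @()
    for ($i = 0; $i -lt $hits.Count; $i++) {
        # One event runs from this marker to the next marker (or to the end of the text).
        $start = $hits[$i].Index
        $end   = if ($i + 1 -lt $hits.Count) { $hits[$i + 1].Index } else { $Text.Length }
        $events += $Text.Substring($start, $end - $start)
    }
    return ,$events   # unary comma keeps an empty or single-element result an array
}

# Constructed sample: two transcripts back to back, joined with CRLF as on Windows.
$crlf = "`r`n"
$one = @(
    '**********************'
    'Windows PowerShell transcript start'
    'Start time: 20170531171206'
    '**********************'
    'vmConfigTrigger log Number 05312017-051206 Starts'
    '**********************'
    'Windows PowerShell transcript end'
    'End time: 20170531171207'
    '**********************'
) -join $crlf
$sample = $one + $crlf + $one + $crlf

# Same marker twice, differing only in the line ending it expects.
$markers = '^\*+\nWindows PowerShell transcript start',
           '^\*+\r\nWindows PowerShell transcript start'
foreach ($marker in $markers) {
    $events = Split-TranscriptEvents -Text $sample -EventMarker $marker
    '{0,-48} -> {1} event(s)' -f $marker, $events.Count
}
```

To test a real transcript, pass `[System.IO.File]::ReadAllText($path)` as `-Text` instead of the constructed sample.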
Thanks for your investigation.
But I have already created my own PowerShell Log Function. Works way Cleaner than Native Transcript.
Appreciating that this is an old thread, I am trying to achieve this exact task at the moment.
I think, as you have suggested Steve, this is happening as the log file isn't being written to quickly enough for the agent to detect that this is all part of the same event. Do we know what the "time out" is for the agent to disregard the lines in a log file as the same event when using the event marker?
Hoping there might be something that I can do within the agent to allow the whole event to show within LI - the strange thing is sometimes this works, and sometimes it doesn't.
Only thing I can think of currently is to monitor a separate file that I write the PowerShell transcript to in one hit which the agent should pick up on?
I used a slightly different manner to get around this issue and still using the PowerShell Transcript function.
Essentially the Start-Transcript command writes to a "temp" log file. At each exit point in the script after the transcript has stopped I then get-content of the "temp" log file and append that to the end of a "permanent" log file. With the append command, I also specified UTF8 encoding. Log Insight only monitors the "permanent" log file and now does exactly what I wanted.
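One way to implement the temp-file approach described in the post above, as an added example that is not the poster's own script. `Invoke-WithTranscript` and both paths are hypothetical; a `try`/`finally` block stands in for repeating the copy at each exit point.

```powershell
# Added example: function name and paths are hypothetical.
function Invoke-WithTranscript {
    param(
        [Parameter(Mandatory)] [scriptblock] $Script,
        [Parameter(Mandatory)] [string] $PermanentLog   # the only file the agent monitors
    )
    # Temp transcript lives outside the monitored directory, so the agent
    # never reads a transcript that is still being written.
    $tempName = 'transcript-{0}.txt' -f [guid]::NewGuid()
    $tempLog  = Join-Path ([System.IO.Path]::GetTempPath()) $tempName

    Start-Transcript -Path $tempLog | Out-Null
    try {
        & $Script
    }
    finally {
        # Runs on every exit path, including terminating errors.
        Stop-Transcript | Out-Null
        if (Test-Path -LiteralPath $tempLog) {
            # -Raw returns the whole transcript as one string, so the finished
            # transcript is appended with a single Add-Content call.
            $text = Get-Content -LiteralPath $tempLog -Raw
            Add-Content -LiteralPath $PermanentLog -Value $text -Encoding UTF8
            Remove-Item -LiteralPath $tempLog
        }
    }
}

# Usage with assumed paths: the script body is whatever the transcript should cover.
Invoke-WithTranscript -PermanentLog 'D:\Logs\VmConfigTrigger\transcript.log' -Script {
    Write-Output 'vmConfigTrigger run starts'
    # ... script work here; a thrown error still ends up in the permanent log ...
}
```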