Solved: Re: Restart information

NeenaJim · ‎10-30-2020

Hello,

Can someone please help me to how to find the restart information (Windows servers) such as: Date and time and who performed the task

I can get this last reboot information. But here I am looking the reboot information for past 6 months

is it possible via a script ?

LucD · ‎10-30-2020

This seems to work for me

Get-EventLog -LogName System |? {$_.EventID -eq 1074} |

ForEach-Object -Process {

$type = Select-String -InputObject $_.Message -Pattern "Shutdown Type: ([\w ]+)" | foreach{$_.Matches[0].Groups[1].Value}

if($type -eq 'restart'){

New-Object -TypeName PSObject -Property @{

Station = $_.MachineName

Date = $_.TimeGenerated

User = $_.UserName

}

Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference

View solution in original post

LucD · ‎10-30-2020

You have 2 options, you can look from the outside (with Get-VIEvent) and from inside the OS (Get-EventLog).

With Get-VIEvent cmdlet you would be looking for all VMGuestRebootEvent

Note that your vCenter needs to be configured to keep events that long.

$start = (Get-Date).AddMonths(-6)

Get-VIEvent -Start $start -MaxSamples ([int]::MaxValue) |

where{$_ -is [VMware.Vim.VMguestRebootEvent]} |

Select CreatedTime,@{N='VM';E={$_.VM.Name}},UserName

Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference

NeenaJim · ‎10-30-2020

Hello LucD,

Thank you for your response!

Here I am looking for a powershell script that I can run inside the OS.

Do you know what would be that?

LucD · ‎10-30-2020

Have a look at Windows Server restart / shutdown history - Server Fault

Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference

NeenaJim · ‎10-30-2020

Hello LucD

I already ran that coI ran that command and they are just showing the last restart information.

Get-EventLog -LogName System |? {$_.EventID -in (6005,6006,6008,6009,1074,1076)} | ft TimeGenerated,EventId,Message -AutoSize –wrap

LucD · ‎10-30-2020

This seems to work for me

Get-EventLog -LogName System |? {$_.EventID -eq 1074} |

ForEach-Object -Process {

$type = Select-String -InputObject $_.Message -Pattern "Shutdown Type: ([\w ]+)" | foreach{$_.Matches[0].Groups[1].Value}

if($type -eq 'restart'){

New-Object -TypeName PSObject -Property @{

Station = $_.MachineName

Date = $_.TimeGenerated

User = $_.UserName

}

Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference

NeenaJim · ‎10-30-2020

Hello LucD

Your script is working fine. Thank you for that. But the date is not showing completely. Can you please correct that too ?

LucD · ‎10-30-2020

That's due to the screen formatting.
Try feeding it to Format-Table, like this (the last line)

} | format-table -AutoSize

or just show it in a grid on screen

} | Out-GridView

Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference

NeenaJim · ‎10-30-2020

Hello LucD,

Thank you very much. That works.

Last question:

Is it possible to run this script against a different server (Eg Server name: 'Test1') from my local system ?

LucD · ‎10-30-2020

Use ComputerName on the Get-EventLog cmdlet.

Get-EventLog -ComputerName <name> -LogName System |? {$_.EventID -eq 1074} |

ForEach-Object -Process {

$type = Select-String -InputObject $_.Message -Pattern "Shutdown Type: ([\w ]+)" | foreach{$_.Matches[0].Groups[1].Value}

if($type -eq 'restart'){

New-Object -TypeName PSObject -Property @{

Station = $_.MachineName

Date = $_.TimeGenerated

User = $_.UserName

}

} | Out-GridView

Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference

All

Restart information