Monday, February 13, 2012

Skimming a Hyper-V Service Event log with PowerShell

We are all used to opening up our friend the EventLog Viewer GUI.

But what do you do when you don’t have the GUI (Server Core or Hyper-V Server for example)?  How do you get to those trusted events?

Well, PowerShell of course!  And there are even two different cmdlets to get there.

Get-EventLog and Get-WinEvent

Get-EventLog focuses on the top-level event logs: Application, System, PowerShell, Security.

Get-WinEvent can get you anything, any event log. The hardest part is identifying the log names to hand to Get-WinEvent.

Recently I have been focused on disk conversion, so let's focus on that. VHD conversion events are in the Hyper-V Image Management event log, under the Operational log.

The Hyper-V Image Management service manages VHDs (disk images), and it is also an event provider.

If you type:

get-winevent -ProviderName "Microsoft-Windows-Hyper-V-Image-Management-Service"

you will get all events from that provider, both Admin and Operational. In my case I only want Operational events, so I can go directly to that log:

get-winevent -LogName Microsoft-Windows-Hyper-V-Image-Management-Service-Operational

I cheated when I went looking for the logs: you can't browse them like the tree view in the GUI. I used the GUI on one server to locate the log I needed, and I inferred its name from the Properties screen.

The EventIds that I care about are:

  • 15110 - creating a VHD
  • 15111 - successfully created (finished creating)
  • 15106 - converting a VHD from dynamic to fixed
  • 15107 - successfully converted (finished converting)
  • And any failures, but I didn't find any

What I know is that I have a VM name from the SCVMM job log, and I want to find the corresponding Hyper-V event(s). That should give me something to filter on. In the GUI I see the information on the General tab; in the event object this is the Message property.

get-winevent -LogName Microsoft-Windows-Hyper-V-Image-Management-Service-Operational | where {$_.Message -match "Xd1kD0229"}

In my case the name of the VM is “Xd1kD0229”, and searching the Message of each event gives me every instance where this string of characters occurs. In most of the events it is a folder in the literal path of the VHD file.
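The following script is an added example and not part of the original post. It puts the pieces above together: it finds the Image Management log by wildcard with Get-WinEvent -ListLog (so you do not have to infer the name from the GUI), pulls only the four create/convert EventIds with a server-side -FilterHashtable instead of piping every event through Where-Object, narrows to one VM by matching its name in the Message, and then pairs each start event (15110, 15106) with its matching finish event (15111, 15107) to report how long each operation took and to flag any operation that started but never finished. The VM name is a placeholder taken from the post; the log name and EventIds are the ones listed above.

```powershell
# Added example (not from the original post): skim the Hyper-V Image Management
# operational log for one VM's VHD create/convert events and pair start with finish.
# Assumptions: run on a Hyper-V host where this log exists; $VmName is a placeholder.

$VmName  = 'Xd1kD0229'   # placeholder: the VM folder name seen in the SCVMM job log
$LogName = 'Microsoft-Windows-Hyper-V-Image-Management-Service-Operational'

# 1. Locate the log without the GUI. -ListLog accepts wildcards, so the log name
#    can be searched for rather than guessed from the Properties screen.
Get-WinEvent -ListLog '*Hyper-V-Image-Management*' |
    Select-Object LogName, RecordCount, IsEnabled

# 2. Filter on the provider side. The Id key of -FilterHashtable takes an array,
#    so only the events of interest are read from the log at all.
$Ids    = 15110, 15111, 15106, 15107
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $Ids } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($VmName) } |   # escape in case a name contains regex metacharacters
    Sort-Object TimeCreated

# Start -> finish pairs as described in the post, plus readable labels.
$pairs  = @{ 15110 = 15111; 15106 = 15107 }
$labels = @{ 15110 = 'Create VHD'; 15106 = 'Convert dynamic to fixed' }

# 3. Walk the events in time order; remember each start until its finish arrives.
$pending = @{}
foreach ($e in $events) {
    if ($pairs.ContainsKey($e.Id)) {
        # A start event: park it under the Id of the finish event we expect next.
        $pending[$pairs[$e.Id]] = $e
    }
    elseif ($pending.ContainsKey($e.Id)) {
        # A finish event with a matching start: emit one row per operation.
        $start = $pending[$e.Id]
        [pscustomobject]@{
            Operation = $labels[$start.Id]
            Started   = $start.TimeCreated
            Finished  = $e.TimeCreated
            Duration  = $e.TimeCreated - $start.TimeCreated
            Message   = $e.Message
        }
        $pending.Remove($e.Id)
    }
}

# Anything left in $pending started but never logged a finish. The post found no
# explicit failure events, so this is the place to look for a stalled or failed job.
foreach ($s in $pending.Values) {
    Write-Warning ("{0} started at {1} but no finish event was found" -f $labels[$s.Id], $s.TimeCreated)
}
```

Run it from a PowerShell session on the Hyper-V host. The -ErrorAction SilentlyContinue on Get-WinEvent matters: when no events match a hashtable filter the cmdlet raises a non-terminating error rather than returning an empty list, and suppressing it lets the rest of the script simply report nothing.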

Now, how might you get PowerShell enabled on Server Core or Hyper-V Server?

At the command prompt you can add the PowerShell and .NET features (note that DISM takes the feature name directly after the colon, with no space):

DISM /Online /Enable-Feature /FeatureName:NetFx2-ServerCore

DISM /Online /Enable-Feature /FeatureName:NetFx3-ServerCore

DISM /Online /Enable-Feature /FeatureName:MicrosoftWindowsPowerShell

You can then launch PowerShell in the same shell session:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
