EUCweb / BIS-F

Base Image Script Framework (BIS-F)
https://eucweb.com
GNU General Public License v3.0

EventLog is moved, but Path is never changed #42

Open matthias-schlimm opened 6 years ago

matthias-schlimm commented 6 years ago

Issues with Event log redirections on some Projects, I believe the commonality is IF BIS-F is run to move the event logs to say "D:" but then that needs to be changed to "E" - I am not sure why, but it only changes some event logs and leaves the rest broken

Fix it with the following script https://gallery.technet.microsoft.com/scriptcenter/Change-the-path-of-the-f86d2427

EUCweb commented 6 years ago

```powershell
Function Set-EventlogPath ([string]$Computername=$env:COMPUTERNAME,[string]$NewLogDir)
{
    # System.Diagnostics.Eventing.Reader lives in System.Core on Windows PowerShell
    Add-Type -AssemblyName System.Core
    $Eventlogsession = New-Object System.Diagnostics.Eventing.Reader.EventLogSession -ArgumentList $Computername
    Foreach($LogName in $Eventlogsession.GetLogNames())    {
        $Eventlogconfig = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration -ArgumentList $LogName,$Eventlogsession
        $Logfilepath = $Eventlogconfig.LogFilePath
        $Logfile = Split-Path $Logfilepath -Leaf
        $NewLogFilePath = "$NewLogDir\$Logfile"

        Write-Host -ForegroundColor Yellow $LogName,$Logfilepath,$Eventlogconfig.LogType

        # Debug and Analytical logs must be disabled before their path can be changed
        if (($Eventlogconfig.LogType -eq "Debug" -or $Eventlogconfig.LogType -eq "Analytical") -and $Eventlogconfig.IsEnabled)
        {
            $Eventlogconfig.IsEnabled = $false
            $Eventlogconfig.SaveChanges()

            $Eventlogconfig.LogFilePath = $NewLogFilePath
            $Eventlogconfig.SaveChanges()

            $Eventlogconfig.IsEnabled = $true
            $Eventlogconfig.SaveChanges()
        }
        else
        {
            $Eventlogconfig.LogFilePath = $NewLogFilePath
            $Eventlogconfig.SaveChanges()
        }
    }
}
```

EUCweb commented 6 years ago

```powershell
function Move-EvtLogs
{
    <#
    .Synopsis
       Enable all Eventlog and move Eventlogs to E:\Eventlogs
    .DESCRIPTION
    .EXAMPLE
       Example of how to use this cmdlet
    .EXAMPLE
       Another example of how to use this cmdlet
    .INPUTS
       Inputs to this cmdlet (if any)
    .OUTPUTS
       Output from this cmdlet (if any)
    .NOTES
        Author: Matthias Schlimm
        Company: Login Consultants Germany GmbH

        History
        Last Change: 29.07.2017 MS: function created, thx to Bernd Braun
        Last Change: 01.08.2017 MS: if custom eventlog folder is enabled in ADMX; use this instead of BIS-F standard
        Last Change: 02.08.2017 MS: change to new ADMX structure to get custom EventLog foldername
        Last Change: 11.11.2017 MS: Bugfix, show the right Eventlog during move to the WCD
    .COMPONENT
       The component this cmdlet belongs to
    .ROLE
       The role this cmdlet belongs to
    .FUNCTIONALITY
       Enable all Eventlog and move Eventlogs to the PVS WriteCacheDisk if Redirection is enabled function Use-BISFPVSConfig
    #>

    Write-BISFFunctionName2Log -FunctionName ($MyInvocation.MyCommand | % {$_.Name})  #must be added at the begin to each function

    # test if custom searchfolder is enabled
    IF ($LIC_BISF_CLI_EVTb -eq "1") {$Global:LIC_BISF_EvtPath = "$PVSDiskDrive\$LIC_BISF_CLI_EvtFolder"}

    Write-BISFLog -Msg "Move Eventlogs to the PVS WriteCacheDisk" -ShowConsole -Color Cyan
    If (!(Test-Path -Path $LIC_BISF_EvtPath))
    {
        Write-BISFLog -Msg "Create Eventlog directory $LIC_BISF_EvtPath"
        New-Item -Path $LIC_BISF_EvtPath -ItemType Directory -Force
    }

    # Pass 1: all logs that are currently disabled
    $appvlogs = Get-WinEvent -ListLog "*" -force -ErrorAction SilentlyContinue| Where-Object {$_.IsEnabled -eq $false}
    foreach ($logitem in $appvlogs) {
        $x = $logitem.LogName
        Write-BISFLog -Msg "Eventlog enabled: $x"
        # $logitem.IsEnabled = $true
        $LogfilePath = "$LIC_BISF_EvtPath\" + $logitem.logName + ".evtx"
        $Logfilepath = $LogFilePath.Replace("/", "")
        Write-BISFLog -Msg "Path:`t`t $LogfilePath" -ShowConsole -SubMsg -Color DarkCyan
        $logitem.LogFilePath = $Logfilepath
        Try {
            $logitem.SaveChanges()
        }
        Catch [System.Management.Automation.MethodInvocationException] {
            #$Error | Get-Member
            #$Error.Data
            #$Error.ErrorRecord
            #$Error.Errors
            $x = $_.Exception.Message
            Write-BISFLog -Msg "Error:`t`t $x" -Type W
            #Exit
        }
        Catch {
            $Error[0].Exception.GetType().fullname
        }
        # Write-BISFLog -Msg "`n`n"
    }

    # Pass 2: all logs that are currently enabled
    $appvlogs = Get-WinEvent -ListLog "*" -force -ErrorAction SilentlyContinue| Where-Object {$_.IsEnabled -eq $true}
    foreach ($logitem in $appvlogs) {
        $x = $logitem.LogName
        Write-BISFLog -Msg "Log enabled: $x"
        # $logitem.IsEnabled = $true
        $LogfilePath = "$LIC_BISF_EvtPath\" + $logitem.logName + ".evtx"
        $Logfilepath = $LogFilePath.Replace("/", "")
        Write-BISFLog -Msg "Path:`t`t $LogfilePath" -ShowConsole -SubMsg -Color DarkCyan
        $logitem.LogFilePath = $Logfilepath
        Try {
            $logitem.SaveChanges()
        }
        Catch [System.Management.Automation.MethodInvocationException] {
            #$Error | Get-Member
            #$Error.Data
            #$Error.ErrorRecord
            #$Error.Errors
            $x = $_.Exception.Message
            Write-BISFLog -Msg "Error:`t`t $x" -Type W
            #Exit
        }
        Catch {
            $Error[0].Exception.GetType().fullname
        }
        #Write-BISFLog -Msg "`n`n"
    }

    # Pass 3: enabled SessionBroker logs; these are disabled before the path is changed
    $appvlogs = Get-WinEvent -ListLog "Microsoft-Windows-TerminalServices-SessionBroker-*" -force -ErrorAction SilentlyContinue| Where-Object {$_.IsEnabled -eq $true}
    foreach ($logitem in $appvlogs) {
        $x = $logitem.LogName
        Write-BISFLog -Msg "Log enabled: $x"
        $logitem.IsEnabled = $false
        $LogfilePath = "$LIC_BISF_EvtPath\" + $logitem.logName + ".evtx"
        $Logfilepath = $LogFilePath.Replace("/", "")
        Write-BISFLog -Msg "Path:`t`t $LogfilePath" -ShowConsole -SubMsg -Color DarkCyan
        $logitem.LogFilePath = $Logfilepath
        Try {
            $logitem.SaveChanges()
        }
        Catch [System.Management.Automation.MethodInvocationException] {
            #$Error | Get-Member
            #$Error.Data
            #$Error.ErrorRecord
            #$Error.Errors
            $x = $_.Exception.Message
            Write-BISFLog -Msg "Error:`t`t $x" -Type W
            #Exit
        }
        Catch {
            $Error[0].Exception.GetType().fullname
        }
        #Write-BISFLog -Msg "`n`n"
    }

    # Pass 4: SessionBroker logs that are already disabled
    $appvlogs = Get-WinEvent -ListLog "Microsoft-Windows-TerminalServices-SessionBroker-*" -force -ErrorAction SilentlyContinue| Where-Object {$_.IsEnabled -eq $false}
    foreach ($logitem in $appvlogs) {
        $x = $logitem.LogName
        Write-BISFLog -Msg "Log enabled: $x"
        $LogfilePath = "$LIC_BISF_EvtPath\" + $logitem.logName + ".evtx"
        $Logfilepath = $LogFilePath.Replace("/", "")
        Write-BISFLog -Msg "Path:`t`t $LogfilePath" -ShowConsole -SubMsg -Color DarkCyan
        $logitem.LogFilePath = $Logfilepath
        Try {
            $logitem.SaveChanges()
        }
        Catch [System.Management.Automation.MethodInvocationException] {
            #$Error | Get-Member
            #$Error.Data
            #$Error.ErrorRecord
            #$Error.Errors
            $x = $_.Exception.Message
            Write-BISFLog -Msg "Error:`t`t $x" -Type W
            #Exit
        }
        Catch {
            $Error[0].Exception.GetType().fullname
        }
        #Write-BISFLog -Msg "`n`n"
    }
}
```

matthias-schlimm commented 5 years ago

Can't reproduce this issue on a new image many times. All logs are redirected? The new function, also tested, but it's not working. The redirected logs are stored in the BIS-F installation folder instead of the writeCacheDisk.

Move the issue outside of this Milestone

anometric commented 4 years ago

Hello Matthias, do you still have this set-eventlogpath powershell script? It is not available anymore from that website https://gallery.technet.microsoft.com/scriptcenter/Change-the-path-of-the-f86d2427

Many thanks!

Günther

matthias-schlimm commented 4 years ago

If I open up the url the script is available


anometric commented 4 years ago

OK thanks, but I can only see this: Set-Eventlogpath -Computername <> -NewLogDir <> And Set-Eventlogpath is not recognized on my Windows 10 or Windows 2016 PowerShell. Am I missing something?

EUCweb commented 3 years ago

can't reproduce this issue

anometric commented 3 years ago

Thanks it's OK now!


matthias-schlimm commented 3 years ago

integrated into developer branch

matthias-schlimm commented 3 years ago

the new event log move function in the BISF.psm1 module seems to create a bunch of 1KB .evtx and .etl files under the "C:\Program Files (x86)\Base Image Script Framework (BIS-F)" folder during preparation. It does move the Event Logs to the write cache disk. Needs some further investigation.


Deyda commented 3 years ago

PREP_BISF_WPT_DEUWOXDMA2019_20201223-143025.log PREP_BISF_DEUWOXDMA2019_20201223-143025.log

matthias-schlimm commented 3 years ago

updated developer branch with codefix

EUCweb commented 3 years ago

Re-open it again, on an existing Server 2016 VM where BIS-F 7.129.5 is running before the Eventlogs can't be cleared


Checking the Eventlog path, empty for all eventlogs. No evtx specified


EUCweb commented 3 years ago

Codechange in Move-Evtlog required to fix the issue

coding issue at line '$newLogfile = Split-Path $Logfilepath -Leaf | out-null' -> remove '| out-null' to clear the variable itself


EUCweb commented 3 years ago

update in dev branch
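
An audit for the symptoms reported in this thread (empty log paths, logs left on the old drive, logs written to the BIS-F installation folder), added here as an example and not part of BIS-F or of any comment above. The function name Test-EventLogRedirect and its -ExpectedDir parameter are assumptions; E:\Eventlogs is the target named in the Move-EvtLogs synopsis.

```powershell
# Added example; Test-EventLogRedirect and -ExpectedDir are hypothetical names.
function Test-EventLogRedirect {
    [CmdletBinding()]
    param(
        # Directory the logs were supposed to be moved to
        [Parameter(Mandatory)][string]$ExpectedDir
    )
    $prefix = $ExpectedDir.TrimEnd('\') + '\'
    $logs = Get-WinEvent -ListLog * -Force -ErrorAction SilentlyContinue
    foreach ($log in $logs) {
        # Stored paths usually contain %SystemRoot%; expand before comparing
        $path = if ($log.LogFilePath) {
            [Environment]::ExpandEnvironmentVariables($log.LogFilePath)
        } else { '' }

        $status = if (-not $path) {
            'EmptyPath'          # the state reported on the Server 2016 VM
        } elseif (-not $path.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
            'NotRedirected'      # still on the old drive or in the install folder
        } elseif ($log.IsEnabled -and -not (Test-Path -LiteralPath $path)) {
            'MissingFile'        # enabled channel whose target file was never created
        } else { 'OK' }

        [pscustomobject]@{
            LogName   = $log.LogName
            LogType   = $log.LogType
            IsEnabled = $log.IsEnabled
            Path      = $path
            Status    = $status
        }
    }
}

# Summarise, then list every channel that did not end up where expected
$result = Test-EventLogRedirect -ExpectedDir 'E:\Eventlogs'
$result | Group-Object Status | Select-Object Name, Count
$result | Where-Object Status -ne 'OK' | Sort-Object Status, LogName |
    Format-Table LogName, LogType, IsEnabled, Path -AutoSize
```

Running it after image preparation and again after the first boot from the write cache disk shows whether any channel silently stopped persisting events.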