Query list of servers for a specific event in the log

If you encounter a situation When a KB package was installed, and you may need to get a list of servers that are pending reboot or just to see what systems are affected.


First, identify a system that you know was affected and search Event Viewer for the patching event.
Find the event id



Identify the log name i.e. System or Setup




Now you can use PowerShell to scan all the systems that were affected.



Review comments in code below and make required changes

#Written by Paul Zanbaka

#start time change in order to narrow the date/time
$StartTime=Get-Date -Year 2018 -Month 1 -Day 10 -Hour 12 -Minute 00
$EndTime=Get-Date  -Year 2018 -Month 1 -Day 11 -Hour 14 -Minute 00

#Enter the systems in Scan.txt

foreach ($ServerName in get-content C:\pzscripts\scan.txt) {

#This should be blank text file

$File ="C:\pzscripts\found.txt"

#Change Log Name, Event id and KB number

try {
write-Host $ServerName
Get-WinEvent -FilterHashtable @{logname = 'System'; id = 43;StartTime=$StartTime;EndTime=$EndTime } -ComputerName $ServerName -ErrorAction Stop | Select message |Select-String -SimpleMatch 'KB4038793' -AllMatches
 $ServerName  | Out-File $File  -Append


}
catch [Exception] {
        if ($_.Exception -match "No events were found that match the specified selection criteria") {
        Write-Host "No events found" -ForegroundColor red;
                 }
    }


Comments

Post a Comment

Popular posts from this blog

SCORCH 2016 Migration issue: an error occurred saving the activity to the data store Please check the orchestrator management service trace logs

Issue  After migrating to System Center Orchestrator 2016,  you encounter this error: An error occurred saving the activity to the data store Please check the orchestrator management service trace logs  The Management Service log (C:\ProgramData\Microsoft System Center 2012\Orchestrator\ManagementService.exe\Logs) contains only thes line for every attempt 2015-10-15 12:45:02 [3752] 1 COpalisManager::ModifyObject::CheckAccess (HRESULT=0x80070005) 2015-10-15 13:16:09 [3176] 1 COpalisManager::ModifyObject::CheckAccess (HRESULT=0x80070005) 2015-10-15 13:17:21 [3176] 1 COpalisManager::ModifyObject::CheckAccess (HRESULT=0x80070005) Cause This happens because the Runbook has an Email activity with attachment. This is a known bug with System Center Orchestrator 2016. Workaround If you only have few runbooks with  Email activity with attachment .you can perfrom these 2 workarounds: 1)  You need to remove the attachements and re-add in order to ch...
Read more

Useful Orchestrator T-SQL Queries

In this article, I will share some useful T-SQL queries for Orchestrator 2012. --List all active Runbooks in your environment SELECT       [Name]       FROM [Orchestrator].[dbo].[POLICIES]   where [Deleted] = '0' --Find Runbook/Parameter GUIDs for Web Service call Select lower(POLICIES.UniqueID) as RunbookID, lower(CUSTOM_START_PARAMETERS.UniqueID) as ParameterID, CUSTOM_START_PARAMETERS.value From POLICIES INNER JOIN OBJECTS  on POLICIES.UniqueID = OBJECTS.ParentID LEFT OUTER JOIN CUSTOM_START_PARAMETERS on OBJECTS.UniqueID = CUSTOM_START_PARAMETERS.ParentID Where POLICIES.Name = 'CloseIncident' and policies.deleted = 0 --List  Runbooks are currently running SELECT J.[RunbookId], P.[Name], A.[Computer] FROM [Orchestrator].[Microsoft.SystemCenter.Orchestrator.Runtime.Internal].[Jobs] J INNER JOIN [dbo].POLICIES P ON J.RunbookId = P.UniqueID INNER JOIN [dbo].[ACTIONSERVERS] A ON J.RunbookServerId = A.UniqueID WHER...
Read more

Error in Orchestrator Web console and Web Service after moving Database

Image
I encountered these errors with Orchestrator Web console and Web Service Web console Errors: 1) Error executing the current operation [Arg_SecurityException] [ httpWebRequest_WebException_RemoteServer] Arguments: NotFound Debugging resource strings are unavailable. Often the key and arguments provide sufficient information to diagnose the problem 2) Error executing the current operation. Web Service Error: Orchestrator server encountered an error processing the request. The exception message is 'Keyword not supported: 'server'.'. See server logs for more details This happened after moving the database server. However, I have used the same process to fix issues with Web Console after a new installation. I updated the Data Store Configuration and the connection string in IIS Manager. This was recommended by this post: https://social.technet.microsoft.com/Forums/en-US/c3afc430-5811-4c8c-a797-79c98459d792/console-fails-to-open-error-executi...
Read more