Eventlogs

Get-EventLog -List
Get-EventLog -list | Where-Object {$_.logdisplayname -eq "System"}
Get-EventLog -LogName _____ -Newest ___ -EntryType Warning,Error | Group-Object eventid | Sort-Object Name
Get-EventLog -LogName Application | fl source | findstr -i nutanix | select -uniq

  • Get-EventLog -LogName Application -Source NutanixHostAgent, NutanixCvmConsole, NutanixDiskMonitor -EntryType Warning,Error -Newest 10 | fl
  • Get-EventLog -LogName Application -Source *nutanix* -EntryType Warning,Error -Newest ____ | fl
Get-WinEvent -ListProvider * | fl Name | findstr -i nutanix
Name : Nutanix Disk Monitor
Name : NutanixCvmConsole
Name : NutanixDiskMonitor
Name : NutanixHostAgent
Get-WinEvent -ListProvider * | fl Name | findstr -i hyper
Name : Microsoft-Windows-Hyper-V-Config
Name : Microsoft-Windows-Hyper-V-EmulatedNic
Name : Microsoft-Windows-Hyper-V-Netvsc
Name : Microsoft-Windows-Hyper-V-Integration
Name : Microsoft-Windows-Hyper-V-Worker
Name : Microsoft-Windows-Hyper-V-Hypervisor
Name : Microsoft-Windows-Hyper-V-VID
Name : Microsoft-Windows-Hyper-V-SynthFcVdev
Name : Microsoft-Windows-Hyper-V-Integration-GuestInterface
Name : Microsoft-Windows-Hyper-V-VMMS
Name : Microsoft-Windows-Hyper-V-High-Availability
Name : Microsoft-Windows-Hyper-V-VmSwitch
Name : Microsoft-Windows-Hyper-V-Integration-VSS
Name : Microsoft-Windows-Hyper-V-Integration-KvpExchange
Name : Microsoft-Windows-Hyper-V-Shared-VHDX
Name : Microsoft-Windows-Hyper-V-Integration-Shutdown
Name : Microsoft-Windows-Hyper-V-SynthNic
Name : Microsoft-Windows-Hyper-V-SynthStor
Name : Microsoft-Windows-Hyper-V-Integration-TimeSync
Name : Microsoft-Windows-Hyper-V-Integration-RDV

Event Channel {Hyper-v}

  1. Hyper-V-Config: This section is for anything that relates to virtual machine configuration files. If you have a missing or corrupt virtual machine configuration file, there will be entries here that tell you all about it.
  2. Hyper-V-High-Availability: This section tells you about actions and changes that happen because of Hyper-V clustering.
  3. Hyper-V-Hypervisor: This section is used for hypervisor-specific events. You will usually only need to look here if the hypervisor fails to start; detailed information about the failure is logged here.
  4. Hyper-V-Image-Management-Service: This section is used by the image management service to log information about virtual hard disk operations, such as creating, converting and editing virtual hard disks. If you have problems creating or editing a virtual hard disk, look here.
  5. Hyper-V-Integration: This section is used to log events that relate specifically to integration services.
  6. Hyper-V-Network: This section is used for events relating to virtual networks. You will see information about the creation and configuration of virtual networks here (as opposed to virtual network adapters).
  7. Hyper-V-SynthNic: This is the section where information about virtual network adapters is logged. You will see entries here each time a virtual machine with virtual network adapters powers up. You will also see entries here if a virtual machine fails to power on because of a configuration issue with its network adapters.
  8. Hyper-V-SynthStor: This section covers virtual hard disks that are associated with running virtual machines (it is the storage equivalent of the SynthNic section).
  9. Hyper-V-VMMS: This section is where the virtual machine management service files its events.
  10. Hyper-V-Worker: This section is used by the worker process that does the actual running of the virtual machine.

Get-WinEvent -ListLog * | findstr -i hyper
(columns: LogMode, MaximumSizeInBytes, RecordCount, LogName)
Circular             1052672           0 Microsoft-Windows-Hyper-V-Config-Admin
Circular             1052672           0 Microsoft-Windows-Hyper-V-Config-Operational
Circular             1052672           0 Microsoft-Windows-Hyper-V-EmulatedNic-Admin
Circular             1052672           0 Microsoft-Windows-Hyper-V-High-Availability-Admin
Circular             1052672           0 Microsoft-Windows-Hyper-V-Hypervisor-Admin
Circular             1052672           8 Microsoft-Windows-Hyper-V-Hypervisor-Operational
Circular             1052672          21 Microsoft-Windows-Hyper-V-Integration-Admin
Circular             1052672           2 Microsoft-Windows-Hyper-V-Shared-VHDX/Operational
Circular             1052672           0 Microsoft-Windows-Hyper-V-Shared-VHDX/Reservation
Circular             1052672           0 Microsoft-Windows-Hyper-V-SynthFc-Admin
Circular             1052672          28 Microsoft-Windows-Hyper-V-SynthNic-Admin
Circular             1052672           0 Microsoft-Windows-Hyper-V-SynthStor-Admin
Circular             1052672           0 Microsoft-Windows-Hyper-V-SynthStor-Operational
Circular             1052672           0 Microsoft-Windows-Hyper-V-VID-Admin
Circular             1052672          44 Microsoft-Windows-Hyper-V-VMMS-Admin
Circular             1052672          11 Microsoft-Windows-Hyper-V-VMMS-Networking
Circular             1052672           0 Microsoft-Windows-Hyper-V-VMMS-Operational
Circular             1052672           0 Microsoft-Windows-Hyper-V-VMMS-Storage
Circular             1052672           0 Microsoft-Windows-Hyper-V-VmSwitch-Operational
Circular             1052672          22 Microsoft-Windows-Hyper-V-Worker-Admin
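The -ListLog output above shows most Hyper-V channels at the 1052672-byte (about 1 MB) circular default, which overwrites quickly on a busy host, and the Diagnostic channels are analytic/debug logs that are disabled unless someone turns them on. The function below is an added example, not code from the original page; it surveys the channels by wildcard and flags the ones that would not retain much evidence. The log name patterns and the 16 MB threshold are assumptions.

```powershell
# Added example (not from the original page): survey the Hyper-V, cluster and SMB
# channels listed above, showing whether each is enabled, its type, size and
# record count, with a note where retention or readability needs attention.
# Log name patterns and the size threshold are assumptions; adjust as needed.
function Get-ChannelStatus {
    [CmdletBinding()]
    param(
        [string[]]$LogPattern = @('Microsoft-Windows-Hyper-V-*',
                                  'Microsoft-Windows-FailoverClustering*',
                                  'Microsoft-Windows-Smb*'),
        # Flag circular logs smaller than this; the 1052672-byte default seen in
        # the -ListLog output is about 1 MB and rolls over fast on a busy host.
        [long]$MinSizeBytes = 16MB
    )
    foreach ($pattern in $LogPattern) {
        # -ListLog accepts wildcards; logs this account cannot read are skipped.
        Get-WinEvent -ListLog $pattern -ErrorAction SilentlyContinue | ForEach-Object {
            $log  = $_
            $note = @()
            if (-not $log.IsEnabled) { $note += 'disabled' }
            # Analytic/Debug channels must be read with Get-WinEvent -Oldest
            if ($log.LogType -in 'Analytical', 'Debug') { $note += 'analytic/debug: read with -Oldest' }
            if ($log.LogMode -eq 'Circular' -and $log.MaximumSizeInBytes -lt $MinSizeBytes) {
                $note += 'small circular log: consider raising MaximumSizeInBytes'
            }
            [pscustomobject]@{
                LogName   = $log.LogName
                Type      = $log.LogType
                Enabled   = $log.IsEnabled
                Mode      = $log.LogMode
                MaxSizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
                Records   = $log.RecordCount
                LastWrite = $log.LastWriteTime
                Note      = ($note -join '; ')
            }
        }
    }
}

# Usage: list only the channels with something to fix, sorted by name
Get-ChannelStatus | Where-Object Note | Sort-Object LogName | Format-Table -AutoSize
```

Raising a channel's size is a configuration change on the host (for example `wevtutil sl <LogName> /ms:<bytes>` from an elevated prompt), so treat the output as a checklist to agree with the platform owner rather than something to apply blindly.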

Get-WinEvent -ListProvider * | fl Name | findstr -i failover
Name : Microsoft-Windows-FailoverClustering-WMIProvider
Name : Microsoft-Windows-FailoverClustering-Manager
Name : Microsoft-Windows-FailoverClustering-CsvFlt-Diagnostic
Name : Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Name : Microsoft-Windows-FailoverClustering-Client
Name : Microsoft-Windows-FailoverClustering

Event Channels {WFC}

FailoverClustering

      • Diagnostic. This is the main log that’s circular in nature and runs anytime the cluster service starts. Events can be read in the Event Viewer if logging is disabled. They can also be converted to text file format.
      • Operational. Any informational cluster events are registered in this log, such as groups moving, going online, or going offline.
      • Performance-CSV. This channel is used to collect information pertaining to the functionality of Cluster Shared Volumes (CSVs).

FailoverClustering-Client

      • Diagnostic. This channel collects Cluster API trace logging. This log can be useful in troubleshooting the Create Cluster and Add Node Cluster actions.

FailoverClustering-CsvFlt (new in Server 2012)

      • Diagnostic. This channel collects trace logging for the CSV Filter Driver (CsvFlt.sys) that is mounted only on the coordinator node for a CSV. This channel provides information regarding metadata operations and redirected I/O operations.

FailoverClustering-CsvFs (new in Server 2012)

      • Diagnostic. This channel collects trace logging for the CSV File System Driver (CsvFs.sys), which is mounted on all nodes in the cluster. This channel provides information regarding direct I/O operations.

FailoverClustering-Manager

      • Admin. This channel collects errors associated with dialog boxes and pop-up warnings that are displayed in Failover Cluster Manager.

FailoverClustering-WMIProvider

      • Admin. This channel collects events associated with the Failover Cluster WMI provider.
      • Diagnostic. This channel collects trace logging associated with the Failover Cluster WMI provider. It can be useful when troubleshooting Windows Management Instrumentation (WMI) scripts or Microsoft System Center applications.
 
Get-WinEvent -ListLog * | findstr -i cluster
(columns: LogMode, MaximumSizeInBytes, RecordCount, LogName)
Circular             1052672           0 Microsoft-Windows-ClusterAwareUpdating-Management/Admin
Circular             1052672           0 Microsoft-Windows-ClusterAwareUpdating/Admin
Circular             1052672           0 Microsoft-Windows-FailoverClustering-CsvFs/Operational
Circular             1052672        1540 Microsoft-Windows-FailoverClustering-Manager/Admin
Circular            52428800             Microsoft-Windows-FailoverClustering-Manager/Diagnostic
Circular           104857600             Microsoft-Windows-FailoverClustering-Manager/Tracing
Circular             1052672           0 Microsoft-Windows-FailoverClustering-WMIProvider/Admin
Circular           314572800           0 Microsoft-Windows-FailoverClustering/Diagnostic
Circular             1052672           0 Microsoft-Windows-FailoverClustering/Operational
The following blog may be handy when gathering or browsing WFC-related logs.


Get-WinEvent -ListProvider * | fl Name | findstr -i smb
Name : mrxsmb
Name : Microsoft-Windows-SMBWitnessClient
Name : Microsoft-Windows-SmbWmiProvider
Name : Microsoft-Windows-SMBClient
Name : Microsoft-Windows-SMBWitnessService
Name : Microsoft-Windows-SMBServer
Name : Microsoft-Windows-SMBDirect
 
Get-WinEvent -ListLog * | findstr -i smb
(columns: LogMode, MaximumSizeInBytes, RecordCount, LogName)
Circular             8388608         202 Microsoft-Windows-SmbClient/Connectivity
Circular             1052672           0 Microsoft-Windows-SMBClient/Operational
Circular             8388608           0 Microsoft-Windows-SmbClient/Security
Circular             1052672           0 Microsoft-Windows-SMBDirect/Admin
Circular             1052672           0 Microsoft-Windows-SMBServer/Connectivity
Circular             1052672         498 Microsoft-Windows-SMBServer/Operational
Circular             1052672           0 Microsoft-Windows-SMBServer/Security
 
Some helpful articles:

For example (findstr treats the space-separated words as alternatives, so "Warning Error" matches lines containing either word):

Get-WinEvent -LogName Microsoft-Windows-Hyper-V-Worker-Admin | findstr -i "Warning Error"      # Warning or Error
Get-WinEvent -LogName Microsoft-Windows-Hyper-V-Worker-Admin | findstr -i -v "Warning Error"   # neither Warning nor Error
Get-WinEvent -LogName Microsoft-Windows-Hyper-V-Worker-Admin | Select-Object -First 100 | findstr -i -v Information   # the newest 100 events, anything except Information

To collect the HA traces or all event logs, use the following commands; they also cover enabling the diagnostic channel.

Logs usually needed when you start troubleshooting Hyper-V nodes:

System, Application, and Cluster Operational Event Logs (Exported to CSV):

Get-Eventlog system | sort-object timegenerated | select-object timegenerated,entrytype,machinename,eventid,source,username,message | export-csv c:\diag\system.csv -notype

Get-Eventlog application | sort-object timegenerated | select-object timegenerated,entrytype,machinename,eventid,source,username,message | export-csv   c:\diag\application.csv -notype

Hyper-v & other cluster logs

Get-winevent -logname microsoft-windows-failoverclustering/operational | sort-object timeCreated | select-object timecreated, machinename, id, ContainerLog, LevelDisplayName, userid, message | export-csv c:\diag\failoverclustering-operational.csv -notype

Get-winevent -logname microsoft-windows-Hyper-V-VMMS-ADMIN | sort-object timeCreated | select-object timecreated, machinename, id, ContainerLog, LevelDisplayName, userid, message | export-csv c:\diag\Hyper-V-VMMS-ADMIN.csv -notype

Get-winevent -logname microsoft-windows-Hyper-V-VMMS-operational | sort-object timeCreated | select-object timecreated, machinename, id, ContainerLog, LevelDisplayName, userid, message | export-csv c:\diag\Hyper-V-VMMS-operational.csv -notype

Get-winevent -logname microsoft-windows-Hyper-V-Worker-ADMIN | sort-object timeCreated | select-object timecreated, machinename, id, ContainerLog, LevelDisplayName, userid, message | export-csv c:\diag\Hyper-V-Worker-Admin.csv -notype

List of installed Windows Updates and Hotfixes:

wmic qfe list brief /format:texttablewsys >c:\diag\hotfix.txt

List of filter drivers:

fltmc >c:\diag\fltmc.txt
fltmc instances >>c:\diag\fltmc.txt

System Information:

msinfo32 /nfo c:\diag\msinfo32.nfo
or 
systeminfo > c:\diag\systeminfo.txt
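The commands above are the collection set typed one at a time. The script below is an added example, not the page's own script; it gathers the same set into one folder, reads analytic/debug channels correctly (they must be enabled first and read with -Oldest, which is the "enabling the diagnostic channel" step mentioned above), and writes a SHA-256 manifest so the bundle can be verified after it is copied off the host. The output folder, the channel list and the use of Get-WinEvent for the classic System and Application logs are assumptions.

```powershell
# Added example (not the page's own script): collect the troubleshooting set above
# into one folder with an integrity manifest. Defaults are assumptions; run from an
# elevated shell so every channel is readable and diagnostic channels can be enabled.
param(
    [string]$OutDir = 'C:\diag',
    [string[]]$Channel = @(
        'Microsoft-Windows-FailoverClustering/Operational',
        'Microsoft-Windows-Hyper-V-VMMS-Admin',
        'Microsoft-Windows-Hyper-V-VMMS-Operational',
        'Microsoft-Windows-Hyper-V-Worker-Admin',
        'Microsoft-Windows-SmbClient/Connectivity'
    ),
    # Analytic/debug channels to switch on before reading, e.g.
    # 'Microsoft-Windows-FailoverClustering/Diagnostic' (off by default).
    [string[]]$EnableDiagnostic = @()
)
$null   = New-Item -ItemType Directory -Path $OutDir -Force
$fields = 'TimeCreated', 'MachineName', 'Id', 'ContainerLog', 'LevelDisplayName', 'UserId', 'Message'

foreach ($diag in $EnableDiagnostic) {
    $cfg = Get-WinEvent -ListLog $diag -ErrorAction Stop
    if (-not $cfg.IsEnabled) { $cfg.IsEnabled = $true; $cfg.SaveChanges() }
}

# Classic logs: Get-EventLog only exists in Windows PowerShell 5.1, so Get-WinEvent is used
foreach ($classic in 'System', 'Application') {
    Get-WinEvent -LogName $classic -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object $fields |
        Export-Csv -Path (Join-Path $OutDir "$classic.csv") -NoTypeInformation
}

foreach ($name in $Channel + $EnableDiagnostic) {
    $cfg = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
    if (-not $cfg) { Write-Warning "channel not present: $name"; continue }
    $readArgs = @{ LogName = $name; ErrorAction = 'SilentlyContinue' }
    # Analytic and Debug channels can only be read oldest-first
    if ($cfg.LogType -in 'Analytical', 'Debug') { $readArgs.Oldest = $true }
    $file = Join-Path $OutDir (($name -replace '[\\/:]', '-') + '.csv')
    Get-WinEvent @readArgs | Sort-Object TimeCreated | Select-Object $fields |
        Export-Csv -Path $file -NoTypeInformation
}

# Host context: installed updates, filter drivers, system summary
Get-HotFix | Sort-Object InstalledOn |
    Export-Csv -Path (Join-Path $OutDir 'hotfix.csv') -NoTypeInformation
$fltFile = Join-Path $OutDir 'fltmc.txt'
fltmc | Out-File -FilePath $fltFile
fltmc instances | Out-File -FilePath $fltFile -Append
systeminfo | Out-File -FilePath (Join-Path $OutDir 'systeminfo.txt')

# Integrity manifest: SHA-256 of every collected file, so the bundle can be verified later
Get-ChildItem -Path $OutDir -File | Where-Object Name -ne 'manifest.sha256.csv' |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, @{ n = 'File'; e = { Split-Path $_.Path -Leaf } } |
    Export-Csv -Path (Join-Path $OutDir 'manifest.sha256.csv') -NoTypeInformation
```

Save it as, for example, Collect-HostLogs.ps1 and run it once per node; the manifest is what the receiving side recomputes with Get-FileHash to confirm nothing changed in transit. Enabling a Diagnostic channel is a configuration change on the host, so switch it off again with the same IsEnabled/SaveChanges pattern once the traces are collected.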

Applications and Services logs ->Microsoft->Windows

Failover Clustering logs
Hyper-V worker logs
Hyper-V VMMs logs
Hyper-V logs
SMB-Client logs

PowerShell event logs: the same logs can be viewed from the CLI with PowerShell commands.

Hyper-v logs 
Get-WinEvent -FilterHashTable @{LogName ="Microsoft-Windows-Hyper-V*"}
Get-WinEvent -FilterHashTable @{LogName ="Microsoft-Windows-Hyper-V*";StartTime=(Get-Date).AddDays(-1); Level=1}
or 
Get-WinEvent -FilterHashTable @{LogName ="Microsoft-Windows-Hyper-V*";StartTime="___";EndTime="___"}

FailoverClustering
Get-WinEvent -FilterHashTable @{LogName ="Microsoft-Windows-FailoverClustering*"}
Get-WinEvent -FilterHashTable @{LogName ="Microsoft-Windows-FailoverClustering*";StartTime=(Get-Date).AddDays(-1);Level=1}
or
Get-WinEvent -FilterHashTable @{LogName ="Microsoft-Windows-FailoverClustering*";StartTime="___";EndTime="___"}

SMB
Get-WinEvent -FilterHashTable @{LogName ="Microsoft-Windows-SmbClient*"}
Get-WinEvent -FilterHashTable @{LogName ="Microsoft-Windows-SmbClient*";StartTime=(Get-Date).AddDays(-1);Level=1}
or 
Get-WinEvent -FilterHashTable @{LogName ="Microsoft-Windows-SmbClient*";StartTime="___";EndTime="___"}

StartTime and EndTime are DateTime values in PowerShell. There are a few ways of providing them:
(Get-Date).AddDays(-2) is 2 days (48 hours) before the current moment.
(Get-Date).AddHours(-2) is 2 hours before the current moment.
Get-Date -Day 2 -Hour 12 takes the current date and changes the day to the 2nd and the hour to 12.

Get-WinEvent -FilterHashTable @{LogName ="Microsoft-Windows-Hyper-V*"; StartTime = (Get-Date).AddDays(-2); Level = 2,3}

ProviderName selects the source we need. As shown in Event Viewer, we can look for Failover Clustering, Hyper-V Worker, VMMS and so on; "*" means all providers.

Level selects the severity of the events:

1 - Critical
2 - Error
3 - Warning
4 - Information
If Level is not provided, all levels are returned.
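The FilterHashtable commands above, and the earlier findstr "Warning Error" pipelines, all express the same query: a log pattern, a time window and a set of levels. The function below is an added example, not code from the original page; it builds the hashtable from parameters so the window is validated once, filters on the Level property instead of on rendered text, and can summarise the matches by provider and event ID. The default log pattern, window and levels are assumptions.

```powershell
# Added example (not from the original page): wrap Get-WinEvent -FilterHashtable so the
# time window, level set and provider are checked once instead of retyped per command.
# Defaults are assumptions; the Level numbers match the list above (1 Critical .. 4 Information).
function Get-HostEvent {
    [CmdletBinding()]
    param(
        [string]$LogName = 'Microsoft-Windows-Hyper-V*',
        [string]$ProviderName,                               # wildcards allowed, e.g. '*Hyper-V-Worker*'
        [datetime]$StartTime = (Get-Date).AddDays(-1),
        [datetime]$EndTime = (Get-Date),
        [ValidateRange(1, 5)][int[]]$Level = @(1, 2, 3),     # Critical, Error, Warning
        [int[]]$Id,
        [switch]$Summary                                     # one row per provider + event ID
    )
    if ($StartTime -ge $EndTime) {
        throw "StartTime ($StartTime) must be before EndTime ($EndTime)"
    }
    # Supported FilterHashtable keys used here: LogName, ProviderName, Id, Level, StartTime, EndTime
    $filter = @{ LogName = $LogName; StartTime = $StartTime; EndTime = $EndTime; Level = $Level }
    if ($ProviderName) { $filter.ProviderName = $ProviderName }
    if ($Id)           { $filter.Id = $Id }

    # Get-WinEvent reports "No events were found" as an error, not an empty result,
    # so suppress it and treat zero matches as a normal outcome.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    if ($events.Count -eq 0) {
        Write-Verbose "no events matched: $($filter | Out-String)"
        return
    }
    if (-not $Summary) { return $events }

    $events | Group-Object ProviderName, Id | ForEach-Object {
        $group  = $_.Group
        $newest = $group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{
            Provider = $newest.ProviderName
            Id       = $newest.Id
            Level    = $newest.LevelDisplayName
            Count    = $_.Count
            Last     = $newest.TimeCreated
            Sample   = ($newest.Message -split "`r?`n")[0]   # first line of the newest message
        }
    } | Sort-Object Count -Descending
}

# Usage: the object-based equivalent of 'findstr -i "Warning Error"' on the Worker-Admin log
Get-HostEvent -LogName 'Microsoft-Windows-Hyper-V-Worker-Admin' -Level 2, 3 -Summary

# Cluster critical events in the last two hours, grouped by provider and event ID
Get-HostEvent -LogName 'Microsoft-Windows-FailoverClustering*' -StartTime (Get-Date).AddHours(-2) -Level 1 -Summary
```

Filtering on Level rather than grepping the rendered table avoids false matches when the word "Error" appears in a message body, and the summary view makes a repeating event ID (the usual sign of a looping failure) visible before the individual messages are read.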

I'll keep trying to figure out other methods to improve the log collection process.
Use PowerShell Cmdlet to Filter Event Log for Easy Parsing
https://blogs.technet.microsoft.com/heyscriptingguy/2011/01/24/use-powershell-cmdlet-to-filter-event-log-for-easy-parsing/
