
Breaking my brain here trying to figure out why this won't pull events from the event log?

I am seeing the event in the event log with the message "The backup operation has completed."

The Event ID is: 14 located under Log Name: Microsoft-Windows-Backup/Operational

$PastHours = 24

$StartAt = (Get-Date).AddHours(-$PastHours)
$ErrorActionPreference = "SilentlyContinue"

$FilterHashTable = @{
    logname   = "Microsoft-Windows-Backup/Operational"
    id        = 14
    StartTime = $StartAt
}

$actions = (Get-WinEvent -FilterHashtable $FilterHashTable | 
    Where-Object {($_.Message -like "*operation*")})

if ($actions){
    ForEach($action in $actions){
        $Result = "OK: Windows Backup Completed Successfully"
        Write-Host $Result
        Exit 0
    }
}
elseif ($action.count -eq "0") {
    $Result = "CRITICAL: Windows Backup has not run in past $PastHours hours "
    Write-Host $Result
    Exit 2
}
else {
    $Result = "CRITICAL: Windows Backup has not run in past $PastHours hours "
    Write-Host $Result
    Exit 2
}

I run the script and confirm every time that $action.count is 0. The event is present and was last run at 8/8/2018 2:12 PM.

Any suggestions?

  • Can you list $actions and see if anything is there? If not, remove Where-Object and verify if that helps. At least you'll know what to troubleshoot. Commented Aug 9, 2018 at 14:37
  • Also, you might want to use $actions.count (plural) Commented Aug 9, 2018 at 14:43
  • I removed the Where-Object but still did not find the task. $actions is null - I think when I try and print it. Commented Aug 9, 2018 at 14:44
  • It works for me (don't have Windows Backup so I had to use another log) so I don't think I'll be able to help more. Just to confirm - are you running the script on the same machine you checked the logs? Commented Aug 9, 2018 at 14:49
  • yes, are you using the same script I posted and it worked? Commented Aug 9, 2018 at 14:56

1 Answer


Thanks Jacob, you're right.

It's working now using:

Param(
    [string]$PastHours
)

$StartAt = (Get-Date).AddHours(-$PastHours)
$ErrorActionPreference = "SilentlyContinue"

$FilterHashTable = @{
    logname   = "Microsoft-Windows-Backup"
    id        = 4
    StartTime = $StartAt
}

$actions = (Get-WinEvent -FilterHashtable $FilterHashTable | 
    Where-Object {($_.Message -like "*successfully*")})

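if ($actions){
    ForEach($action in $actions){
        # Report the first matching event and exit; $Task was never defined, so only the timestamp is formatted
        $Result = "OK: Windows Backup Completed Successfully at {0}" -f $action.TimeCreated
        Write-Host $Result
        Exit 0
    }
}
# Check the collection ($actions), not the loop variable ($action)
elseif ($actions.Count -eq 0) {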
    $Result = "CRITICAL: Windows Backup has not run in past $PastHours hours"
    Write-Host $Result
    Exit 2
}
else {
    $Result = "CRITICAL: Windows Backup has not run in past $PastHours hours"
    Write-Host $Result
    Exit 2
}
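
With `$ErrorActionPreference = "SilentlyContinue"` set, a query that fails (for example because of a wrong log name) and a query that simply finds nothing both leave `$actions` empty. The following is an added example, not part of the original answer, that keeps the two cases apart; the log name and event ID are the ones from the answer, while exit code 3 for UNKNOWN and the 24-hour default are assumptions.

```powershell
# Added example: hardened variant of the check. Log name and event ID are the
# values from the answer above; exit code 3 (UNKNOWN) is an assumed
# Nagios-style plugin convention, not something the original post uses.
Param(
    [ValidateRange(1, 8760)]
    [int]$PastHours = 24
)

$Filter = @{
    LogName   = 'Microsoft-Windows-Backup'
    Id        = 4
    StartTime = (Get-Date).AddHours(-$PastHours)
}

try {
    # -ErrorAction Stop turns every failure into a catchable exception
    # instead of hiding it behind a global SilentlyContinue.
    $events = @(Get-WinEvent -FilterHashtable $Filter -ErrorAction Stop |
        Where-Object { $_.Message -like '*successfully*' })
}
catch {
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
        # The log was queried correctly; it just holds no matching event.
        $events = @()
    }
    else {
        # Wrong log name, missing log, access denied, service down, ...
        Write-Host "UNKNOWN: could not query $($Filter.LogName): $($_.Exception.Message)"
        exit 3
    }
}

if ($events.Count -gt 0) {
    # Get-WinEvent returns newest first, so element 0 is the latest success.
    Write-Host ("OK: Windows Backup completed successfully at {0}" -f $events[0].TimeCreated)
    exit 0
}

Write-Host "CRITICAL: Windows Backup has not run in past $PastHours hours"
exit 2
```

A monitoring system that sees UNKNOWN can then alert on a broken check separately from a missed backup.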