Since switching my focus to the cloud, I’ve been doing more and more pure CLI management of Windows. One of the tedious tasks for Windows administrators working from the console is accessing the Windows Event Log. These are not simple text files like on Linux, so you have to use a special PowerShell cmdlet to retrieve them.
Because this needs to be done so often, one of the biggest challenges is following an event log while waiting for results.
When following text logs, you simply use Get-Content logfilename -Wait to emulate the Linux command tail -f logfilename.
So I looked for something I expected to find quickly, but everything I found was very long and complicated. So I created a new one-liner that follows the principles of Mission Impossible coding.
A growing number of Windows deployment scenarios require managing Windows from the PowerShell console alone:
- Server Core – GUI not available.
- Windows Containers – No GUI available.
- Use a Cloud Shell such as AWS SSM Session Manager, Azure Cloud Shell, or Google Cloud Shell.
- PowerShell remoting.
- VS Code remote development.
In all of these situations, tracking the various Windows event logs is an essential feature for development debugging and operational troubleshooting.
Most existing approaches use message indexes: they retrieve events by calling an API and keep track of the last index retrieved. This means lots of multi-line functions and full-fledged cmdlets rather than one-liners.
For my purposes, I realized that very old log lines are not important. I don’t need the last 5 lines received, just the most recent entries within the time period I’m interested in.
So I wondered whether I could use time instead of the message index for a particular log.
It turns out I could. Instead of looking back a certain number of index entries on the first load, you look back a certain number of minutes.
This greatly condenses the code down to a reasonable one-liner.
Why care about one-liners? I was testing the Ultimate AWS ASG Lab Kit, which has a termination lifecycle hook. Every test runs on a temporary instance you have just started, and you actually issue the termination to make sure your code works. So installing modules or carrying large amounts of code for simple functionality is a real pain.
I assume that many people who work on CLI-only Windows (whether through remote shells, cloud shells, or containers) understand the power of one-liners in these situations.
The code is below; briefly, it works like this:
- We define this as a function because it adds only a few extra characters and can be reused (a version without the function is also given below).
- By default, it looks back 5 minutes (set in $lastdate).
- Loop until CTRL-C is pressed.
- Set $newdate once per iteration (Get-Date cannot be called inline in the filter, otherwise you risk losing events that arrive while the loop body runs).
- List what happened during that window.
- Set $lastdate=$newdate.
- Loop again.
enjoy!
The one-liner emulates this command on Linux:
tail -f /var/log/messages
PowerShell one-liner with a function (you can configure which log to read, how many minutes back to look for the initial output, and the computer name):
# The Get-WinEvent -FilterHashtable call inside the loop is an assumption: the retrieval call did not survive in this copy of the post and is reconstructed here. -ErrorAction SilentlyContinue is needed because Get-WinEvent raises an error (not an empty result) when a window contains no events.
Function Tail ($logspec="Application",$pastmins=5,$computer=$env:computername) {$lastdate=$(Get-Date).AddMinutes(-$pastmins);while ($True) {$newdate=Get-Date;Get-WinEvent -ComputerName $computer -FilterHashtable @{LogName=$logspec;StartTime=$lastdate;EndTime=$newdate} -ErrorAction SilentlyContinue | Sort-Object TimeCreated;$lastdate=$newdate;Start-Sleep -Milliseconds 330}}; Tail
A smaller PowerShell one-liner hard-coded to 1) the Application log, 2) a 5 minute lookback, and 3) the local machine only. (At 243 characters, it’s 116 characters (30%) shorter than the 360 character one-liner above):
# As above, the Get-WinEvent call is reconstructed; the Where-Object (?) filter is the part of the original that survived.
$lastdate=$(Get-Date).AddMinutes(-5);while ($True) {$newdate=Get-Date;Get-WinEvent -FilterHashtable @{LogName="Application";StartTime=$lastdate} -ErrorAction SilentlyContinue | ? {$_.TimeCreated -ge $lastdate -AND $_.TimeCreated -le $newdate} | Sort-Object TimeCreated;$lastdate=$newdate;Start-Sleep -Milliseconds 330}
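A readable, multi-line version of the same time-window approach, added here as an example (it is not the original post's code; the function name Watch-WinEvent is mine, and it assumes Get-WinEvent with -FilterHashtable as the retrieval call). It goes one step beyond the one-liners: because the inclusive -ge/-le bounds and any write latency can make a boundary event print twice or not at all, each poll re-reads a short overlap and de-duplicates by RecordId.

```powershell
# Added example, not from the original post. Assumes the standard EventLogRecord
# properties (TimeCreated, RecordId, ProviderName, Id, LevelDisplayName, Message).
function Watch-WinEvent {
    param(
        [string]$LogName  = 'Application',
        [int]$PastMins    = 5,                  # initial lookback, like the one-liner
        [string]$Computer = $env:COMPUTERNAME,  # remote host needs RPC/event log firewall rules
        [int]$PollMs      = 330,
        [int]$OverlapSec  = 2                   # re-read a little history each poll (late writes)
    )
    $lastDate = (Get-Date).AddMinutes(-$PastMins)
    $seen = [System.Collections.Generic.HashSet[long]]::new()   # RecordIds from the previous window

    while ($true) {
        # Capture the upper bound once per iteration so events that arrive while the
        # query runs fall into the next window instead of being lost.
        $newDate = Get-Date
        $filter  = @{
            LogName   = $LogName
            StartTime = $lastDate.AddSeconds(-$OverlapSec)
            EndTime   = $newDate
        }

        # Get-WinEvent raises "No events were found" for an empty window; treat it as silence.
        $events = @(Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
                    Sort-Object TimeCreated)

        foreach ($e in $events) {
            # RecordId is unique within a log, so it de-duplicates events that the overlap
            # (or the inclusive bounds) would otherwise print a second time.
            if (-not $seen.Contains([long]$e.RecordId)) {
                '{0:yyyy-MM-dd HH:mm:ss.fff} [{1}] {2} {3}: {4}' -f $e.TimeCreated, $e.LevelDisplayName,
                    $e.ProviderName, $e.Id, ($e.Message -split "`n")[0]
            }
        }

        # Only the last window can overlap the next one, so keep just its ids (bounded memory).
        $seen = [System.Collections.Generic.HashSet[long]]::new(
            [long[]]@($events | ForEach-Object { [long]$_.RecordId }))
        $lastDate = $newDate
        Start-Sleep -Milliseconds $PollMs
    }
}

# Usage (CTRL-C to stop): Watch-WinEvent -LogName System -PastMins 10
```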
PS: This post is included in the Mission Impossible Codes series for the following reasons:
- The solution is very simple.
- Using dates instead of event log indexes seems to be a new approach (it enables much shorter code than tracking indexes).
- It is practical, efficient and serves immediate needs.
- As a one-liner, it can be easily deployed on temporary test machines.
- It has enough features to be used as a complete solution for log tailing.
- Supports remote computers.