Read selected events from the event log

I am new to powershell and need some help. I am creating a script to be run as a scheduled task at startup to look for event log entries of unexpected shutdown. I am only interested in the events that occured within the last hour of startup. If an event is found, an email is sent to the helpdesk. The script I created works if an entry exists but errors if it does not. It fails because nothing is found to assign to the variable. How can I handle that situation?

$UnexpectedReboot=Get-EventLog -LogName System -EntryType Error -Source EventLog -After (Get-Date).AddHours(-1) -Newest 1
Send-MailMessage -To Helpdesk@company.com -From "UnexpectedShutdown@company.com" -SmtpServer mailserver.company.com -Subject "Unexpected shutdown: $env:COMPUTERNAME" -Body $UnexpectedReboot.Message

The error is:

Get-EventLog : No matches found
At line:1 char:19

  • $UnexpectedReboot=Get-EventLog -LogName System -EntryType Error -Source EventLog …
  • CategoryInfo : ObjectNotFound: (:slight_smile: [Get-EventLog], ArgumentException
  • FullyQualifiedErrorId : GetEventLogNoEntriesFound,Microsoft.PowerShell.Commands.GetEventLogCommand

It depends on what you’d like to do. You could add -ErrorAction SilentlyContinue to the command, which will suppress the error. You could then check and see if $UnexpectedReboot was empty or not. That’ll probably be difficult to do in a one-liner; this would be easier for you if you broke these commands out into a short script.

An alternative would be to add -ErrorAction Stop to your Get-EventLog call and enclose the scriptlet in a Try/Catch block. Since you want to ignore the case where no unexpected reboot occurred, the catch block can be empty.

Thank you, Don and Art. I tried Stop first since it was the shorter solution and I believe in KISS. But it still returned an error. I don’t like errors even if they don’t affect he result. SilentlyContinue did not return a error. I solved the problem of $UnexpectedReboot being empty with an If statement. Here is my solution:

$UnexpectedReboot=Get-EventLog -LogName System -EntryType Error -Source EventLog -After (Get-Date).AddHours(-1) -Newest 1 -ErrorAction SilentlyContinue
If ($UnexpectedReboot -ne $null) {Send-MailMessage -To Helpdesk@company.com -From “UnexpectedShutdown@company.com” -SmtpServer mailserver.company.com -Subject “Unexpected shutdown: $env:COMPUTERNAME” -Body $UnexpectedReboot.Message}

Don, since I am new to PowerShell I am going to try to break this out into a short script for practice and exerience.

This was a good problem for me. I learned something!

Two things pop for me right away:

If ($UnexpectedReboot -ne $Null)

can be replaced with

if ($Unexpectedreboot)

The second option will always return true if the variable has a value other than false. Â If it’s empty then it won’t go through.

 

The other thing is are you sure that you’re getting the right event log information? Â it might be better to look for a particular event ID. Â Right now you’re just pulling any error in the system log that happened within the hour before the script was run.

Don, I wrote it as a script. It makes it a lot more readable. Thank you for the suggestion.