ControlUp is a tool we use to monitor our Citrix environment. Multiple people run actions via ControlUp, often many times over, so an easier way to review those actions would be nice. ControlUp keeps a record of all machine actions executed through it in the local machine’s event log. To review these logs I decided, what better way than to use ControlUp!
The Script Based Action (SBA):
```powershell
<#
.SYNOPSIS
    This script will return logging information about any ControlUp actions.
.DESCRIPTION
    This script is a (minor) modification of David Falkus's original script for getting AppV events.
    He documented everything that went into making this work here:
    https://blogs.technet.microsoft.com/virtualshell/2016/08/25/app-v-5-troubleshooting-the-client-using-the-event-logs/

    This script takes three arguments.
    $args[0] is a computer name
    $args[1] is GUI for a GUI or TEXT for text output.
    $args[2] is how far back in time to check for events (in hours). No argument is all events.

    AUTHOR: Trentent Tye, David Falkus
    LASTEDIT: 01/26/2017
    VERSION : 1.0
#>

# Adding threading culture change so that Get-WinEvent picks up the messages;
# if the PS culture is set to something other than en-US the script will fail
[System.Threading.Thread]::CurrentThread.CurrentCulture = New-Object "System.Globalization.CultureInfo" "en-US"

if ($args[2]) {
    # convert time (hours) into milliseconds
    $time = [int]$args[2]*1000*60*60
    # "<" must be written as &lt; inside the XML query, otherwise the filter is not valid XML
    $FilterXML = @"
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">
      *[System[Provider[@Name='ControlUp action auditing'] and TimeCreated[timediff(@SystemTime) &lt;= $($time)]]]
    </Select>
  </Query>
</QueryList>
"@
} else {
    $FilterXML = @"
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[Provider[@Name='ControlUp action auditing']]]</Select>
  </Query>
</QueryList>
"@
}

Try {
    $GWE_All = Get-WinEvent -FilterXml $FilterXML -ComputerName $args[0] -ErrorAction SilentlyContinue
} Catch {
    # capture any failure and display it in the error section, then end the script with a return
    # code of 1 so that CU sees that it was not successful.
    Write-Error "Unable to connect remotely to server to pull the event log" -ErrorAction Continue
    # the Write-Error above is now $Error[0], so the original exception is $Error[1]
    Write-Error $Error[1] -ErrorAction Continue
    Exit 1
}

# create a new object because previous events may not be defined if this is a non-persistent system
# the event contains all the data but without it defined on the server the message property may be blank
$Events = @()
foreach ($event in $GWE_All) {
    [xml]$eventXML = $event.ToXML()
    $prop = New-Object System.Object
    $prop | Add-Member -type NoteProperty -name TimeCreated -value ([datetime]$eventXML.Event.System.TimeCreated.SystemTime)
    $prop | Add-Member -type NoteProperty -name Message -value $eventXML.Event.EventData.Data
    $Events += $prop
}

$Events = $Events | sort TimeCreated -Descending

#################
# Out-GridView
#################
if ($args[1] -eq "GUI") {
    $Events | select TimeCreated,Message | Out-GridView -Title $args[0] -Wait
}

if ($args[1] -eq "TEXT") {
    $Events | select TimeCreated,Message | fl
}
```
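For reviewing what several administrators ran across more than one machine, the same query can be wrapped in a function that merges the results into a single timeline. This is an added example, not part of the original SBA; the function name `Get-ControlUpAuditTimeline` and the host names in the usage comment are hypothetical, and it assumes the same provider name and event data field the script above reads.

```powershell
# Added example (not the original SBA). Function name and sample host names are hypothetical.
function Get-ControlUpAuditTimeline {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        # Typed and range-checked: this value is interpolated into the XPath query below
        [ValidateRange(1, 8760)][int]$Hours = 24
    )

    $ms = [long]$Hours * 60 * 60 * 1000
    $filter = @"
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[Provider[@Name='ControlUp action auditing'] and TimeCreated[timediff(@SystemTime) &lt;= $($ms)]]]</Select>
  </Query>
</QueryList>
"@

    foreach ($computer in $ComputerName) {
        try {
            # -ErrorAction Stop makes every failure reach the catch block
            $found = Get-WinEvent -FilterXml $filter -ComputerName $computer -ErrorAction Stop
        }
        catch {
            # Get-WinEvent reports "no matching events" as an error; that is an empty result,
            # not a failed collection, so only other errors are surfaced
            if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
                Write-Warning "${computer}: $($_.Exception.Message)"
            }
            continue
        }

        foreach ($e in $found) {
            # Read the raw event data, as the SBA does, in case the rendered message is blank
            [xml]$x = $e.ToXml()
            [pscustomobject]@{
                TimeCreated  = $e.TimeCreated
                ComputerName = $computer
                Message      = $x.Event.EventData.Data
            }
        }
    }
}

# Usage (constructed host names):
# Get-ControlUpAuditTimeline -ComputerName CTX01,CTX02 -Hours 8 |
#     Sort-Object TimeCreated -Descending | Out-GridView -Title 'ControlUp actions'
```

A machine that is unreachable produces a warning rather than silently dropping out of the timeline, so a gap in the audit data is visible to the reviewer.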
And the steps to create the SBA:
- Create a new SBA and name it “ControlUp Action Auditing” and click ‘Next’
- Set the ‘Assigned to:’ “Computer” and ‘Execution Context:’ as “ControlUp Console”
- Add the script and set the ‘Execution Timeout (seconds)’ to whatever will satisfy querying your remote systems (I set mine to 120).
- Set up the variables:
  - $args[0] = ‘Name’ property
  - $args[1]: (note the “pipe” symbol in the ‘Input Validation string’)
  - $args[2]:
- Save and Finalize the SBA.

And now, here it is in action: