Month: September 2024

Posted on

Log-Rotate

On Linux, there is the logrotate command, which will very nicely take a text file and, based on parameters, “rotate” the file. This is, obviously, very nice for breaking up log files into workable chunks and retaining some backlog of these logs for a set amount of time. Unfortunately, this sort of thing doesn’t exist natively for Windows.

Fortunately, someone made a powershell module that just… does this. Like, literally, just does this but in Windows. However, the documentation is kind of confusing because it kind of works like a powershell commandlet, but then relies on the documentation of the Linux command above, which is kind of confusing. So, let me throw down here what I’ve done to try and fill in some gaps for those of us having some trouble jumping that gap.

First thing’s first, you’ll need to install the module. Once done, you’ll be able to run log-rotate -config <Config File Location> -state <State File Location>. The config file location and state file location will point to a config and state file, which I’ve personally named logrotate.conf and logrotate.status. This is the only thing we need in Powershell.

Now the magic sauce: the config file. I’m going to put an example below, then we can talk some more about what’s going on in here. 

# Defaults 
daily
size 100M
missingok
rotate 7
create
extension .txt
ifempty
olddir .\Log Archive

# Specific Settings
C:\Logs\Job1Log.txt {
}

C:\Job2Logs\*.txt {
extension .log
monthly
}

C:\Job3Logs {
size 500M
}

The top section is settings that will be applied to all of the log files you are trying to rotate. Below that, you’ll see sections for whch individual files, folders, and wildcard-defined files and folders log-rotate will interact with when run. Log-rotate doesn’t run in the directory you’re running you shell in, it’ll run against these configured directories. Within those brackets, further settings can be set that will override the “defaults” set above. You can check the logrotate page for explanations and definitions of what these settings do, but I’ll call out a few things that needed some further explaining from the documentation.

  • olddir doesn’t need quotation marks for folders with spaces. It will use a relative path, so in the first case, C:\Logs\Job1Log.txt will be rotated to C:\Logs\Log Archive\Job1log.1.txt.
  • extension needs the period before the extension. Note here that I’ve defined this in the “defaults” section as .txt. Remember that every time log-rotate runs, it will check for files that match, and then rotate them to include .txt at the end. This is useful to make it easier to open rotated files with your default reader, but remember that log.txt will be rotated to log.txt and log.1.txt, which means the next time log-rotate runs, both log.txt and log.1.txt will get rotated, resulting in log.txt, log.1.txt, and log.1.1.txt which is not desired. I’ve specified an olddir folder to move older files into to help avoid this issue.

Finally, the state file can be basically left alone unless you need to reset things. It is just used to keep track of the state of your log files so that the next time log-rotate is run, it’ll know how old the files are, for example.

Posted on

Task Scheduler Error Alerting

One of the worst things about Task Scheduler is not knowing when tasks fail. Well, as it it turns out, you can have Task Scheduler take actions, like run a powershell script to email you, when triggered by certain events in the event viewer. By default, you can get it to trigger on very generic things like Success and Failure based on Event ID. But what if you want to trigger based on Result Codes? That’s a bit tougher because that’s all in the XML view, and not part of what Event Viewer actually knows how to work with. Thankfully, you can build an XML query manually.

So! In my example use case, I am running a batch file. When it succeeds without issues, it’ll give event id 201 and result code 0, but when it fails, it could fail with a bunch of different codes, including 2147942401 and 2147942402. Well, I don’t really care how it failed, just that it did, so I want to be alerted when event id 201 has anything in the result code that isn’t 0.

Go ahead and make a New Task. Begin the Task “On an event”. Click the “Custom” radio button. Edit the Event Filter and go to the XML tab. Make sure the “Edit query manually” checkbox is checked. Then, include the following:

<QueryList>
  <Query Id="0" Path="Microsoft-Windows-TaskScheduler/Operational">
    <Select Path="Microsoft-Windows-TaskScheduler/Operational">*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and (EventID=201)]]</Select>
    <Suppress Path="Microsoft-Windows-TaskScheduler/Operational">*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and (EventID=201)]] and *[EventData[Data[@Name='ResultCode'] and (Data="0")]]</Suppress>
  </Query>
</QueryList>

Let’s walk through this and break it down a bit.

<Query Id="0" Path="Microsoft-Windows-TaskScheduler/Operational">

Just points to the path in Event Viewer. You can cheat this by using the Filter tab to fill out everything it allows you to before switching to the XML tab and editing the query manually. You won’t be able to switch back and forth, though, once you’ve started editing. 

<Select Path="Microsoft-Windows-TaskScheduler/Operational">*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and (EventID=201)]]</Select>

This says to get all events that have Event ID 201 and match all of those different alert levels (I just chose all of them). “But wait!” I hear you saying “I want to be more selective about the result code, don’t I?” Yup, which is why:

<Suppress Path="Microsoft-Windows-TaskScheduler/Operational">*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and (EventID=201)]] and *[EventData[Data[@Name='ResultCode'] and (Data="0")]]</Suppress>

This means “Don’t tell me about anything with Result Code 0.” Anything else means something happened and I need to go fix something.

So, “Tell me about every Event ID 201 event, unless it has Result Code 0.” Simple.