Nano Server: Viewing Application, Security and System Event Logs using WMI
1. Introduction
Many have asked how to manage a Nano Server, or a farm full of Nano Servers in a datacenter. Let's start with Basic System Administration 101: viewing the events recorded in the Event Logs. The focus of this article is managing the Event Logs using Windows Management Instrumentation (WMI), since it is the most commonly used interface for managing large environments.
2. Getting Started with Nano Server Firewall Rules for WMI
With Windows Server 2016 Nano Server Technical Preview 4, Microsoft has included Firewall management in the Nano Server Recovery Console; let us hope that it is kept this way until Windows Server 2016 RTM.
What if Microsoft removed Firewall management from the Nano Server Recovery Console? Since the release of Nano Server TP3, as long as you can connect remotely to the Nano Server using the Enter-PSSession PowerShell Cmdlet, you will still be able to use the Enable-NetFirewallRule PowerShell Cmdlet to manage your Nano Server firewall rules.
2.1. How to configure Windows Firewall in Nano Server TP4?
- Login to the Nano Server locally
- Select TAB > Down Key
- Select Enter Key on Firewall
- Select Up or Down Key to scroll the Firewall Rules
2.2. How to allow Windows Management Instrumentation traffic on Windows Firewall in Nano Server?
Once you can see the list of Firewall Rules in the Nano Server Recovery Console, navigate up/down to the following Firewall Rules:
- Select Windows Management Instrumentation (DCOM-In)
- Enable this Firewall Rule by pressing F4 (F4 toggles the rule between Enabled and Disabled)
- Select Windows Management Instrumentation (WMI-In)
- Enable this Firewall Rule by pressing F4
- Select Windows Management Instrumentation (WMI-Out)
- Enable this Firewall Rule by pressing F4
- Test your Windows Management Instrumentation (WMI) connectivity with your Nano Server in the Workgroup.
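The same three rules can be enabled from a remoting session instead of the Recovery Console, and the connectivity test in the last step can be scripted. This is an added example, not code from the original article; it assumes the Nano Server address 192.168.100.28 used throughout the article and that the Nano Server is a Workgroup member (hence the TrustedHosts entry on the management host).

```powershell
# Added example: enable only the WMI firewall rule group on the Nano Server over
# Enter-PSSession-style remoting, then verify WMI connectivity from the management host.
# Assumptions: Nano Server at 192.168.100.28 (as in the article), Workgroup member.
$nano = '192.168.100.28'
# Workgroup target: the management host must trust it before remoting will authenticate.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $nano -Concatenate -Force
$cred = Get-Credential -UserName "$nano\Administrator" -Message 'Nano Server credential'

Invoke-Command -ComputerName $nano -Credential $cred -ScriptBlock {
    # Enable the WMI rule group only (DCOM-In, WMI-In, WMI-Out), nothing broader.
    Enable-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)'
    # Echo the resulting state so the change is visible in the session output.
    Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' |
        Select-Object DisplayName, Enabled, Direction, Profile
}

# DCOM negotiation starts on TCP 135 (RPC endpoint mapper); confirm it answers first.
$rpc = Test-NetConnection -ComputerName $nano -Port 135
if (-not $rpc.TcpTestSucceeded) { throw "TCP 135 to $nano is closed; check the DCOM-In rule." }

# Minimal WMI round trip: if this returns, the Win32_NTLogEvent queries below will work too.
Get-WmiObject -ComputerName $nano -Credential $cred -Class Win32_OperatingSystem |
    Select-Object CSName, Caption, LastBootUpTime
```

WMI itself uses dynamic RPC ports after the port 135 handshake, so a successful port test alone is not proof; the Win32_OperatingSystem query is the real check.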
3. Getting Started with Windows Management Instrumentation (WMI)
Once you have verified that the Get-WmiObject PowerShell Cmdlet can actually establish a connection to the Nano Server remotely, we can begin to query its event logs.
3.1. How to list available Event Log files from Nano Server TP4?
- Launch PowerShell with elevated privileges
- Input the command below:
# Get a list of available Event Log files
Get-WmiObject -ComputerName 192.168.100.28 `
-Class Win32_NTEventLogFile `
-Credential (New-Object `
-TypeName System.Management.Automation.PSCredential `
-ArgumentList "192.168.100.28\Administrator", `
(ConvertTo-SecureString `
-String "Password" `
-AsPlainText `
-Force) `
) ;
3.2. How to get last 30 days of Application Event Log from Nano Server TP4?
- Launch PowerShell with elevated privileges
- Input the command below:
# Get last 30 days of Application events
Get-WmiObject -ComputerName 192.168.100.28 `
-Class Win32_NTLogEvent `
-Filter ("(logfile='Application' " `
+ "AND (TimeWritten >'$([System.Management.ManagementDateTimeConverter]::ToDMTFDateTime((get-date).AddDays(-30)))'))") `
-Credential (New-Object `
-TypeName System.Management.Automation.PSCredential `
-ArgumentList "192.168.100.28\Administrator", `
(ConvertTo-SecureString `
-String "Password" `
-AsPlainText `
-Force) `
) ;
3.3. How to get last 30 days of Security Event Log from Nano Server TP4?
- Launch PowerShell with elevated privileges
- Input the command below:
# Get last 30 days of Security events
Get-WmiObject -ComputerName 192.168.100.28 `
-Class Win32_NTLogEvent `
-Filter ("(logfile='Security' " `
+ "AND (TimeWritten >'$([System.Management.ManagementDateTimeConverter]::ToDMTFDateTime((get-date).AddDays(-30)))'))") `
-Credential (New-Object `
-TypeName System.Management.Automation.PSCredential `
-ArgumentList "192.168.100.28\Administrator", `
(ConvertTo-SecureString `
-String "Password" `
-AsPlainText `
-Force) `
) ;
3.4. How to get last 30 days of System Event Log from Nano Server TP4?
- Launch PowerShell with elevated privileges
- Input the command below:
# Get last 30 days of System events
Get-WmiObject -ComputerName 192.168.100.28 `
-Class Win32_NTLogEvent `
-Filter ("(logfile='System' " `
+ "AND (TimeWritten >'$([System.Management.ManagementDateTimeConverter]::ToDMTFDateTime((Get-Date).AddDays(-30)))'))") `
-Credential (New-Object `
-TypeName System.Management.Automation.PSCredential `
-ArgumentList "192.168.100.28\Administrator", `
(ConvertTo-SecureString `
-String "Password" `
-AsPlainText `
-Force) `
) ;
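Sections 3.2 to 3.4 differ only in the log name, so a single parameterised function covers all three. This is an added example, not the article's code: it takes the credential from Get-Credential instead of a plaintext string, adds an optional EventType filter to the WQL, and converts the DMTF timestamps back to DateTime. The function name Get-NanoEventLog and the two sample queries are the author's own choices; the Nano Server address is the one used in the article.

```powershell
# Added example: one function for the Application/Security/System queries above.
# Assumptions: Nano Server at 192.168.100.28 (from the article), a local Administrator account.
function Get-NanoEventLog {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [ValidateSet('Application', 'Security', 'System')] [string] $LogFile = 'System',
        [int] $Days = 30,
        # Win32_NTLogEvent.EventType: 1 Error, 2 Warning, 4 Information, 8 Audit Success, 16 Audit Failure
        [int[]] $EventType
    )
    # WQL compares TimeWritten as a DMTF string (yyyymmddHHMMSS.ffffff+UUU), hence the converter.
    $since  = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddDays(-$Days))
    $filter = "Logfile='$LogFile' AND TimeWritten > '$since'"
    if ($EventType) {
        $filter += ' AND (' + (($EventType | ForEach-Object { "EventType=$_" }) -join ' OR ') + ')'
    }
    Get-WmiObject -ComputerName $ComputerName -Credential $Credential `
                  -Class Win32_NTLogEvent -Filter $filter |
        ForEach-Object {
            [pscustomobject]@{
                TimeWritten = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.TimeWritten)
                Logfile     = $_.Logfile
                EventCode   = $_.EventCode
                Type        = $_.Type
                Source      = $_.SourceName
                Message     = ($_.Message -split "`r?`n")[0]   # first line only, keeps tables readable
            }
        }
}

$nano = '192.168.100.28'
$cred = Get-Credential -UserName "$nano\Administrator" -Message 'Nano Server credential'

# Audit failures in the Security log over the last 7 days, failed logons (Event ID 4625) only, newest first.
Get-NanoEventLog -ComputerName $nano -Credential $cred -LogFile Security -Days 7 -EventType 16 |
    Where-Object EventCode -eq 4625 | Sort-Object TimeWritten -Descending | Format-Table -AutoSize

# Which sources raised the most errors in the System log over the default 30 days?
Get-NanoEventLog -ComputerName $nano -Credential $cred -LogFile System -EventType 1 |
    Group-Object Source | Sort-Object Count -Descending | Select-Object -First 10 Count, Name
```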
3.5. How to backup Event Log on Nano Server TP4?
Let us take a look at the content of the Nano Server's C:\ drive prior to initiating a backup of the Event Log file locally.
- Launch PowerShell with elevated privileges
- Input the command below:
# Backup the Security Event Log file of Nano Server TP4 (IP Address = 192.168.100.28) to a path on the Nano Server's own disk
(Get-WmiObject -ComputerName 192.168.100.28 `
-Class Win32_NTEventLogFile `
-Filter "(logfilename = 'Security')" `
-Credential (New-Object `
-TypeName System.Management.Automation.PSCredential `
-ArgumentList "192.168.100.28\Administrator", `
(ConvertTo-SecureString `
-String "Password" `
-AsPlainText `
-Force) `
)).BackupEventLog("C:\NanoServer-192-168-100-28-Security-EventLog.evtx") ;
Check that the Event Log has been backed up to the specified path on the Nano Server (the path is local to the Nano Server, not to the management host).
3.6. How to clear Event Log on Nano Server TP4?
- Launch PowerShell with elevated privileges
- Input the command below:
# Clear Security Event Log file from Nano Server TP4 (IP Address = 192.168.100.28)
(Get-WmiObject -ComputerName 192.168.100.28 `
-Class Win32_NTEventLogFile `
-Filter "(logfilename = 'Security')" `
-Credential (New-Object `
-TypeName System.Management.Automation.PSCredential `
-ArgumentList "192.168.100.28\Administrator", `
(ConvertTo-SecureString `
-String "Password" `
-AsPlainText `
-Force) `
)).ClearEventLog() ;
Check that the Event Log has been cleared.
4. Alternatives
There is another way to manage Event Log files on a Nano Server; below is a demonstration of WevtUtil resizing the Security Event Log's maximum log file size.
4.1. How to resize the Security Event Log maximum size on Nano Server?
- Launch PowerShell with elevated privileges
- Connect to the Nano Server using the Enter-PSSession PowerShell Cmdlet
- Resize the Security Event Log maximum file size by inputting the command below:
# Increase the Security Event Log File Size
wevtutil sl Security /ms:4194240
Check the Security Event Log maximum file size using the Get-WmiObject PowerShell Cmdlet.
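Sections 3.5, 3.6 and 4.1 belong together operationally: back up, verify the backup, clear, then read the log properties back (including the MaxFileSize that wevtutil just changed). The following is an added example, not the article's code; it guards the clear with the WMI methods' ReturnValue (0 means success) and a remote file check, so the live log is never cleared without a verified backup. The backup folder C:\EventLogBackup and the timestamped file name are the author's choices; the address and account are the article's.

```powershell
# Added example: backup -> verify -> clear -> re-read the Security log as one guarded sequence.
# Assumptions: Nano Server at 192.168.100.28 (from the article); the backup path is on the
# Nano Server itself, because BackupEventLog runs on the remote host.
$nano   = '192.168.100.28'
$cred   = Get-Credential -UserName "$nano\Administrator" -Message 'Nano Server credential'
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = "C:\EventLogBackup\Security-$stamp.evtx"

$log = Get-WmiObject -ComputerName $nano -Credential $cred `
    -Class Win32_NTEventLogFile -Filter "LogFileName='Security'"

# BackupEventLog does not create folders; make the target directory exist remotely first.
Invoke-Command -ComputerName $nano -Credential $cred -ScriptBlock {
    param($dir) New-Item -ItemType Directory -Path $dir -Force | Out-Null
} -ArgumentList (Split-Path $backup)

$before = $log.NumberOfRecords
$rc = $log.BackupEventLog($backup).ReturnValue
if ($rc -ne 0) { throw "BackupEventLog failed with return code $rc; log NOT cleared." }

# Confirm the file really landed and is non-empty before destroying the live log.
$size = Invoke-Command -ComputerName $nano -Credential $cred -ScriptBlock {
    param($p) (Get-Item $p).Length } -ArgumentList $backup
if (-not $size) { throw "Backup file $backup is missing or empty; log NOT cleared." }

$rc = $log.ClearEventLog().ReturnValue
if ($rc -ne 0) { throw "ClearEventLog failed with return code $rc." }

# Re-read the instance: the cached $log is stale after the clear. On the Security log the
# record count is 1, not 0, because Windows writes event 1102 ("audit log was cleared").
# MaxFileSize is in bytes, the same unit wevtutil's /ms: switch takes.
$log = Get-WmiObject -ComputerName $nano -Credential $cred `
    -Class Win32_NTEventLogFile -Filter "LogFileName='Security'"
[pscustomobject]@{
    RecordsBefore = $before
    RecordsAfter  = $log.NumberOfRecords
    MaxFileSizeKB = [math]::Round($log.MaxFileSize / 1KB)
    Overwrite     = $log.OverWritePolicy
    BackupFile    = $backup
}
```

Event 1102 is worth forwarding off-box in its own right: a cleared Security log with no matching scheduled backup is a classic sign of tampering, and keeping the .evtx backups outside the Nano Server preserves the evidence the clear removed.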
5. References
- Microsoft Developer Network - About WMI
- Microsoft Developer Network - Win32_NTEventlogFile class
- Microsoft Developer Network - Win32_NTLogEvent class
- Microsoft TechNet - Get-WmiObject
- Microsoft TechNet - Enter-PSSession
- Microsoft TechNet - Wevtutil
- Microsoft Virtual Academy - A Deep Dive into Nano Server
- Microsoft TechNet Blog - Introducing the Nano Server Recovery Console by Derk Benisch [MSFT]
- Microsoft TechNet Blog - How to setup Nano Server to send diagnostic messages off-box for remote analysis by Derk Benisch [MSFT]
6. See Also
- Nano Server Survival Guide by Ryen Tang
- Microsoft Azure: Managing Nano Server with Server Management Tools by Ryen Tang
- Microsoft Azure: Deploying Windows Server 2016 Nano Server by Ryen Tang
- Windows Nano Server: Virtualization with VMware vSphere by Ryen Tang
- Nano Server: Getting Started with Image Builder by Ryen Tang
- Nano Server: Using New-NanoServerImage with Show-Command to deploy Nano Server by Ryen Tang
- Nano Server: Deploying an Internet Information Services (IIS) Web Server by Ryen Tang
- Nano Server: Deploying ASP.NET 5 site on Internet Information Services (IIS) Web Server by Ryen Tang
- Nano Server: Deploying PHP 7.0.6 on Internet Information Services (IIS) Web Server by Ryen Tang
- Nano Server: Deploying MySQL Database Server by Ryen Tang
- Nano Server: Deploying Python 3.x interpreter by Ryen Tang
- Nano Server: Getting Started in Container with Docker by Ryen Tang