Merge pull request #2116 from microsoft/dpaul-HcEventLogInfo

Check oldest log date entry to throw a warning
microsoft · Jul 29, 2024 · 82016e7 · 82016e7
2 parents e7e6295 + bfdb505
commit 82016e7
Show file tree

Hide file tree

Showing 17 changed files with 2,852 additions and 0 deletions.
diff --git a/Diagnostics/HealthChecker/Analyzer/Invoke-AnalyzerOsInformation.ps1 b/Diagnostics/HealthChecker/Analyzer/Invoke-AnalyzerOsInformation.ps1
@@ -482,4 +482,23 @@ function Invoke-AnalyzerOsInformation {
         Write-Verbose "No Windows Features where collected. Unable to process."
     }
     # cSpell:enable
+
+    if ($null -ne $osInformation.EventLogInformation) {
+        $days = 7
+        $testDate = (Get-Date).AddDays(-$days)
+        foreach ($logType in $osInformation.EventLogInformation.Keys) {
+            $logInfo = $osInformation.EventLogInformation[$logType]
+            # If the log isn't at the max limit, it is possible that they just cleared the logs or on a new server. This should be rare scenario.
+            if ($logInfo.LastLogEntry -gt $testDate -and
+                $logInfo.FileSize -ge $logInfo.MaxSize) {
+                $params = $baseParams + @{
+                    Name             = "Event Log - $logType"
+                    Details          = "--ERROR-- Not enough logs to cover $days days. Last log entry is at $($logInfo.LastLogEntry)." +
+                    " This could cause issues with determining Root Cause Analysis."
+                    DisplayWriteType = "Red"
+                }
+                Add-AnalyzedResultInformation @params
+            }
+        }
+    }
 }
diff --git a/Diagnostics/HealthChecker/DataCollection/ServerInformation/Get-EventLogInformation.ps1 b/Diagnostics/HealthChecker/DataCollection/ServerInformation/Get-EventLogInformation.ps1
@@ -0,0 +1,39 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+. $PSScriptRoot\..\..\..\..\Shared\Invoke-ScriptBlockHandler.ps1
+function Get-EventLogInformation {
+    [CmdletBinding()]
+    [OutputType("System.Collections.Hashtable")]
+    param(
+        [Parameter(Mandatory = $true)]
+        [string]$Server,
+        [ScriptBlock]$CatchActionFunction
+    )
+    process {
+        function GetRemoteEventLogInformation {
+            $results = @{}
+            foreach ($log in @("Application", "System")) {
+                $lastLogEntry = Get-WinEvent -LogName $log -Oldest -MaxEvents 1
+                $listLog = Get-WinEvent -ListLog $log
+                $results.Add($log, ([PSCustomObject]@{
+                            LastLogEntry = $lastLogEntry.TimeCreated
+                            MaxSize      = $listLog.MaximumSizeInBytes
+                            FileSize     = $listLog.FileSize
+                            LogMode      = $listLog.LogMode.ToString()
+                            IsEnabled    = $listLog.IsEnabled
+                            LogFilePath  = $listLog.LogFilePath
+                        }))
+            }
+
+            return $results
+        }
+        Write-Verbose "Calling: $($MyInvocation.MyCommand)"
+        $params = @{
+            ComputerName        = $Server
+            ScriptBlock         = ${Function:GetRemoteEventLogInformation}
+            CatchActionFunction = $CatchActionFunction
+        }
+        return (Invoke-ScriptBlockHandler @params)
+    }
+}
diff --git a/...nostics/HealthChecker/DataCollection/ServerInformation/Get-OperatingSystemInformation.ps1 b/...nostics/HealthChecker/DataCollection/ServerInformation/Get-OperatingSystemInformation.ps1
@@ -5,6 +5,7 @@
 . $PSScriptRoot\..\..\..\..\Shared\VisualCRedistributableVersionFunctions.ps1
 . $PSScriptRoot\..\..\..\..\Shared\TLS\Get-AllTlsSettings.ps1
 . $PSScriptRoot\..\..\..\..\Shared\Get-AllNicInformation.ps1
+. $PSScriptRoot\Get-EventLogInformation.ps1
 . $PSScriptRoot\Get-NETFrameworkInformation.ps1
 . $PSScriptRoot\Get-NetworkingInformation.ps1
 . $PSScriptRoot\Get-OperatingSystemBuildInformation.ps1
@@ -72,6 +73,7 @@ function Get-OperatingSystemInformation {
         $vcRedistributable = Get-VisualCRedistributableInstalledVersion -ComputerName $Server -CatchActionFunction ${Function:Invoke-CatchActions}
         $smb1ServerSettings = Get-Smb1ServerSettings -ServerName $Server -GetWindowsFeature $windowsFeature -CatchActionFunction ${Function:Invoke-CatchActions}
         $registryValues = Get-OperatingSystemRegistryValues -MachineName $Server -CatchActionFunction ${Function:Invoke-CatchActions}
+        $eventLogInformation = Get-EventLogInformation -Server $Server -CatchActionFunction ${Function:Invoke-CatchActions}
         $netFrameworkInformation = Get-NETFrameworkInformation -Server $Server
     } end {
         Write-Verbose "Exiting: $($MyInvocation.MyCommand)"
@@ -91,6 +93,7 @@ function Get-OperatingSystemInformation {
             NETFramework               = $netFrameworkInformation
             CredentialGuardCimInstance = $credentialGuardCimInstance
             WindowsFeature             = $windowsFeature
+            EventLogInformation        = $eventLogInformation
         }
     }
 }