Microsoft Virtualization Discussions

Question about get-nasystemlog -auditlog


So, i needed to pull some information from the auditlog, so I wanted to put my powershell to work..

So, I queried something very simple...

get-nasystemlog -auditlog -starttime 5/21/2012 | ? {$_.value -like "*resize*"}

TimeStampDT        Source       Severity Keyword  Target           Value
-----------        ------       -------- -------  ------           -----
5/21/2012 8:09:10 AM   filer   debugIN   rsh shell       

RSH INPUT COMMAND is priv set -q admin ; lun resize -f "/vol/vol1/qtlun/lun0" 500G ; result -l

But to my surprise, it didn't return any username data.   I had to query the audit log directly with powershell to gather what I was looking for..

I did something like

gc auditlog | % {

(if $_ -like "*resize*" -or $_ -like "*reservation*")

Write-host $_

out-file -inputobject $_ -filepath c:\log.log -append



I'm just curious why i can't pull the usernames from the audit log with native cmdlets...



I think what you are looking for is in the "EventSource" field:

Get-NaSystemLog -AuditLog -StartTime (Get-Date).AddHours(-2) | where { $_.Value -like "*resize*" } | select TimeStampDT, Severity, EventSource, Value

TimeStampDT                   Severity                      EventSource                   Value

-----------                   --------                      -----------                   -----

5/21/2012 4:27:55 PM          debug                         root                          vol resize



Yup beam, that's it.. damn, I shoulda dug through the properties deeper with get-member..

So.. Now, let's say I want to edit the default output of the cmdlet.   Is that even advisable? 


Now, let's say I want to edit the default output of the cmdlet.   Is that even advisable? 

Not sure what you mean.  You can use Add-Member to add additional fields to the objects emitted by Get-NaSystemLog.  Or you can change the values directly (they're just properties), but I'm not sure why you'd need to do that.  You can provide a custom format for the data.  Essentially, you can't change how the cmdlet works, but you can manipulate and display its output however you like.