Nano Server: Viewing Application, Security and System Event Logs using WMI


Since my last post about building Nano Server TP4 in VMware vSphere 6, I have been constantly bugged about how to manage a headless Windows Server 2016 Nano Server because it is headless. There is no Graphical User Interface (GUI) and some of the usual common excutable for Administrators were stripped away. I would say if you are not familiar with PowerShell or Command Line (CLI), now is the time to start learning.

In order to get started on managing a Nano Server, I started with the most basic of all system administration that is viewing of Event Logs to observe if there is anything wrong with the system using Windows Management Instrumentation (WMI) remotely. You can either view this article from the Microsoft TechNet Wiki which may have any improvement updates by the TechNet community on the link below;

Or carry on reading this page on the original article which I have noted in my engineering journal with some explanations on the process.

 

The Original TechNet Wiki Article on Nano Server: Viewing Application, Security and System Event Logs using WMI

Introduction
Many have asked about how to manage a Nano Server or a farm full of Nano Servers in a datacenter. Let’s start with Basic System Administration 101 on viewing the events recorded in Event Logs. The focus of this article is to manage the Event Logs using Windows Management Instrumentation (WMI) since it is most commonly used for managing large environment.

Getting Started with Nano Server Firewall Rules for WMI
With Windows Server 2016 Nano Server Technical Preview 4, Microsoft has included the Firewall management on the Nano Server Recovery Console and let us hope that it is kept this way till Windows Server 2016 RTM.

What if Microsoft removed Firewall management from Nano Server Recovery Console? Since the release of Nano Server TP3, as long as you can login connect remotely using Enter-PSSession PowerShell Cmdlet to manage the Nano Server, you will still be able to use Enable-NetFirewallRule PowerShell Cmdlet to manage your Nano Server firewall rules.

How to configure Windows Firewall in Nano Server TP4?

  1. Login to the Nano Server locally
  2. Select TAB > Down Key
  3. Select Enter Key on Firewall
  4. Select Up or Down Key to scroll the Firewall Rules

 

How to allow Windows Management Instrumentation traffic on Windows Firewall in Nano Server?

Once you can view a list of Firewall Rules within the Nano Server Recovery Console, navigate UP/DOWN to the following Firewall Rules below;

  1. Select Windows Management Instrumentation (DCOM-In)
  2. Enable this Firewall Rule by selecting F4 to toggle Enable or Disable Firewall Rule
  3. Select Windows Management Instrumentation (WMI-In)
  4. Enable this Firewall Rule by selecting F4 to toggle Enable or Disable Firewall Rule
  5. Select Windows Management Instrumentation (WMI-Out)
  6. Enable this Firewall Rule by selecting F4 to toggle Enable or Disable Firewall Rule
  7. Test your Windows Management Instrumentation (WMI) connectivity with your Nano Server in the Workgroup.

Getting Started with Windows Management Instrumentation (WMI)
Once you have verified that Get-WMIObject PowerShell Cmdlet actually can establish connectivity to the Nano Server remotely, we can begin to query the Nano Server’s event logs.

How to list available Event Log files from Nano Server TP4?

  1. Launch PowerShell with elevated privileges
  2. Input the command below;
# Get a list of available Event Log files
Get-WmiObject -ComputerName 192.168.100.28 `
    -Class Win32_NTEventLogFile `
    -Credential (New-Object `
    -TypeName System.Management.Automation.PSCredential `
    -ArgumentList "192.168.100.28\Administrator", `
        (ConvertTo-SecureString `
            -String "Password" `
            -AsPlainText `
            -Force) `
    ) ;

 

 

How to get last 30 days of Application Event Log from Nano Server TP4?

  1. Launch PowerShell with elevated privileges
  2. Input the command below;
# Get last 30 days of Application events
Get-WmiObject -ComputerName 192.168.100.28 `
    -Class Win32_NTLogEvent `
    -Filter ("(logfile='Application' " `
        + "AND (TimeWritten >'$([System.Management.ManagementDateTimeConverter]::ToDMTFDateTime((get-date).AddDays(-30)))'))") `
    -Credential (New-Object `
    -TypeName System.Management.Automation.PSCredential `
    -ArgumentList "192.168.100.28\Administrator", `
        (ConvertTo-SecureString `
            -String "Password" `
            -AsPlainText `
            -Force) `
    ) ;

 

How to get last 30 days of Security Event Log from Nano Server TP4?

  1. Launch PowerShell with elevated privileges
  2. Input the command below;
# Get last 30 days of Security events
Get-WmiObject -ComputerName 192.168.100.28 `
    -Class Win32_NTLogEvent `
    -Filter ("(logfile='Security' " `
        + "AND (TimeWritten >'$([System.Management.ManagementDateTimeConverter]::ToDMTFDateTime((get-date).AddDays(-30)))'))") `
    -Credential (New-Object `
    -TypeName System.Management.Automation.PSCredential `
    -ArgumentList "192.168.100.28\Administrator", `
        (ConvertTo-SecureString `
            -String "Password" `
            -AsPlainText `
            -Force) `
    ) ;

 

 

How to get last 30 days of System Event Log from Nano Server TP4?

  1. Launch PowerShell with elevated privileges
  2. Input the command below;
# Get last 30 days of System events
Get-WmiObject -ComputerName 192.168.100.28 `
    -Class Win32_NTLogEvent `
    -Filter ("(logfile='System' " `
        + "AND (TimeWritten >'$([System.Management.ManagementDateTimeConverter]::ToDMTFDateTime((Get-Date).AddDays(-30)))'))") `
    -Credential (New-Object `
    -TypeName System.Management.Automation.PSCredential `
    -ArgumentList "192.168.100.28\Administrator", `
        (ConvertTo-SecureString `
            -String "Password" `
            -AsPlainText `
            -Force) `
    ) ;

 

 

 

How to backup Event Log on Nano Server TP4?
Let us take a look at the Nano Server C:\ Drive content prior to initiate a backup of the Event Log file locally.

  1. Launch PowerShell with elevated privileges
  2. Input the command below;
    # Backup Security Event Log file from Nano Server TP4 (IP Address = 192.168.100.28) to Local Host
    (Get-WmiObject -ComputerName 192.168.100.28 `
        -Class Win32_NTEventLogFile `
        -Filter "(logfilename = 'Security')" `
        -Credential (New-Object `
        -TypeName System.Management.Automation.PSCredential `
        -ArgumentList "192.168.100.28\Administrator", `
            (ConvertTo-SecureString `
                -String "Password" `
                -AsPlainText `
                -Force) `
        )).BackupEventLog("C:\NanoServer-192-168-100-28-Security-EventLog.evtx") ;
    

  3. Check that the Event Log is being backup locally at the specified path within the Nano Server locally.

 

 

 

 

How to clear Event Log on Nano Server TP4?

  1. Launch PowerShell with elevated privileges
  2. Input the command below;
    # Clear Security Event Log file from Nano Server TP4 (IP Address = 192.168.100.28)
    (Get-WmiObject -ComputerName 192.168.100.28 `
        -Class Win32_NTEventLogFile `
        -Filter "(logfilename = 'Security')" `
        -Credential (New-Object `
        -TypeName System.Management.Automation.PSCredential `
        -ArgumentList "192.168.100.28\Administrator", `
            (ConvertTo-SecureString `
                -String "Password" `
                -AsPlainText `
                -Force) `
        )).ClearEventLog() ;
    

      

  3. Check that the Event Log is cleared

 

 

Alternatives

There is another alternative in managing Event Log file in a Nano Server and below is a demostration of WevtUtil resizing the Seucirty Event Log maximum log file size.

How to resize the Security Event Log maximum size on Nano Server?

  1. Launch PowerShell with elevated privileges
  2. Connect to Nano Server using Enter-PSSession PowerShell Cmdlet
  3. Resize the Security Event Log maximum file size by inputting the command below;
    # Increase the Security Event Log File Size
    wevtutil sl Security /ms:4194240
    
  4. Check the Security Event Log maximum file size using Get-WmiObject PowerShell Cmdlet

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s