Taking Control of VM Sprawl (Part 8)

by [Published on 6 Oct. 2015 / Last Updated on 6 Oct. 2015]

This article explains how to extract individual Hyper-V VM creation events from the event logs.

If you would like to read the other parts in this article series please go to:

In my previous article, I explained that the key to keeping VM creation in check is often to keep a close eye on event log entries. I went on to explain that there are a few different methods that you can use to retrieve log entries through PowerShell, but in this article I want to show you one particular PowerShell cmdlet called Get-WinEvent. Knowing how to use this cmdlet can be tremendously beneficial when tracking VM creation and removal.

So why am I showing you how to use the Get-WinEvent cmdlet? Well, the event logs have evolved a lot over the years. As you have already seen in this article series, there are classic event logs such as the System logs and the Application logs, but there are also some newer, really granular logs. These newer logs are classified by the operating system as application and service logs. Some sites refer to these logs as views rather than as true logs, but Microsoft really does treat them as logs. Unfortunately, there isn’t really a good way to access the contents of the application and service logs using legacy commands. The tool of choice for accessing the newer logs is Get-WinEvent.

So with that said, let’s talk about Hyper-V logging. As I mentioned in one of the previous articles, there are a series of logs used by Hyper-V. If we are going to delve into these logs by using PowerShell then we need to know the exact log names (as used internally by PowerShell). The easiest way to retrieve a list of Hyper-V logs is to use the following command:

Get-WinEvent –ListLog Microsoft-Windows-Hyper-V*

You can see the output from this command in Figure A.

Image
Figure A: PowerShell displays the Hyper-V specific logs.

So what if we wanted to delve into an individual log to start looking at virtual machine creation and deletion events. As discussed in a previous article, virtual machine creation is tied to event 13002. Virtual machine deletion is reflected by event 13003. In my previous article, I incorrectly stated that these events were located in the Hyper-V-Worker\Admin log. In actuality, virtual machine creation and deletion is logged in the Hyper-V-VMMS\Admin log.

This brings up an important point. In the Event Viewer, this log is listed as Hyper-V-VMMS | Admin. If you look at the screen capture above however, you will see that PowerShell references this log as Microsoft-Windows-Hyper-V-VMMS-Admin. So now that we know which event log entries we are interested in, which log potentially contains those entries, and which PowerShell cmdlet to use, we are well on our way to building a virtual machine creation and deletion report.

OK, so let’s start simply. Suppose for a moment that you wanted to see the full contents of the Microsoft-Windows-Hyper-V-VMMS-Admin log. You could do so by using the following command:

Get-WinEvent –LogName Microsoft-Windows-Hyper-V-VMMS-Admin

The problem with using this command of course is that there are typically thousands of entries in this log. We need to narrow things down a bit. So with that said, let’s search the log for occurrences of event ID 13002. To do so, we could use this command:

Get-WinEvent –LogName Microsoft-Windows-Hyper-V-VMMS-Admin | Where {$_.ID –eq “13002”}

You can see this command’s output in Figure B.

Image
Figure B: We can view virtual machine creation events through PowerShell.

So obviously this information is helpful, but it may not be all that useful just yet. Think about it for a moment. This is a lab server, and yet there are a lot of events listed. Furthermore, the listed events span a period of about six months. If we really want this information to be useful, we need to narrow it down some more.

So what kind of information might be useful to us? Maybe a better question is what types of information are available? Once we know the answer to that question then we can filter the output accordingly and we can display the most relevant information. If you want to see the fields that are available for filtering then you can use the following command:

Get-WinEvent –LogName Microsoft-Windows-Hyper-V-VMMS-Admin | Select-Object *

You will probably want to press Ctrl+C to stop the output early on because the command listed above will display a ton of information. Even so, it will tell you the names of the fields that you can filter on and / or display. The fields that are available include:

Message

ID

Version

Qualifiers

Level

Task

Opcode

Keywords

RecordID

ProviderName

ProviderID

LogName

ProcessID

ThreadID

MachineName

UserID

TimeCreated

ActivityID

RelatedActivityID

ContainerLog

MatchedQueryIds

Bookmark

LevelDisplayName

OpCodeDisplayName

TaskDisplayName

KeywordsDisplayNames

Properties

You can see what these fields look like in Figure C.

Image
Figure C: These are the parameter names that you can reference when querying event logs.

So how might this information be useful to us? Well, we could possibly create a report showing who created virtual machines and when. Such a report would probably also benefit from displaying the virtual machine name.

Another possible option might be to display a simple report showing how many virtual machines were created and how many virtual machines were deleted within the last week. Such a report could be used to show trends rather than displaying statistics pertaining to individual virtual machines.

Of course as we create reports there are a few things that have to be kept in mind. First of all, we probably don’t want to examine a single server, but rather a collection of Hyper-V host servers. Another consideration is that the output shown above displays the user’s ID rather than the username, so we would probably want to translate the output to show the name of the user who performed the action.

As you can imagine, building these types of reports is going to take some work, but for right now I want to show you how to count virtual machine creation and deletion events. As previously noted, my log spans six months. I’m not going to narrow down the date range just yet. I just want to show you how to display trends. So with that said, if you want to track the number of virtual machine creations and deletions, you can do so using the following lines of code:

$CreateEvents = Get-WinEvent –LogName Microsoft-Windows-Hyper-V-VMMS-Admin | Where {$_.ID –eq “13002”}

$DeleteEvents = Get-WinEvent –LogName Microsoft-Windows-Hyper-V-VMMS-Admin | Where {$_.ID –eq “13003”}

$CreateEvents.count

$DeleteEvents.count

So what I am doing here is creating two variables - $CreateEvents and $DeleteEvents. The $CreateEvents variable holds all occurrences of event 13002. The $DeleteEvents variable contains all of the occurrences of event 13003. The last two lines of code display the number of times that these events have occurred. You can see what this code looks like in action in Figure D.

Image
Figure D: We can count the number of creations and deletions that have occurred.

Conclusion

As you can see, we have a lot of work ahead of us. In the next article, I will show you how to build on this technique and begin filtering the output in order to create some of the previously described reports.

If you would like to read the other parts in this article series please go to:

See Also


The Author — Brien M. Posey

Brien M. Posey avatar

Brien Posey is an MCSE and has won the Microsoft MVP award for the last few years. Brien has written well over 4,000 technical articles and written or contributed material to 27 books.

Advertisement

Featured Links