Reputation: 1139
I need some way to show the IP address and the hostname based on the Win-Event query below:
Script:
$date = Get-date -Format "dd-MM_hh_mm"
$FilePath = ([Environment]::GetFolderPath("Desktop") + "\DCOMErrors_$date.txt")
Clear-Host
Write-Host "`r`nGathering DCOM ID:10028 errors from $env:computername system"
$DCOM = Get-WinEvent System | Where-Object { ($_.ProviderName -like "Microsoft-Windows-DistributedCOM") -and ($_.ID -like "10028") }
Write-Host "`r`nProcessing DCOM messages"
$DCOMHash = New-Object "System.Collections.Generic.List[System.Object]"
$DCOM | ForEach-Object -Process {
$DCOMfr = $DCOMline.Message.IndexOf("computer", 1)
$DCOMto = $DCOMline.message.IndexOf("using")
$DCOMip = ""
$DCOMip = $DCOMline.message.substring($DCOMfr + 9, $DCOMto - $DCOMfr - 9)
$DCOMhostname = If ([System.Net.Dns]::GetHostEntry($DCOMip)) { [System.Net.Dns]::GetHostEntry($DCOMip) } else { try { [System.Net.Dns]::GetHostEntry($DCOMip) } catch { $_.Exception.Message } }
$DCOMhash += $DCOMip -replace '\.$'
}
Out-File -filepath
"Total DCOM Error Count: " + $DCOMhash.count | Export-Csv -FilePath $FilePath -Append
$DCOMhash | Group-Object | Sort-Object Count -Descending | Format-Table -Property Name, Count | Out-File -FilePath $FilePath -Append
Write-Host "Result of the script to gather the IPs with DCOM errors associated with them `r`n There is now a text file on the desktop with the output, Opening txt file in"
ii $FilePath
The above attempt is not producing a meaningful result like the one in the sample result below.
Current Output:
Total DCOM Error Count: 1000
Name Count
---- -----
1000
Expected Result:
> Total DCOM Error Count: 1000
> Name Hostname Count
> ---- -------- -----
> 1.1.1.1 AD01 400
> 1.1.2.2 AD02 300
> 2.2.2.2 N/A 500
In case it is required, below is a sample of Event ID 10028:
Log Name: System
Source: Microsoft-Windows-DistributedCOM
Date: 27/10/2020 12:57:25 PM
Event ID: 10028
Task Category: None
Level: Error
Keywords: Classic
User: SYSTEM
Computer: MON01.server-farm.com
Description:
DCOM was unable to communicate with the computer 1.1.1.1 using any of the configured protocols; requested by PID 61a0 (C:\Program Files (x86)\Common Files\SolarWinds\JobEngine.v2\SWJobEngineWorker2x64.exe).
> Event Xml: <Event
> xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
> <System>
> <Provider Name="Microsoft-Windows-DistributedCOM" Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}" EventSourceName="DCOM"
> />
> <EventID Qualifiers="0">10028</EventID>
> <Version>0</Version>
> <Level>2</Level>
> <Task>0</Task>
> <Opcode>0</Opcode>
> <Keywords>0x8080000000000000</Keywords>
> <TimeCreated SystemTime="2020-10-27T01:57:25.776635700Z" />
> <EventRecordID>72256491</EventRecordID>
> <Correlation />
> <Execution ProcessID="976" ThreadID="9500" />
> <Channel>System</Channel>
> <Computer>MON01.server-farm.com</Computer>
> <Security UserID="S-1-5-18" /> </System> <EventData>
> <Data Name="param1">10.10.5.165</Data>
> <Data Name="param2"> 61a0</Data>
> <Data Name="param3">C:\Program Files (x86)\Common Files\SolarWinds\JobEngine.v2\SWJobEngineWorker2x64.exe</Data>
> <Binary>12934761728346172846987569874562345ABCDEF</Binary> </EventData> </Event>
Upvotes: 0
Views: 884
Reputation: 8868
You've got several issues throughout this script.
First, you are pulling all system logs then filtering which is going to be slow. Any of the filter options (filterhashtable, filterxpath, filterxml) would speed this up tremendously.
Second, you are running a Foreach-Object loop but are referencing some random variable name $DCOMline when you should be referencing $_.
Third, DCOMhostname is attempting to be populated but it's never used again. This entire section seems misguided. If successful or failed, GetHostEntry would be run twice per "name". Also found $DCOMip had an extra space at the end causing GetHostEntry to fail for all.
Fourth, a random Out-File -filepath.
Fifth, the text "Total DCOM Error Count: " + $DCOMhash.count are attempting to be exported as CSV. Seems you want to use Set/Add content there.
Sixth, Format-Table should only be used for console output, not for pipeline or writing to file.
Seventh, Out-File is used where that seems like the appropriate spot to export CSV.
Eighth, you appear to be trying to group on name but also expect to get the hostname in the output. You can also add it to group-object -property but if there are many different hostnames for each name it will only list one of them.
All that said, this will get you the name (ip) and count, as well as name and hostname in the $DCOMhash variable.
$date = Get-date -Format "dd-MM_hh_mm"
$FilePath = ([Environment]::GetFolderPath("Desktop") + "\DCOMErrors_$date.txt")
Clear-Host
Write-Host "`r`nGathering DCOM ID:10028 errors from $env:computername system"
$DCOM = Get-WinEvent -FilterHashtable @{
LogName = 'System'
ProviderName = "Microsoft-Windows-DistributedCOM"
ID = "10028"
}
Write-Host "`r`nProcessing DCOM messages"
$DCOMHash = New-Object "System.Collections.Generic.List[System.Object]"
$DCOM | ForEach-Object -Process {
$DCOMfr = $_.Message.IndexOf("computer", 1)
$DCOMto = $_.message.IndexOf("using")
$DCOMip = ""
$DCOMip = $_.message.substring($DCOMfr + 9, $DCOMto - $DCOMfr - 9).trim()
try
{
$DCOMhostname = [System.Net.Dns]::GetHostEntry($DCOMip).hostname -replace '\.$'
}
catch
{
$DCOMhostname = "N/A"
}
$DCOMhash.Add([PSCustomObject]@{
Name = $DCOMip
HostName = $DCOMhostname
})
}
$DCOMhash | Group-Object -Property name | select name,count | Sort-Object Count -Descending
Upvotes: 2
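As an added example (not the asker's script nor the answerer's version), the script below carries the answer's points through to the output the question asked for: a server-side FilterHashtable, the remote address taken from the event's first replacement string (the `param1` value visible in the Event XML above) with the IndexOf/Substring approach kept only as a regex fallback, one reverse lookup per unique address with failures recorded as N/A, and a Name/Hostname/Count table written with Export-Csv while the free-text total goes through Add-Content. The function names `Get-DcomTargetAddress` and `Resolve-DcomTarget`, the `.csv` file name, and the lookup cache are my own choices and not from the page. Export-Csv is run before Add-Content because `-Append` checks the file's first line as a CSV header and would reject a file that starts with the total line.

```powershell
# Added example, not code from the question or the answer.
# Assumed names: Get-DcomTargetAddress, Resolve-DcomTarget, DCOMErrors_<date>.csv

$date     = Get-Date -Format "dd-MM_HH_mm"
$FilePath = Join-Path ([Environment]::GetFolderPath("Desktop")) "DCOMErrors_$date.csv"

Write-Host "`r`nGathering DCOM ID:10028 errors from $env:computername system"

# Filter on the server side instead of piping every System event through Where-Object
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-DistributedCOM'
    Id           = 10028
} -ErrorAction SilentlyContinue

function Get-DcomTargetAddress {
    param([Parameter(Mandatory)] $Event)
    # param1 of event 10028 is the unreachable computer (see the Event XML on the page);
    # prefer the structured property over substring arithmetic on the message text.
    if ($Event.Properties.Count -ge 1 -and $Event.Properties[0].Value) {
        return ([string]$Event.Properties[0].Value).Trim()
    }
    # Fallback on the message text, equivalent to the IndexOf/Substring approach
    if ($Event.Message -match 'with the computer\s+(\S+?)\s+using') {
        return $Matches[1]
    }
    return $null
}

$dnsCache = @{}
function Resolve-DcomTarget {
    param([Parameter(Mandatory)][string] $Address)
    # One reverse lookup per unique address; a failed lookup is recorded as N/A
    if (-not $dnsCache.ContainsKey($Address)) {
        try {
            $dnsCache[$Address] = [System.Net.Dns]::GetHostEntry($Address).HostName -replace '\.$'
        } catch {
            $dnsCache[$Address] = 'N/A'
        }
    }
    return $dnsCache[$Address]
}

Write-Host "`r`nProcessing DCOM messages"

$targets = foreach ($e in $events) {
    $addr = Get-DcomTargetAddress -Event $e
    if ($addr) { $addr -replace '\.$' }
}

# Group on the address only; the hostname is resolved per group afterwards,
# so an address with several reverse-DNS answers still yields exactly one row.
$report = @($targets) | Group-Object | Sort-Object Count -Descending | ForEach-Object {
    [PSCustomObject]@{
        Name     = $_.Name
        Hostname = Resolve-DcomTarget -Address $_.Name
        Count    = $_.Count
    }
}

# Export-Csv writes the table; Add-Content appends the free-text total line
$report | Export-Csv -Path $FilePath -NoTypeInformation
Add-Content -Path $FilePath -Value "Total DCOM Error Count: $(@($targets).Count)"

# Format-Table is for the console only, never for the file
$report | Format-Table -AutoSize
Write-Host "`r`nResults written to $FilePath"
```

Run it in an elevated PowerShell session on the host that logs the 10028 errors; the CSV can then be opened with Import-Csv if the counts need further processing, which is why the table is not passed through Format-Table before being written.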