bill-long/Stop-TTTraceOnEvent.ps1

## Stop-TTTraceOnEvent.ps1
# Events to watch for

$event1 = New-Object -TypeName PSObject -Prop (@{'ID'='2080'; 'Source'='MSExchange ADAccess'; 'Message'="In-site:`r`nSX"})
$interestingEvents = @($event1)

# Monitor event log for specific event ID
function WaitForEvent($logName, $eventsToWatchFor, $serverName)
{
    "Started watching " + $logName + " log on server " + $serverName + " for the following events: "
    $eventsToWatchFor

    $eventLog = new-object System.Diagnostics.EventLog($logName, $serverName)
    $latestEvent = $eventLog.Entries[$eventLog.Entries.Count - 1]
    $lastEventTime = $latestEvent.TimeWritten
    $foundEvent = $false

    while (!$foundEvent)
    {
        Start-Sleep 20
        $eventLog = new-object System.Diagnostics.EventLog($logName, $serverName)
        $latestEvent = $eventLog.Entries[$eventLog.Entries.Count - 1]
        if ($latestEvent.TimeWritten -gt $lastEventTime)
        {
            # We have new events. Check to see if any are the ID we care about.
            for ($x = $eventLog.Entries.Count - 1; $x -ge 0; $x--)
            {
                $thisEvent = $eventLog.Entries[$x]
                if ($thisEvent.TimeWritten -lt $lastEventTime)
                {
                    # Then we're done, we've checked all events since the last one we saw.
                    $lastEventTime = $eventLog.Entries[$eventLog.Entries.Count - 1].TimeWritten
                    break
                }

                "Found new event with Source: " + $thisEvent.Source + " and ID: " + $thisEvent.EventID.ToString()
                foreach ($interestingEvent in $eventsToWatchFor)
                {
                    if ($thisEvent.EventID -eq $interestingEvent.ID -and $thisEvent.Source -eq $interestingEvent.Source -and $thisEvent.Message.Contains($interestingEvent.Message))
                    {
                        "This is the event we're looking for!"
                        "Event ID: " + $thisEvent.EventID.ToString()
                        "Source: " + $thisEvent.Source
                        "Time: " + $thisEvent.TimeGenerated.ToString()
                        "Message: " + $thisEvent.Message
                        $foundEvent = $true
                        break
                    }
                }

                if ($foundEvent)
                {
                    break
                }
            }
        }
    }
}

WaitForEvent Application $interestingEvents $localComputerName

tttracer -stop all

"Data collection complete."
	# Events to watch for

	$event1 = New-Object -TypeName PSObject -Prop (@{'ID'='2080'; 'Source'='MSExchange ADAccess'; 'Message'="In-site:`r`nSX"})
	$interestingEvents = @($event1)

	# Monitor event log for specific event ID
	function WaitForEvent($logName, $eventsToWatchFor, $serverName)
	{
	"Started watching " + $logName + " log on server " + $serverName + " for the following events: "
	$eventsToWatchFor

	$eventLog = new-object System.Diagnostics.EventLog($logName, $serverName)
	$latestEvent = $eventLog.Entries[$eventLog.Entries.Count - 1]
	$lastEventTime = $latestEvent.TimeWritten
	$foundEvent = $false

	while (!$foundEvent)
	{
	Start-Sleep 20
	$eventLog = new-object System.Diagnostics.EventLog($logName, $serverName)
	$latestEvent = $eventLog.Entries[$eventLog.Entries.Count - 1]
	if ($latestEvent.TimeWritten -gt $lastEventTime)
	{
	# We have new events. Check to see if any are the ID we care about.
	for ($x = $eventLog.Entries.Count - 1; $x -ge 0; $x--)
	{
	$thisEvent = $eventLog.Entries[$x]
	if ($thisEvent.TimeWritten -lt $lastEventTime)
	{
	# Then we're done, we've checked all events since the last one we saw.
	$lastEventTime = $eventLog.Entries[$eventLog.Entries.Count - 1].TimeWritten
	break
	}

	"Found new event with Source: " + $thisEvent.Source + " and ID: " + $thisEvent.EventID.ToString()
	foreach ($interestingEvent in $eventsToWatchFor)
	{
	if ($thisEvent.EventID -eq $interestingEvent.ID -and $thisEvent.Source -eq $interestingEvent.Source -and $thisEvent.Message.Contains($interestingEvent.Message))
	{
	"This is the event we're looking for!"
	"Event ID: " + $thisEvent.EventID.ToString()
	"Source: " + $thisEvent.Source
	"Time: " + $thisEvent.TimeGenerated.ToString()
	"Message: " + $thisEvent.Message
	$foundEvent = $true
	break
	}
	}

	if ($foundEvent)
	{
	break
	}
	}
	}
	}
	}

	WaitForEvent Application $interestingEvents $localComputerName

	tttracer -stop all

	"Data collection complete."