If you collate and report on the Netlogon.log files from Domain Controllers, you’ll notice that many existing scripts may fail to correctly split the lines when processing the logs from Windows 2012 Domain Controllers; unless of course you’ve already noticed and made an allowance for it.
Here is a sample of the contents from a Windows 2008 R2 Netlogon.log file:
Here is a sample of the contents from a Windows 2012 R2 Netlogon.log file:
The additional field in square brackets is the process ID (PID). This is a new feature introduced in Windows Server 2012, Windows 8 and later: the Netlogon.log now records the process ID of the application that logged the event. So the fields within the Netlogon.log now differ from those of older Windows operating systems.
I have not read or found a single article from Microsoft to explain this other than one mention in a TechNet blog.
I’m not complaining, as this is very handy information, but it had broken a couple of my scripts, as it caught me by surprise. It would be nice if Microsoft had released updates for older OSes too.
It’s no big deal, and easily fixed in a script either by processing the fields differently depending on the OS version, or by using a regular expression to remove the PID field when you read the Netlogon.log file with the Get-Content cmdlet.
For example:
$NetlogonLog = Get-Content -Path $pathtothenetlogondotlogfile\Netlogon.log | Foreach-Object {$_ -replace "\[\d{1,5}\] ", ""}
So now when you export this to a CSV, all fields across all Netlogon.log files will be consistent.
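An alternative to discarding the PID is to parse it into its own column so that lines from both OS generations produce the same CSV fields. The following is an added example, not the script from this post; the field layout (date, time, [category], optional [PID], message) and the sample lines are constructed for the example, and the regex is anchored to the start of the line so a bracketed number inside the message text is never mistaken for the PID.

```powershell
# Added example: parse Netlogon.log lines from pre-2012 and 2012+ Domain
# Controllers into objects with identical columns. The PID column is filled
# on 2012+ and left empty on older OSes, so Export-Csv output stays consistent.
function ConvertFrom-NetlogonLine {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Line,
        [string]$Source = ''          # e.g. the DC name; assumed, not in the post
    )
    process {
        # Anchored with ^ so only the field directly after the category is
        # treated as the PID; "\[\d{1,5}\] " alone would also strip a bracketed
        # number that happens to appear later in the message.
        $pattern = '^(?<Date>\d{2}/\d{2})\s+(?<Time>\d{2}:\d{2}:\d{2})\s+' +
                   '\[(?<Category>[A-Z]+)\]\s+(?:\[(?<ProcessId>\d{1,5})\]\s+)?(?<Message>.*)$'
        if ($Line -match $pattern) {
            # Group is absent on older OSes, so $Matches has no ProcessId key.
            $procId = if ($Matches.ContainsKey('ProcessId')) { [int]$Matches['ProcessId'] } else { $null }
            [pscustomobject]@{
                Source    = $Source
                Date      = $Matches['Date']
                Time      = $Matches['Time']
                Category  = $Matches['Category']
                ProcessId = $procId
                Message   = $Matches['Message']
            }
        }
        else {
            Write-Warning "Unparsed line in ${Source}: $Line"
        }
    }
}

# Constructed sample lines (not real log data): one in the 2008 R2 layout
# without a PID, one in the 2012 R2 layout with a PID.
$samples = @(
    '03/17 10:36:22 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\alice from WKS01 Returns 0x0',
    '03/17 10:36:22 [LOGON] [1234] CONTOSO: SamLogon: Network logon of CONTOSO\alice from WKS01 Returns 0x0'
)

# Both lines yield the same column set; ProcessId is empty for the first.
$samples | ConvertFrom-NetlogonLine -Source 'DC01' | ConvertTo-Csv -NoTypeInformation
```

For real files, pipe `Get-Content -Path $pathtothenetlogondotlogfile\Netlogon.log` into `ConvertFrom-NetlogonLine` and replace `ConvertTo-Csv` with `Export-Csv`.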
I hope this quick post helps to remove any confusion.
See here for the full script.