Introduction to Scripting Eventlog on a Remote Computer
Remoting is the biggest improvement in PowerShell v2.0. On this page we will see how to apply the -computer parameter to Get-EventLog, and thus view errors on a network computer.

In the case of Windows 7 and Server 2008, you don't need to download any extra files; just 'Add Feature' Windows PowerShell. However, for older operating systems installing can be confusing, because there are different versions of PowerShell for XP, Windows Server 2003 and Vista. For such legacy systems only, you need to download PowerShell from Microsoft's site.

Once you have installed PowerShell 2.0, I recommend choosing the ISE (Integrated Scripting Environment) version; it will save you buying a text editor.
Here is a modification of Example 1 which makes the script ready-to-run on a remote computer.
# PowerShell script to list the event logs on a remote computer
# Just change "LocalHost" to the name of YOUR remote computer
Clear-Host
$Machine = "LocalHost"
# -List shows the logs available on that machine; -ComputerName is the
# full name of the parameter this page abbreviates to -computer
Get-EventLog -List -ComputerName $Machine
Note 1: All you have to do is change "LocalHost" to a computer name on your network.
Note 2: PowerShell v2.0 brings with it remoting capabilities, which you access via the -computer parameter (the full parameter name is -ComputerName; PowerShell accepts the shorter prefix).
Troubleshooting Remoting: If the script works on your local machine but not on the network computer, see how to set up TrustedHosts.
PowerShell's Get-EventLog is tricky to operate. What makes it easier is focusing on the parameters, especially -logname and, for remoting, -computer. Once you get the basics working there is a wealth of techniques and properties you can apply to this most versatile cmdlet.

Scenario: You need to investigate a particular EventID. Important: Amend my value of -lt '100' to -eq 'YourNumber'. Do remember the speech marks. Optional: Change "LocalHost" to "YourNetworkMachine".
# PowerShell Remote EventLog example with specific EventID
Clear-Host
$Machine = "LocalHost"
# -Newest 1000 reads only the 1000 most recent System entries on $Machine;
# a trailing pipe continues the command on the next line, so no backtick is needed
Get-EventLog -LogName System -ComputerName $Machine -Newest 1000 |
    Where-Object { $_.EventID -lt '100' } |
    Format-Table MachineName, Source, EventID -AutoSize
Note 3: Please change -lt to -eq, and '100' to the EventID you are researching.
Note 4: The above script is ready for remoting; just change the value of the $Machine variable.
To get the most out of Get-EventLog even experts turn to the trusty PowerShell techniques of Get-Help and Get-Member. Once you understand the basics, there is huge enjoyment and satisfaction in getting the right script for the right job.

Checking the help file will reveal useful parameters. Always remember to define the log with -logname. I particularly like -newest, but for detailed research -before or -after may be more useful. When you define the output with Format-Table or Out-File, it makes life easier if you choose just the relevant properties, for example Source, TimeWritten and Message.
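Putting the EventID scenario above together with the -after and property-selection advice in this section, here is an added example of mine (not a script from the original page): a function that searches one or more computers for one EventID within a time window, keeps only the useful properties, and can save the hits to a CSV file. The function name Find-RemoteEvent, the default EventID and the machine names are my own assumptions; the account running it needs read access to the remote log and the Remote Event Log Management firewall rule open on the target.

```powershell
# Added example, not from the original page. Get-EventLog -ComputerName talks to the
# remote Event Log service over RPC, so it does not depend on WinRM being enabled.
function Find-RemoteEvent {
    param(
        [string[]]$ComputerName = @("LocalHost"),   # replace with your machine names
        [string]$LogName  = "System",
        [int]$EventID     = 6008,                   # sample default: unexpected shutdown
        [datetime]$After  = (Get-Date).AddDays(-7), # -After trims the read at the source
        [string]$OutFile  = $null                   # optional CSV path
    )
    $results = foreach ($machine in $ComputerName) {
        try {
            # -ErrorAction Stop turns an RPC/access failure into a catchable error
            Get-EventLog -LogName $LogName -ComputerName $machine -After $After -ErrorAction Stop |
                Where-Object { $_.EventID -eq $EventID } |
                Select-Object MachineName, TimeWritten, EntryType, Source, EventID, Message
        }
        catch {
            # One unreachable machine must not abort the whole run: warn and carry on
            Write-Warning ("{0}: {1}" -f $machine, $_.Exception.Message)
        }
    }
    if ($OutFile) {
        # Export-Csv keeps the multi-line Message intact, unlike Format-Table | Out-File
        $results | Export-Csv -Path $OutFile -NoTypeInformation
    }
    return $results
}

# Usage: show the hits on screen, most recent first, and keep a CSV copy for the record
Find-RemoteEvent -ComputerName "LocalHost" -EventID 6008 -OutFile "$env:TEMP\eventid-hits.csv" |
    Sort-Object TimeWritten -Descending |
    Format-Table MachineName, TimeWritten, Source, EventID -AutoSize
```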
Researching Similar PowerShell Cmdlets
# PowerShell Get-EventLog Cmdlet Research
Clear-Host
Get-Command -Noun EventLog
The main result is to realize that Get-EventLog has sister commands: Write-EventLog, and also Clear-EventLog.
Remoting is the biggest improvement in PowerShell v2.0. On this page we have seen the importance of the -computer parameter for interrogating event logs. As a bonus we have experimented with listing EventIDs on both local and remote computers.