The benefit of using either PowerShell or VBScript to interrogate the event logs is that you get fine control over filtering for a particular error or warning.
On this page I have chosen to ask Get-WmiObject to retrieve the WMI class Win32_NTLogEvent, rather than employ the simpler Get-EventLog.
In the case of Windows 7 and later, you don't need to download any extra files, just: 'Add Feature' --> Windows PowerShell.
However, for older operating systems there are different versions of PowerShell for XP, Windows Server 2003 and Vista. For such legacy systems only, you need to download PowerShell from Microsoft's site.
Once you have installed PowerShell 2.0 or later, I recommend choosing the ISE (Integrated Scripting Engine) version; it will save buying a text editor.
Warning: From a learning point of view Example 1 is the best place to start, but from a practical point of view I would go to Example 2, because this first script takes too long and returns too much data.
The purpose of this raw script, which just uses Get-WmiObject (GWMI), is to return all the event log items, in all of the logs!

# PowerShell script to list the event logs.
Get-WmiObject -class Win32_NTLogEvent
Learning Points
Note 1a: The hash # symbol is PowerShell's way of introducing a comment.
Note 1b: -class is optional; it is assumed that the first (positional) parameter is the WMI class.
This variation on Example 1 filters the event logs on two properties, logfile = 'Application' and type = 'Error'; furthermore, this PowerShell script formats the output into a table.
Note 2a: The backtick ` enables the command to continue onto the next line.
Note 2b: The crucial construction is -filter. To see what I mean, have a look at the next example, which features SELECT * FROM ... WHERE.
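The -filter construction described above, as an added example that is not one of the page's own scripts: it narrows the Application log to errors from the last 24 hours (the time window and the EventCode summary are my additions, not part of Example 2), using the backtick to continue the command. It assumes PowerShell 2.0 or later with Get-WmiObject and an account permitted to read the Application log.

```powershell
# Added example, not from the original page.
# Filter Application-log errors from the last 24 hours with -Filter,
# then summarise which event IDs and sources fire most often.
# Assumptions: PowerShell 2.0+, local machine, reader access to the Application log.

# WQL compares timestamps as DMTF strings (yyyymmddHHMMSS.ffffff+UUU),
# so convert the cut-off time into that format first.
$since = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddHours(-24))

# The backtick lets the filter sit on its own line for readability.
$Errors = Get-WmiObject -Class Win32_NTLogEvent `
    -Filter "Logfile='Application' AND Type='Error' AND TimeGenerated>='$since'"

# Which event IDs recur? A noisy or failing component shows up at the top.
$Errors |
    Group-Object EventCode, SourceName |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10 |
    Format-Table -AutoSize

# One row per event, with the DMTF timestamp turned into a readable DateTime.
$Errors |
    Select-Object @{Name='Time'; Expression={ $_.ConvertToDateTime($_.TimeGenerated) }},
                  EventCode, SourceName, Message |
    Sort-Object Time -Descending |
    Format-Table -AutoSize -Wrap
```

Pushing the time window into the WQL -Filter, rather than piping everything to Where-Object, is what keeps this fast on a busy server: WMI only returns the rows that match instead of the whole log.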
The example below achieves the same result as before but uses -query coupled with SELECT * FROM.

Clear-Host
$Logs = Get-WmiObject -query `
"SELECT * FROM Win32_NTLogEvent WHERE (logfile='Application') AND (type='error')"
$Logs | Format-Table EventCode, EventType, Message -auto
Where Next?
These are just examples of WMI Win32_NTLogEvent; now it's up to you to modify my examples to suit your task. For example, you may wish to change logfile = 'Application' to logfile = 'System'. I would also consider changing the columns in the output, perhaps removing EventCode and adding SourceName.
Researching More Properties with Get-Member (GM)
Whenever you discover a new PowerShell command, it benefits from being checked over with Get-Member; invariably this throws up unexpected properties. To see what I mean, try:
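The two suggestions above (the -query form against the System log with SourceName in the output, and checking the result with Get-Member) combined into one added example that is not from the original page. SERVER01 is a placeholder for a machine you are allowed to read; omit -ComputerName to query the local machine. It assumes PowerShell 2.0 or later.

```powershell
# Added example, not from the original page.
# -Query form against the System log, then Get-Member to discover which
# properties are worth showing before choosing the output columns.
# Assumptions: PowerShell 2.0+; $Server is a placeholder (change or drop -ComputerName).
$Server = 'SERVER01'

$Query  = "SELECT * FROM Win32_NTLogEvent WHERE Logfile='System' AND (Type='Error' OR Type='Warning')"
$Events = Get-WmiObject -Query $Query -ComputerName $Server

# Step 1: what came back? Get-Member lists every property the class exposes,
# including ones Event Viewer does not show as columns, such as InsertionStrings and RecordNumber.
$Events | Get-Member -MemberType Property | Select-Object Name, Definition

# Step 2: pick the properties that matter for triage, with SourceName in place of the
# bare EventCode-only view, and the DMTF timestamp converted to a DateTime.
$Events |
    Select-Object @{Name='Time'; Expression={ $_.ConvertToDateTime($_.TimeGenerated) }},
                  Type, SourceName, EventCode, RecordNumber, Message |
    Sort-Object Time -Descending |
    Format-Table -AutoSize -Wrap

# Step 3: keep a copy so a later run can be compared against this one.
$Events |
    Select-Object ComputerName, Logfile, Type, SourceName, EventCode, TimeGenerated, Message |
    Export-Csv -Path "$env:TEMP\System-events.csv" -NoTypeInformation
```

Run Step 1 once on a new class and read the Definition column: it tells you the data type of each property, which is how you learn that TimeGenerated is a string in DMTF format rather than a DateTime, and why ConvertToDateTime is needed in Step 2.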
The Windows logs are a victim of their own success: there are too many entries. The benefit of a good script is that you filter out just the messages that are of interest. Through experimenting with PowerShell WMI scripts you can fine-tune the results to achieve your mission in ways that are not possible with Event Viewer.
See more PowerShell examples to read, write and list Windows event logs
Please email me if you have a better example script. Also please report any factual mistakes, grammatical errors or broken links; I will be happy to correct the fault.
Windows Management Instrumentation (WMI) is
most useful for PowerShell scripting.