Ezine 173 – PowerShell for Event Viewer

Ezine 173 – PowerShell for Event Viewer

In this week’s ezine I will show you how to employ PowerShell to extract information from the operating system’s event logs.


This Week’s Secret

One of the hidden benefits of learning any scripting language is that you gain better understanding of the operating system.  PowerShell encourages you to look in the event logs, something you many not have done for a while.  One reason why you may not pay as much attention to the Event logs as you should is their sheer volume of entries.  The benefit of using PowerShell is that it’s easier to create custom filters.  For examples, scripts which list not just errors, but disk errors.

This Week’s Mission – To Interrogate the Event Logs

This week I want to show you how PowerShell can filter information from the event logs.  The more that I use PowerShell to interrogate the logs, the more ideas I get for checks on the operating system.  And to complete this virtuous loop, the more I put these ideas into action, the more I learn about PowerShell.  My point is that while I will give you examples to get you started, it is my fervent wish that you will modify my examples to extract useful information about your operating system.

But let us start by enumerating the event logs.  Make a guess, how many event logs are there on your computer?  3? 4?  Let us see …..

If you remember last week I recommended five help strategies to enhance your PowerShell experience, to help us achieve This Week’s Mission I would like to utilize the technique:
get-help verb-Noun* -full

* Where verb-Noun is get-EventLog

Preparation – Overview

I am assuming that you have installed PowerShell, and you are sitting at the PowerShell prompt.  If necessary, downloaded the appropriate version of PowerShell and .Net Framework from Microsoft’s site.  What would help your understanding, and the success of my examples is if you look for ways to modify my scripts to suit your computer.

Detailed instructions
For detailed instruction on getting PowerShell up and running see a previous ezine.

Preliminary Example: Help get-EventLog -full

# PowerShell script to research get-EventLog
# Author: Guy Thomas
# Version 1.0 September 2008 tested on PowerShell v 1.0

get-Help get-EventLog -full

Learning Points

Note 1:  Close inspection reveals that get-EventLog has two parallel purposes.  If we choose the -list parameter, then we can enumerate all logs on the computer.  However, if we choose the -logfile parameter then we can open up a whole world of options to interrogate and filter the event logs.

Note 2:  I have a message for you.  Whenever you call for the get-Help command always append -full, moreover, always pay close attention to the examples that PowerShell’s help supply when you add the -full parameter.

Example 1: get-EventLog -list

By introducing variables, I feel as though I am starting our PowerShell ‘car’ in second gear.  First gear would have been plain:  get-Eventlog -list

# PowerShell script to list the EventLogs
# Author: Guy Thomas
# Version 1.1 September 2008 tested on PowerShell v 1.0

$Log = get-EventLog -list
$Log; "There are " + $Log.count + " event logs"

Learning Points

Note 1:  I could not resist introducing a variable called $Log so that we can count the logs more easily.  Trace the effect of the semi-colon after $Log on the last line.

Note 2:  Observe how easily PowerShell handles a mixture of text and numbers.  All we need is the ubiquitous plus sign (+).

Example 2: Listing EventLog Items

# PowerShell script to display the last 50 events
# Author: Guy Thomas
# Version 1.2 September 2008 tested on PowerShell v 1.0

$LogSys = get-EventLog -logname system -newest 50
$LogSys | format-Table EventID, Source -auto

Learning Points

Note 1:  The crucial parameter in this script is -logname, I have chosen a value of ‘System’, however, you could substitute any of the log names indentified by the script in example 1.

Note 2:  Format-Table not only displays the output in tabular form, but also allows us to select which properties to display, in this case just EventID and Source.

Note 3:  Unearthing the -newest parameter is another triumph for taking the preliminary and researching with: help get-Eventlog command.

Guy Recommends:  SolarWinds’ Log & Event Management ToolSolarwinds Log and Event Management Tool

LEM will alert you to problems such as when a key application on a particular server is unavailable.  It can also detect when services have stopped, or if there is a network latency problem.  Perhaps this log and event management tool’s most interesting ability is to take corrective action, for example by restarting services, or isolating the source of a maleware attack.

Yet perhaps the killer reason why people use LEM is for its compliance capability, with a little help from you, it will ensure that your organization complies with industry standards such as CISP or FERPA.  LEM is a really smart application that can make correlations between data in different logs, then use its built-in logic to take corrective action, to restart services, or thwart potential security breaches – give LEM a whirl.

Download your FREE trial of SolarWinds Log & Event Management tool.

Example 3: Finding the ‘Errors’ in the System EventLog

Here is a script which crosses the divide from just playing, through to doing some useful work.  The idea is to list all errors in the system log.  It would make my day if you made adjustments to suit your circumstances.  For instance, you could experiment with other values for -newest.

# PowerShell script to find errors in the system event log
# Author: Guy Thomas
# Version 1.3 September 2008 tested on PowerShell v 1.0

$LogSys = get-EventLog -logname system -newest 20000
$LogSys | where {$_.entryType -match "Error"} | group eventID

Learning Points

Note 1:  The new development in this script is the ‘Where’ clause.  This is a common technique to filter the results, in this example ‘where’ just matches errors in the system event log.  There are two important features of the where clause, firstly, $_. meaning this pipeline.  And secondly the comparitor -match.  Alternative comparisons would be -like, or even -eq.

Note 2:  I have employed two pipes (|) to achieve the desired grouping of the results.  The key feature of pipelining is that the output of the first clause, $LogSys, becomes the input of the ‘where’ clause.

Note 3:  Many of my example scripts begin with clear-Host, I just use this in testing when I want to avoid confusion from the results of previous versions of my script.

Example 4: Filtering a Specific EventID

This example is a double-edged sword.  On its own example 4 is probably useless to you.  However, if you research the eventID of a persistent error on your computer, the example transforms into a useful tool.  My problem is that I don’t know what number eventID that would be on your machine, hence you need some preliminary research to discover your problem eventID number.  Then substitute your number for 11 in my variable $Number.

# PowerShell script to filter specific eventID errors
# Author: Guy Thomas
# Version 1.3 September 2008 tested on PowerShell v 1.0

$Number = 11
$LogSys = get-EventLog -logname system -newest 20000
$LogSys | where {$_.entryType -match "Error" -and $_.eventID -eq $Number}

Learning Points

Note 1:  From the pure PowerShell perspective, this script is of interest because I have introduced logical ‘-and’, which makes the filter more precise.

Note 2:  We could improve the readability by appending the pipeline symbol followed by:
 | format-table TimeGenerated, eventid, message -auto

Example 5: Remote Event logs

PowerShell version 1.0 is not good with remote computing.  get-EventLog is particularly useless and does NOT support the -computerName parameter.  Fortunately, there is a work-around using trusty new-Object with System.Diagnostics.Eventlog.  Naturally, you need to tweak the value for the $Server variable.

# PowerShell script to interrogate event logs on a REMOTE computer
# Author: Guy Thomas
# Version 1.3 October 2008 tested on PowerShell v 1.0

$Log = "System"
$Server = "YourServer"
$Evtlog = new-Object System.Diagnostics.Eventlog($Log,$Server)
$Evtlog.Entries | select -first 10

Learning Points

Note 1:  The key to this script is new-Object.  I recommend that you investigate more capabilities with the two classic PowerShell commands:

help new-Object

new-Object System.Diagnostics.Eventlog | get-Member

Guy Recommends: Tools4ever’s UMRAUMRA The User Management Resource Administrator

Tired of writing scripts? The User Management Resource Administrator solution by Tools4ever offers an alternative to time-consuming manual processes.

It features 100% auto provisioning, Helpdesk Delegation, Connectors to more than 130 systems/applications, Workflow Management, Self Service and many other benefits. Click on the link for more information onUMRA.

Summary of PowerShell for Event Viewer

In our hearts, we know that we should be looking at the event logs more frequently.  We also know that when we see those red dots in the logs, we should take action to correct the corresponding error message.

Thus we have a task for PowerShell; in fact, we have a marriage made in heaven.  PowerShell will help us review the system, application and other logs, while the event logs themselves will act as a vehicle for learning more about PowerShell’s benefits, capabilities and syntax.

If you like this page then please share it with your friends


See more PowerShell examples to read, write and list Windows event logs

PowerShell Home   • Get-Eventlog   • EventVwr -list   • Get-WinEvent   • Remote-WinEvent

WMI Win32_NTLogEvent   • Windows 8 Event Viewer  • Windows 8 Security Event Log

PowerShell real-life task   • Write-Eventlog   • EventVwr errors   • Log Event Manager

Please email me if you have a better example script. Also please report any factual mistakes, grammatical errors or broken links, I will be happy to correct the fault.