Monday, November 25, 2013

Part–3 : Working with Event Logs using PowerShell :- Get-EventLog

 

Part-1: Working with Event Logs using PowerShell

Part–2 : Working with Event Logs using PowerShell :- Get-EventLog

 

Welcome to part 3 of the “PowerShell and Event Log” series. In the previous post we looked at the basic usage of the “Get-EventLog” cmdlet.

Today we are going to use some more advanced and handy features of the “Get-EventLog” cmdlet.

One of the useful parameters of “Get-EventLog” is –Source.

Every event log entry records the source that created it. If we want to see only the entries created by a specific application or service, we pass that source name as the argument to the –Source parameter.

In this example we ask “Get-EventLog” to show all Application log entries created by Microsoft Outlook.

Get-EventLog -LogName Application -Source "OutLook"


If you want to see only the event log entries generated under a specific user account, use the –UserName parameter of “Get-EventLog”.

This command shows all the Application log entries generated under my user account.

Get-EventLog -LogName application -UserName "domain\aman.dhally"

If we want to search all event log entries for a specific word in their message text, we can do that with the –Message parameter.

For example, if I want to find all event log entries that contain the word “Database”, I can use the command below.

Get-EventLog -LogName application -Message *database*

If you want to search event log entries by instance ID, you can use the command below.

Get-EventLog -LogName application -InstanceId 1000

You can read more about instance IDs here: http://msdn.microsoft.com/en-us/library/system.diagnostics.eventlogentry.instanceid.aspx
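The four filters shown above (–Source, –UserName, –Message and –InstanceId) are most useful when combined, for example to review what one application, one account or one event type has been writing to the log recently. The script below is an added example, not code from the original post; it uses the same sample values as the post ('Outlook', 'domain\aman.dhally', '*database*' and instance ID 1000), which are assumptions you should replace with values from your own environment.

```powershell
# Added example, not from the original post: the four Get-EventLog filters
# from this post combined into one quick review of the Application log.
# 'Outlook', 'domain\aman.dhally', '*database*' and 1000 are the values used
# in the post; replace them with values from your own environment.

# Limit the search window so the query stays fast on a large log.
$since = (Get-Date).AddDays(-7)

# Get-EventLog writes a "No matches found" error when a filter matches nothing,
# so silence that error and treat an empty result as zero entries.
$common = @{ LogName = 'Application'; After = $since; ErrorAction = 'SilentlyContinue' }

$filters = [ordered]@{
    # -Source accepts wildcards; -EntryType narrows the result to errors only.
    'Source=Outlook (errors)' = Get-EventLog @common -Source 'Outlook' -EntryType Error
    # -UserName matches the account the entry was generated under.
    'UserName=domain\user'    = Get-EventLog @common -UserName 'domain\aman.dhally'
    # -Message is a wildcard pattern, so surround the word with asterisks.
    'Message=*database*'      = Get-EventLog @common -Message '*database*'
    # -InstanceId selects one instance ID, as in the post.
    'InstanceId=1000'         = Get-EventLog @common -InstanceId 1000
}

foreach ($f in $filters.GetEnumerator()) {
    $hits = @($f.Value)
    "--- {0}: {1} entries since {2:yyyy-MM-dd} ---" -f $f.Key, $hits.Count, $since
    # Newest first, and only the columns needed to decide whether to dig deeper.
    $hits |
        Sort-Object TimeGenerated -Descending |
        Select-Object -First 5 TimeGenerated, EntryType, Source, InstanceId, UserName |
        Format-Table -AutoSize | Out-String
}
```

Two things worth knowing when you run this: Get-EventLog raises a non-terminating “No matches found” error rather than returning nothing when a filter has no hits, which is why the example sets -ErrorAction SilentlyContinue, and Get-EventLog only reads the classic logs (Application, System, Security and the like); the newer “Applications and Services” logs are read with Get-WinEvent instead.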

“Get-EventLog” also has an –AsBaseObject parameter. When we use it there is no visible difference in the output, but with –AsBaseObject the cmdlet returns plain “System.Diagnostics.EventLogEntry” objects, whereas without –AsBaseObject it returns extended PowerShell objects.
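To see the difference the paragraph describes, compare the two forms side by side. This is an added example, not code from the original post; it inspects the type names and members PowerShell reports for the newest Application log entry with and without –AsBaseObject, so it shows whatever the wrapper adds on your system rather than assuming a fixed list.

```powershell
# Added example, not from the original post: what -AsBaseObject changes.
$wrapped = Get-EventLog -LogName Application -Newest 1
$base    = Get-EventLog -LogName Application -Newest 1 -AsBaseObject

# The underlying .NET type is the same in both cases.
"Wrapped .NET type : " + $wrapped.GetType().FullName
"Base .NET type    : " + $base.GetType().FullName

# The difference lives in the PowerShell wrapper: the extended object carries
# extra type names (PowerShell keys formatting and type data on these), while
# the base object reports only the plain .NET type hierarchy.
"Wrapped type names: " + ($wrapped.PSObject.TypeNames -join ', ')
"Base type names   : " + ($base.PSObject.TypeNames -join ', ')

# List any members present on the extended object but not on the base one.
$extra = Compare-Object ($wrapped | Get-Member).Name ($base | Get-Member).Name |
    Where-Object SideIndicator -eq '<=' |
    Select-Object -ExpandProperty InputObject
"Members added by the wrapper: " + $(if ($extra) { $extra -join ', ' } else { '(none)' })

# Either form is fine for scripting. What matters for log analysis is that the
# .NET members are identical, for example the raw insertion strings behind
# Message, which are easier to parse than the formatted message text.
"Insertion strings of the newest entry:"
$base.ReplacementStrings
```

The practical takeaway is that -AsBaseObject changes how PowerShell describes the object, not the data in it; use it when handing entries to code that expects a plain System.Diagnostics.EventLogEntry, and leave it off when you want PowerShell's own formatting.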

The last parameter we are going to use is –Index. Every entry in a log has a sequential index number, and –Index retrieves the entry with that number. Let me show you.

Let’s count how many log entries we have in the Application log.

(Get-EventLog -LogName Application).count

Now let’s check what the last entry is, using the –Index parameter.

Get-EventLog -LogName Application -Index 10209

Now let’s cross-verify it using the –Newest parameter.

Get-EventLog -LogName Application -Newest 1

You can see that both entries are identical.
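The count-then-index procedure above works because the author's Application log still holds every entry written since its numbering started. The script below is an added example, not code from the original post: it performs the same cross-check, but computes the highest Index directly instead of assuming it equals the entry count, and confirms that –Index and –Newest return the same record.

```powershell
# Added example, not from the original post: cross-check Index against the
# entry count rather than assuming they agree. Index is a sequence number given
# to each entry when it is written; Count is how many entries the log holds
# right now. They match only while the log still contains every entry written
# since numbering started; once old entries are overwritten the highest Index
# is larger than the count.
$entries  = Get-EventLog -LogName Application
$count    = @($entries).Count
$maxIndex = ($entries | Measure-Object -Property Index -Maximum).Maximum
$newest   = Get-EventLog -LogName Application -Newest 1

"Entries currently in log : $count"
"Highest Index in log     : $maxIndex"
"Index reported by -Newest: $($newest.Index) (written $($newest.TimeGenerated))"

if ($count -eq $maxIndex) {
    "Count and highest Index agree, so -Index $count addresses the newest entry, as in the post."
} else {
    "They differ by $($maxIndex - $count): older entries are gone, so address entries by Index, never by count."
}

# Fetch the newest entry by its Index and confirm it is the record -Newest returned.
$byIndex = Get-EventLog -LogName Application -Index $newest.Index
$same = ($byIndex.Index -eq $newest.Index) -and
        ($byIndex.TimeWritten -eq $newest.TimeWritten) -and
        ($byIndex.Message -eq $newest.Message)
"Entry retrieved by -Index matches -Newest 1: $same"
```

When you need to refer back to a particular entry later (for example, the entry you found during an investigation), record its Index and TimeWritten rather than its position in a listing; the position shifts as new entries arrive and old ones are overwritten, while the Index stays with the record.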

That’s all for today. See you in the next blog post.

Regards

Aman Dhally
