Part–3 : Working with Event Logs using PowerShell :- Get-EventLog

 

Part-1: Working with Event Logs using PowerShell

Part–2 : Working with Event Logs using PowerShell :- Get-EventLog

 

Welcome to the part 3 of the “PowerShell and Event Log” post,  In my previous post we shows the usages of “Get-EventLog” cmdlet.

Today we are going to use some more advance and cool features of the “Get-EventLog” cmdlet.

One of  the cool parameter of the “Get-EventLog” log is –Source.

Every event log entry has source by which event entry is created. If we want to see all the entries those are created by some specific application or Service source , we can use it’s name as argument in –Source parameter.

In this example, we are asking “Get-EventLog” cmdlet to show all log entries those are created by Microsoft Outlook.

Get-EventLog -LogName Application -Source "OutLook"

 

If you want to see event log entries those are created in  some specific users account, to see those events we can use –Username parameter in “Get-EventLog”

The command will show all the event logs entries those are genereted in my user account.

Get-EventLog -LogName application -UserName "domain\aman.dhally"

 

 

If we want to search all event logs entries for specific word in their event log entry, we can also do that using –Message parameter.

For example, if i want to search all event log entries those are have word “Database” in it , I can use the below command.

 

Get-EventLog -LogName application -Message *database*

 

 

If you want to search event log entries using instance ID ,you can use the below command.

 

Get-EventLog –LogName application -InstanceId 1000

 

You and read more about instance id here : http://msdn.microsoft.com/en-us/library/system.diagnostics.eventlogentry.instanceid.aspx

 

 

There is –AsbaseObject parameter is “get-eventLog” , when we use it, visually it seems no difference, but when we use –AsbaseObject it returns “System.Diagnostics.EventLogEntry” and without using –asbaseObject , it returns an extended PS Object.

 

 

The last Parameter which we are going to use is –Index, this is basically a serialization of event log entries. Let me show you.

Let’s count how many log entries we do have in Application Log

 

(Get-EventLog -LogName Application).count

 

Now check, what is the last entry using –Index Parameter

 

Get-EventLog -LogName Application -Index 10209

 

 

Now let’s cross verify it using –newest parameter

Get-EventLog -LogName Application -Newest 1

 

You can see that, both entries are identical.

That’s all for today. See you in next blog Post.

Regards

Aman Dhally

     

Part–2 : Working with Event Logs using PowerShell :- Get-EventLog

 

In my previous blog post, i had tried to cover the basics of “Event Logs”, and in previous post we had also saw the use of “Show-EventLog” cmdlet.

There is no benefit of PowerShell if we are exploring “Event Logs” using GUI tools. So let’s start working on PowerShell console.

There are two main cmdlets in PowerShell those are use to get events from various  “Event Logs”, the first cmdlet  is “Get-EventLog” and the another one is “Get-WinEvent”.

The main difference between these two cmdlets are , The Get-EventLog works only with classic type of Event Logs and on other hand “Get-WinEvent” work with both type of event logs the classic one and the Applications and Service logs too.

Let’s see the use of “Get-EventLog” cmdlet.

Just for your information, I am using Windows 8, so might be you may see few extra event logs in my command outputs.

Let’s check which classic event logs are exists on my laptop. To check that, run the below command.

Get-EventLog -LogName *

You can see that , now we have a list of all classic event logs.

Let’ see the all events in Application Log,  run the below command. In the below command we are asking Get-Event log to give us the list of all event log entries is the event log name “Application”

Get-EventLog -LogName Application

But, when you run the above command , your PowerShell console will fill with lots-lots-lost of events.

This massive information is not much useful for us right now, what if ?I want to see the  newest 10 event log entries only.

You can do that, you can use –Newest parameter and provide the number of entries which you want to see.

In below command , we are asking Get-EventLog to show the newest 10 entries in the Event log.

Get-EventLog -LogName Application -Newest 10

If you want to see more details of the event log entries, you can use “Format-List” cmdlet to  format the output and show us full details of the event log entry.

Get-EventLog -LogName Application -Newest 10 | Format-List -Property *

If you remember, that in my previous blog post , i have mentioned about four type of log’s severity levels, information, warning, error, critical, Failure Audit and Success Audit , we can use those here too, just to a quick note, Get-EventLog cmdlet doesn’t support the Entry type Critical.

what if, you want to see the newest 10 events of  entry type Warning.

Get-EventLog -LogName Application –EntryType Warning -Newest 10

See how easy it is  

One last trick for today,

You can also define the the time period in After , before format in Get-Eventlog to see the event logs accordingly.

let see the Application’s event log entries  those are created after 11th Nov 2013

Get-EventLog -LogName Application -After 11/11/2013

If you want to see the event log entries those are created before a specific date, you can use –Before parameter.

Get-EventLog -LogName Application -Before 11/11/2013”

We also have the flexibility of searching event log entries in a specific time frame, You can use –After and –Before paramters to define a date range to search with-in.

“Get-EventLog -LogName Application  -After 7/11/2013  -Before 10/11/2013”

That’s all for today, see you in next post.

Part-1: Working with Event Logs using PowerShell.

Regards

Aman Dhally

 

     

Part-1: Working with Event Logs using PowerShell.

 

Hi,

I am planning to start a few post series on managing Event Logs with PowerShell.

I do believe that, it doesn’t matter ,which server application are you using or if you are troubleshooting any client’s desktop, when any problem arise, the first step for troubleshooting is the looking at “Event Logs”.

Event Logs is a best place to look for information about almost anything, either it is software, or system wide error, setup errors, booting time, etc. etc.

Event Logs are like a record keeper, it keeps the record of almost everything.

In PowerShell we have few “Cmd-lets” those are designed to work very well with Event Logs.

Now you can imagine all the possibilities by  working with Event Logs and PowerShell,  you can create a reports on Event Logs, you can filter the event logs data  right working on the PowerShell console, you don’t need to open “Event Viewer” to see any new event log, everything is available on the PowerShell console.

Before moving forward let’s take a quick look on basics of Event Logs.

There are two main category of event Logs

1. Classic Windows Event Logs
2. Applications and Services Logs.

Classic Windows Event Logs:

The logs  were also available on the previous version of the windows, that’s why it is known as Classic Logs. In the previous version (before vista) there are only Application Log, System Log and Security log were available, but in Vista, Microsoft added two new  logs,Setup Log and Forwarded Event log.

Application and Services Logs:

These are the new category of Logs, These logs store event from a single service/component for application and store it on a their independent log.

The Application and Service Logs has four type of Log category.

1. Admin
2. Operational
3. Analytic
4. Debug

For us (or me) , the most useful are Admin and Operational type of logs.

In Event logs, there are 4 types of event severity levels.

1. Information
2. Warning
3. Error
4. Critical

You may find 2 more types of severity level in Security Logs

1. Success Audit
2. Failure Audit

 

Where i can see the event logs?

If you want to See event logs in GUI, you can use “Eventvwr.msc” to open event viewer and you can see all logs there.

Can i open Event viewer using PowerShell.?

Surprisingly, Microsoft created a PowerShell cmdlet to open event viewer mmc.

Type  “Show-Event Log” in the PowerShell console and it will open a “Event Viewer” for you.

 

Cool ! Isn’t?

Take care, will meet in next blog Post.

 

Regards

Aman Dhally

 

     

MVP Community Day: November 9th, 2013, Saturday at Microsoft (Gurgaon)

 

Hi,

This Saturday is MVP Community day. We are doing 2 PowerShell events on that day.

One event is on “Start Using PowerShell for Managing MS SQL Server” by MVP Sarabpreet Singh Anand.

Second one is on "Managing Windows Event Logs Using PowerShell” by me. Please use the below link to register for the event.

Register here : https://www.eventbrite.ie/event/9156263631 

Session Details
Time	Session Topic	Presenter
9:30 – 10:00	Start of Registrations
10:00 – 11:00	Start using PowerShell for managing MS SQL Server”	Sarabpreet Singh Anand (MVP SQL )
11:00 – 11:15	Tea Break
11:15 – 12:15	“PowerShell and Event Logs” Managing Windows Event Logs using PowerShell	Aman Dhally (MVP PowerShell)

 See you at the event.

Registration Link : https://www.eventbrite.ie/event/9156263631 

Regards

Aman Dhally & Sarabpreet Singh Anand

http://newdelhipowershellusergroup.blogspot.in/

http://www.sarabpreet.com/

http://www.amandhally.net/