Part 1: Working with Event Logs using PowerShell
Part 2: Working with Event Logs using PowerShell: Get-EventLog
Part 3: Working with Event Logs using PowerShell: Get-EventLog
Part 4: Working with Event Logs using PowerShell: Get-EventLog
Before I start writing this article, I want to wish you a very “Happy New Year 2014”. I wish that in this New Year we all manage to go home early, with no server crashes, no cancelling of movie tickets or holidays because of our beloved core servers, no more waking up late at night, no bugs in programs and no disk array crashes. (Am I asking for too much? Nope.)
I have been very lazy in November and December because of lots of vacations and being busy with family.
It’s a New Year and it’s time for me to start posting articles and blog posts at the same pace as I was doing before.
This post is a part of our “Managing Event viewer using PowerShell” series.
Today we are going to use two of the best parameters of the Get-WinEvent cmdlet: the first is –FilterHashTable and the second is –FilterXML.
-FilterHashTable
We can query event logs by writing a small hash table filter. It is a set of key=value pairs, it is case sensitive, and we can use the following keys.
· LogName
· ProviderName
· Path
· Keywords
· ID
· Level
· StartTime
· EndTime
· UserID
· Data
· *
Let’s create a small hash table to query the DHCP client log and find the errors created within the last two months.
# Look back 60 days from now
$twoMonths = (Get-Date).AddDays(-60)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Dhcp-Client/Admin'
    Level     = 2            # 2 = Error
    StartTime = $twoMonths
}
Simple, isn’t it?
-FilterXML
We can also query event logs using XML (if you love XML); to query in XML, we have to use the –FilterXML parameter.
Now the question arises: do we need to learn XML first before using this parameter? Actually, no! We are allowed to do a little bit of cheating here. Let me show you how.
How to create an XML query filter for event logs?
1. To create an XML query filter, open Event Viewer and click on the log on which you want to run the XML query later.
2. Now click on “Filter Current Log”.
3. Now choose what you want to query and filter; I am creating a filter to show me all events created after 1st Nov 2013 whose level is “Error”.
4. Now click on the XML tab and copy all the text shown there.
5. Now open your favourite PowerShell IDE and type Get-WinEvent –FilterXML "" (an empty pair of opening and closing double quotes).
6. Now paste the XML text (which we copied from Event Viewer) in between the double quotes.
7. Replace all double quotes in the XML text with single quotes (you can also do this before pasting the XML data here).
8. Now your data should look like this.
9. Now run the command and you can see the output below.
Get-WinEvent -FilterXml "
<QueryList>
<Query Id='0' Path='Microsoft-Windows-Dhcp-Client/Admin'>
<Select Path='Microsoft-Windows-Dhcp-Client/Admin'>*[System[(Level=2) and TimeCreated[@SystemTime>='2013-11-01T08:24:06.000Z']]]</Select>
</Query>
</QueryList>
"
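The pasted XML above only ever matches one hardcoded date and level. As an added example (not the post's own code), the function below builds the same QueryList from parameters, which also answers the question in the comments about searching between changeable dates. The function name New-EventXmlQuery and its parameter names are my own choices.

```powershell
# Added example: build a -FilterXml query from variables instead of a fixed string.
function New-EventXmlQuery {
    param(
        [Parameter(Mandatory)] [string] $LogName,
        [int[]]    $Level   = @(),   # 1=Critical, 2=Error, 3=Warning, 4=Information
        [int[]]    $EventId = @(),
        [datetime] $StartTime,
        [datetime] $EndTime
    )
    # Event Viewer writes UTC timestamps with a trailing 'Z'; produce the same form.
    $fmt = "yyyy-MM-dd'T'HH:mm:ss.fff'Z'"
    $conditions = @()
    if ($Level.Count)   { $conditions += '(' + (($Level   | ForEach-Object { "Level=$_" })   -join ' or ') + ')' }
    if ($EventId.Count) { $conditions += '(' + (($EventId | ForEach-Object { "EventID=$_" }) -join ' or ') + ')' }
    $time = @()
    if ($PSBoundParameters.ContainsKey('StartTime')) {
        $time += "@SystemTime>='" + $StartTime.ToUniversalTime().ToString($fmt) + "'"
    }
    if ($PSBoundParameters.ContainsKey('EndTime')) {
        $time += "@SystemTime<='" + $EndTime.ToUniversalTime().ToString($fmt) + "'"
    }
    if ($time.Count) { $conditions += 'TimeCreated[' + ($time -join ' and ') + ']' }
    # With no conditions at all, '*' selects every event in the log.
    $xpath = if ($conditions.Count) { '*[System[' + ($conditions -join ' and ') + ']]' } else { '*' }
    # Escape the log name so a quote or angle bracket in it cannot break the XML.
    $safeLog = [System.Security.SecurityElement]::Escape($LogName)
@"
<QueryList>
  <Query Id='0' Path='$safeLog'>
    <Select Path='$safeLog'>$xpath</Select>
  </Query>
</QueryList>
"@
}

# The same query as the pasted one (DHCP client errors since 1 Nov 2013), built from variables:
$query = New-EventXmlQuery -LogName 'Microsoft-Windows-Dhcp-Client/Admin' -Level 2 `
                           -StartTime (Get-Date '2013-11-01T08:24:06Z')
$query                     # show the generated XML
Get-WinEvent -FilterXml $query
```

Get-WinEvent reports an error when no event matches, so an empty result shows up as “No events were found” rather than as silence.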
I hope you enjoyed this post.
See you in the next blog post.
Regards
Aman Dhally
Is there any way of dynamically building the query for -FilterXML based on user input? Say I want to search between a changeable number of dates without hardcoding them. I can't find a way of doing it...