Prof. Powershell

Get EventLog, The Sequel

Get-EventLog plays well in PowerShell 2.0, providing you with more information in a less confusing way.

• By Jeffery Hicks
• 11/17/2009

In PowerShell 1.0, managing event logs wasn't too difficult, assuming you only needed local information and nothing too specific. If you wanted to find all errors that had occurred in the system event log over the last 48 hours from a remote computer, it could be done. But it would be a complex PowerShell expression that you probably wouldn't get right the first time. I know I wouldn't.

Now that you're running PowerShell 2.0 -- if you're not, perhaps this week's tip will encourage you -- you'll be happy to see some major improvements to the Get-Eventlog cmdlet:

Get-EventLog [-LogName] <string> [[-InstanceId] <Int64[]>] [-After <DateTime>] [-AsBaseObject] [-Before <DateTime>] [-ComputerName <string[]>] [-EntryType <string[]>] [-Index <Int32[]>] [-Message <string>] [-Newest <int>] [-Source <string[]>] [-UserName <string[]>

The eventlog output is the same, but now I have many more options for more granular eventlog management. Let's go back to my original problem and here's how easy it is to do with a single PowerShell expression:

PS C:\> get-eventlog system -after (get-date).AddHours(-48) -EntryType Error,Warning -ComputerName JDHIT01

For this particular cmdlet, I don't need PowerShell installed at all on the remote computer; although I have to be running my local PowerShell sessions with admin credentials for the remote computer. The value for the -After parameter is returned by invoking the AddHours() method of a date-time object, which is intrinsically returned by Get-Date. I'm adding -48 hours to get the time 48 hours ago.

By the way, I always recommend testing commands like this locally first to verify the syntax. Then tweak the expression to connect to a remote computer.

This cmdlet is much more efficient now because it is filtering in-place as the collection is assembled. Compare that to what you needed in version 1.0, where you'd have to get all the event logs then process them using Where-Object.

I'll wrap up this lesson with a PowerShell one-liner you could run at the beginning of the day. It will go through a list of computers, get all errors and warnings for the last 12 hours and save the information to an HTML report:

PS C:\> get-eventlog system -After (get-date).AddHours(-12) -entryType Error,Warning -computername (get-content mycomputers.txt) | select MachineName,TimeWritten,EntryType,Source,Message | ConvertTo-HTML -Title "Event Log Report" -postContent " Prepared $(get-date)" | out-file EventLogReport.htm

You can pretty up the output by using a CSS file, but the real star of the show is the new and improved Get-Eventlog cmdlet.