Thursday, January 2, 2014

Part– 5 : Working with Event Logs using PowerShell :- Get-WinEvent

 

 

Part-1: Working with Event Logs using PowerShell

Part–2 : Working with Event Logs using PowerShell :- Get-EventLog

Part–3 : Working with Event Logs using PowerShell :- Get-EventLog

Part–4 : Working with Event Logs using PowerShell :- Get-EventLog

 

Before I start writing article, I do want to wish you  a very “Happy New year 2014”. I wish in this New Year, we all may manage to go home early, no server crashes, no cancelling of movie tickets or holidays because of our beloved core servers. No more waking up in late nights and no bugs is programs , no disk arrays crashes. ( do i am asking more? nope).

I have been very lazy in November and December because of lots of vacations and been busy with family.

It’s New Year and it’s time for me to start posting articles and blog post as the same pace like i was doing before.

This post is a part of our “Managing Event viewer using PowerShell” series.

Today We are going to use two best parameters of Get-WinEvent cmdlet. The first is –FilterHashTable and the second one is –FilterXML .

 

-FilterHashTable

We can query event logs by writing  a small hash table filter query, it is a combination of key=value pair, and it is case sensitive, we can use the following keys.

·         LogName

·          ProviderName

·         Path

·         Keywords

·         ID

·         Level

·         StartTime

·         EndTime

·         UserID

·         Data

·         *

Let’s create a small hash table to query DHCP log and try to find  errors those are created within 2 months of time.

 

$twoMonths = (get-date).AddDays(-60)

Get-WinEvent -FilterHashtable @{

 

    LogName='Microsoft-Windows-Dhcp-Client/Admin'

    Level = 2

    StartTime=$twoMonths

                                                                   

}

 

Simple isn’t ?

clip_image002

-FilterXML

We can also query Event logs using XML (if you love xml), to query in XML, we have to use the –FilterXML parameter.

Now the question arise, that we need to learn the XML first before using this parameter?, actually, NO!!!, we are allowed to do a little bit cheating here. Let me show how.

How to create a xml query filter for event logs?

1.       To create a XML query filter, open Event viewer and click on the log, on which you want to run XML query later on.

2.       Now Click on “Filter Current Log”

3.       clip_image004

4.       Now choose, what you want to query and filter,

       and I am creating a filter to create show me all logs those are created after 1st Nov 2013 and the type of level is “Error”.

5.       clip_image006

6.       Now Click on XML tab, and copy all the text below.

7.       clip_image008

8.       Now open your favourite PowerShell IDE, and type Get-WinEvent –FilterXML  “ “ and type blank opening and closing Double Quotes.

9.       clip_image009

10.   Now paste the XML text (which we copies from event Viewer) and paste it, in between the double quotes.

11.   Replace all Double quotes in XML text to Single quotes.(you can do this before too, before pasting the XML data here”.

12.   clip_image011

13.   Now your data should be looking like this.

14.   clip_image013

15.   Now run the command and you can see the output below.

16.   clip_image015

 

Get-WinEvent -FilterXml "

 

<QueryList>

  <Query Id='0' Path='Microsoft-Windows-Dhcp-Client/Admin'>

    <Select Path='Microsoft-Windows-Dhcp-Client/Admin'>*[System[(Level=2) and TimeCreated[@SystemTime&gt;='2013-11-01T08:24:06.000Z']]]</Select>

  </Query>

</QueryList>

 

"

clip_image017

I hope you enjoyed this post.

 

See you  in next blog post.

 

Regards

Aman Dhally

clip_image001 clip_image002 clip_image003 clip_image005  clip_image007

 

1 comment:

  1. Is there anyway of dynamically building the query for -FilterXML based on user input? Say I want to search between a changeable number of dates without hardcoding them. I can't find a way of doing it...

    ReplyDelete

Note: Only a member of this blog may post a comment.