PowerShell command to search Event Logs - date/time and exclude specific Event IDs

  • Question

  • Hello All, I have created a script that outputs to HTML using a CSS style sheet. I am now struggling to find how to exclude specific event IDs, and also, is it possible to search for a specific time and date? For example:

    Server 1 has had a SYSTEM error between 12.00am to 2.00am on date 13/01/2013. Is it possible to search this?

    OR

    Server 2 needs to get Event Logs from the night before and the morning, so this will be between 8pm - 8am. This has no specific date; it will be run manually. Is there a way of getting this as a command?

    Below is what I am using at the moment, and it seems to be working well so far, outputting into HTML format. Thank you in advance.

    # Servers to query (defined once and reused by all three queries)
    $Servers = "server1", "server2", "server3", "server4", "server5", "server6"

    # Error entries from the last 24 hours, one HTML fragment per log
    $code1 = Get-EventLog security -EntryType Error -ComputerName $Servers -After (Get-Date).AddDays(-1) | select MachineName,EventID,TimeGenerated,EntryType,Message,Source | ConvertTo-HTML -Fragment

    $code2 = Get-EventLog system -EntryType Error -ComputerName $Servers -After (Get-Date).AddDays(-1) | select MachineName,EventID,TimeGenerated,EntryType,Message,Source | ConvertTo-HTML -Fragment

    $code3 = Get-EventLog application -EntryType Error -ComputerName $Servers -After (Get-Date).AddDays(-1) | select MachineName,EventID,TimeGenerated,EntryType,Message,Source | ConvertTo-HTML -Fragment

    # Wrap each fragment in a full page that uses the style sheet (-Title needs its leading dash)
    ConvertTo-HTML -Body "$code1" -Title "security Event Logs for Errors" -CssUri c:\style.css | Out-File c:\security_Event_Logs.html

    ConvertTo-HTML -Body "$code2" -Title "System Event Logs for Errors" -CssUri c:\style.css | Out-File c:\System_Event_Logs.html

    ConvertTo-HTML -Body "$code3" -Title "Application Event Logs for Errors" -CssUri c:\style.css | Out-File c:\Application_Event_Logs.html
    Tuesday, January 22, 2013 3:13 PM

All replies

  • Something like this?

    # example 1:
    # define events you're interested in
    $events = @(1111, 50)
    
    get-eventlog -logname system -entrytype error | select eventid, message| where-object {$events -contains $_.eventid}
    
    # the above will only match event IDs you want...
    
    
    #example 2
    #define events you are NOT interested in
    $events = @(1111,50)
    get-eventlog -logname system -entrytype error | select eventid, message| where-object {$events -notcontains $_.eventid}

    It seems like the time stuff you have worked out pretty well.  

    Hope this helps.


    G. Samuel Hays



    • Edited by G. Samuel Hays Tuesday, January 22, 2013 4:45 PM code coloring due to a single-quote
    Tuesday, January 22, 2013 4:44 PM
  • If the OP is using V3, there might be a quicker solution using get-winevent, which, as I understand it, has more detailed filtering capabilities than get-event, where we typically accept all matching records into the pipeline and filter them with where-object.


    Al Dunbar -- remember to 'mark or propose as answer' or 'vote as helpful' as appropriate.

    Tuesday, January 22, 2013 4:59 PM
  • Thanks for your reply. Would it be possible to do a date and time search like this:

    Get-WinEvent -LogName $winlog -Oldest | Where-Object {$_.TimeCreated -eq $date}

    So would this be simplified for my search as

    $date = [datetime] "7/6/2012 6:03:51 pm"

    Any help would be appreciated for searching event logs through date and time.

    Thursday, January 24, 2013 9:33 AM
  • Hi,

    I would like to suggest you also refer to the below article:

    Use PowerShell Cmdlet to Filter Event Log for Easy Parsing

    http://blogs.technet.com/b/heyscriptingguy/archive/2011/01/24/use-powershell-cmdlet-to-filter-event-log-for-easy-parsing.aspx

    Regards,

    Yan Li


    Cataleya Li
    TechNet Community Support

    Monday, January 28, 2013 5:47 AM
    Moderator
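
The time-window search and event ID exclusion asked about in this thread can be done in one server-side filter with Get-WinEvent, as suggested in the replies. This is an added example, not code from any of the posters; the function name `Get-ErrorEventsInWindow` and its parameters are hypothetical, and the IDs 1111 and 50 are the sample values used in the reply above.

```powershell
# Added example: function name and parameters are illustrative, not from the thread.
function Get-ErrorEventsInWindow {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [string]$LogName = 'System',
        [Parameter(Mandatory = $true)][datetime]$Start,
        [Parameter(Mandatory = $true)][datetime]$End,
        [int[]]$ExcludeId = @()
    )

    # Event log XPath compares TimeCreated/@SystemTime in UTC, so convert local times first.
    $fmt  = "yyyy-MM-dd'T'HH:mm:ss.fff'Z'"
    $from = $Start.ToUniversalTime().ToString($fmt)
    $to   = $End.ToUniversalTime().ToString($fmt)

    $clauses = @(
        'Level=2'   # 2 = Error
        "TimeCreated[@SystemTime>='$from' and @SystemTime<='$to']"
    )
    # One "EventID!=n" clause per excluded ID; @() keeps an empty list from adding a null.
    $clauses += @($ExcludeId | ForEach-Object { "EventID!=$_" })
    $xpath = '*[System[' + ($clauses -join ' and ') + ']]'

    foreach ($computer in $ComputerName) {
        try {
            # The filter runs in the event log service, so only matching records come back.
            Get-WinEvent -ComputerName $computer -LogName $LogName -FilterXPath $xpath -ErrorAction Stop |
                Select-Object MachineName, Id, TimeCreated, LevelDisplayName, ProviderName, Message
        } catch {
            # Get-WinEvent raises an error when nothing matches or the host is unreachable.
            Write-Warning "${computer}: $($_.Exception.Message)"
        }
    }
}

# Server 1 case from the question: 13/01/2013, 12:00am to 2:00am local time.
$start = [datetime]'2013-01-13'
Get-ErrorEventsInWindow -Start $start -End $start.AddHours(2) -ExcludeId 1111, 50

# Overnight case: 8pm yesterday to 8am today, relative to whenever the script is run.
$evening = (Get-Date).Date.AddDays(-1).AddHours(20)
Get-ErrorEventsInWindow -Start $evening -End $evening.AddHours(12) -ExcludeId 1111, 50 |
    ConvertTo-Html -Fragment
```

Pass the `$Servers` list from the question as `-ComputerName` to query the remote machines; the result objects carry `MachineName`, so the per-server rows stay distinguishable in the HTML output.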