Event Log queries from Powershell

  • Question

  • Hello,

    I am having a quite difficult time finding the exact information I am looking for in regards to the Get-WinEvent cmdlet. I did however figure out how to filter the information I wanted for the Get-EventLog cmdlet. I would like to retrieve only Errors, Critical, and Warning events, and only those that have occurred in the last 24 hours. I see lots of examples to get just logs that are not empty, sort by ID number, etc. I did read about -FilterXML for the Get-WinEvent cmdlet. However each time I make my query, go to the XML tab on the Filter Current Log dialog box, copy the contents to the clipboard and put them into a line to use the filter it fails. Each modification I have tried to use returns an error. If at all possible, I would like to filter this without using an XML so that way my successor can examine my code and update/modify as needed for different nodes. My environment is mixed with 2K3 DCs and 2K8 Hyper-V servers with both Windows XP and Windows 7 clients. The purpose is just to return the entries in the System, and Application logs that basically suppress the information entries. The results will be sent via Out-File cmdlet with append where needed and attached to an e-Mail and sent to all individuals in my department. I can create the entire script once I figure out how to filter to suppress the information entries in the desired logs. Any and all help would be greatly appreciated. Here is a sample of what I have tried which doesn't seem to work properly.

    [Get-WinEvent -ComputerName "x.x.x.x." -logname Application | Where-Object {$_.DisplayName -eq "error"}]

    I get it to run, but it returns an Unauthorized Exception has occurred. The execution policy I temporarily set to unrestricted to see if that was the issue, but to no avail.

     

    Thank you.

    Wednesday, November 9, 2011 11:55 PM

Answers

  • This will get all error and warning events for the past 24 hours:

    $yday = (Get-Date).AddDays(-1)
    Get-EventLog -LogName Application -ComputerName some-pc -After $yday -EntryType Error, Warning
    


    [string](0..9|%{[char][int](32+("39826578840055658268").substring(($_*2),2))})-replace "\s{1}\b"
    Thursday, November 10, 2011 5:23 AM
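The same 24-hour Critical/Error/Warning filter can be written for Get-WinEvent with -FilterHashtable instead of XML, keeping the Get-EventLog call from the answer above as the path for XP and Server 2003 nodes. This is an added example, not code from any poster in this thread; the function name, the -Legacy switch, the host name and the output path are hypothetical, and it assumes Windows PowerShell with an account that has administrative rights on the target.

```powershell
# Added example; function name, -Legacy switch, host name and path are hypothetical.
function Get-RecentProblemEvent {
    param(
        [Parameter(Mandatory = $true)] [string] $ComputerName,
        [string[]] $LogName = @('System', 'Application'),
        [int]      $Hours   = 24,
        [switch]   $Legacy   # set for XP / Server 2003 targets
    )
    $since = (Get-Date).AddHours(-$Hours)

    if ($Legacy) {
        # Classic API: one log per call, and there is no Critical entry type.
        foreach ($log in $LogName) {
            Get-EventLog -LogName $log -ComputerName $ComputerName -After $since `
                         -EntryType Error, Warning |
                Select-Object @{n='Computer';e={$ComputerName}}, @{n='Log';e={$log}},
                              @{n='Time';e={$_.TimeGenerated}},
                              @{n='Level';e={$_.EntryType}},
                              @{n='Id';e={$_.EventID}}, Source, Message
        }
        return
    }

    # Level 1 = Critical, 2 = Error, 3 = Warning; Information (4) is left out.
    # The hashtable is turned into a query, so no Where-Object pass is needed.
    $filter = @{ LogName = $LogName; Level = 1, 2, 3; StartTime = $since }
    try {
        Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
            Select-Object @{n='Computer';e={$ComputerName}}, @{n='Log';e={$_.LogName}},
                          @{n='Time';e={$_.TimeCreated}},
                          @{n='Level';e={$_.LevelDisplayName}},
                          Id, @{n='Source';e={$_.ProviderName}}, Message
    }
    catch {
        # A quiet log is not a failure; anything else (access denied, RPC) is.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') { throw }
    }
}

# Usage (hypothetical host and path):
# Get-RecentProblemEvent -ComputerName 'hv01' | Out-File C:\Reports\events.txt -Append
# Get-RecentProblemEvent -ComputerName 'dc01' -Legacy | Out-File C:\Reports\events.txt -Append
```

Both branches emit the same property set, so results from Vista-or-later and legacy nodes can be appended to one report file.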

All replies

  • Only works from and to Vista or later OS machines.

    'Unauthorized' indicates that you are not an admin on the remote machine.

    If you want further assistance you need to post your script and a copy of the exact and complete error message.

     

     

     


    jv
    Thursday, November 10, 2011 1:37 AM