CaussyR
asked on
PowerShell 3.0 Parse Event Logs
Hi everyone,
I have been searching for a PowerShell script that searches the Description part of the event log in the System logs. The description might mention 'fatal' while the event IDs differ, hence the need to search the description.
If anyone can assist, I would be very much grateful.
Thanks
ASKER
Rather than state the location of the .evt file, I need something similar to the below, which at the moment is not working:
Get-WinEvent -computername RAJC -Logname Security -max 10 | Select ID,Level,Message | Where-Object { $_.Message | findstr /C:"stopped"}
I am trying to get to a script where I can enter the hostname and the keyword to find; then PS will check the necessary event log. But for starters I just need to parse the event log...
Thanks for your reply.
ASKER CERTIFIED SOLUTION
SOLUTION
ASKER
I tried the above but Get-WinEvent didn't bring back any message data. Get-EventLog does bring back the message data. I would prefer to use Get-WinEvent as it works a lot faster.
If I understood the question, you are trying to find events which contain a specific word, i.e. 'fatal', and it doesn't matter which event ID it is.
Try something like this.
Get-EventLog -LogName Application -Newest 10 | where{$_.Message -match "fatal"}
Get-WinEvent doesn't return any data?
Get-WinEvent -LogName system -MaxEvents 10 | where{$_.message -match "fatal"}
ASKER
So, when I run just: get-winevent -LogName System -MaxEvents 10, the Message data is not displayed.
Therefore, I think I need to use Invoke-Command to run Get-EventLog.
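The Invoke-Command route the asker mentions above, written out as an added example (not code from the thread). The keyword filter runs on the remote host over WinRM, so only matching events cross the network and the Message text is rendered on the machine that owns the log, where the provider's message resources are present. It uses Get-EventLog, which the asker reports does return Message data, and PS2-compatible syntax (no member enumeration such as (collection).Message). The function name and parameters are mine; RAJC in the usage line is the host name from the thread.

```powershell
# Added example, not code from the thread: keyword search over event Message text,
# executed on the remote host via Invoke-Command (WinRM) rather than pulled locally.
function Find-RemoteEventMessage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [Parameter(Mandatory = $true)][string]$Keyword,
        [string]$LogName = 'System',
        [int]$Newest = 500
    )

    # Escape the keyword so input such as "C:\" or "(fatal)" is matched literally by -match
    # rather than being interpreted as a regular expression.
    $pattern = [regex]::Escape($Keyword)

    # Everything inside this script block runs on the target; only the filtered,
    # projected objects are serialized back to the caller.
    $remoteFilter = {
        param($LogName, $Pattern, $Newest)
        Get-EventLog -LogName $LogName -Newest $Newest |
            Where-Object { $_.Message -match $Pattern } |
            Select-Object TimeGenerated, EventID, EntryType, Source, Message
    }

    # Invoke-Command tags each returned object with PSComputerName; keep it so results
    # from several hosts stay attributable when they are merged into one list.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock $remoteFilter `
                   -ArgumentList $LogName, $pattern, $Newest |
        Select-Object PSComputerName, TimeGenerated, EventID, EntryType, Source, Message
}

# Usage: the target needs Enable-PSRemoting, and the caller needs read access to the log
# (membership of Event Log Readers or local Administrators on the target).
# Find-RemoteEventMessage -ComputerName 'RAJC' -Keyword 'fatal' -Newest 200 |
#     Format-Table -AutoSize -Wrap
```

Passing the escaped pattern through -ArgumentList rather than interpolating it into the script block keeps user-supplied text out of code that is compiled and run on the remote side; the remote side only ever sees it as a string value.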
Are you trying to get results from a remote computer? Is remote management enabled on the computer(s)?
Where exactly are you running the cmdlets? Is the PowerShell console running as an "Administrator"?
(get-winevent -LogName System -MaxEvents 10).Count
should display 10. If it doesn't, something is wrong. Are you executing that on Vista or above?
Are you by chance running this from a file and missing errors from the console?
ASKER
I am running Windows 7 Enterprise as an Administrator, and I have tried running the query as a Domain Admin. I have enabled $PSRemoting on each server, and when using (get-winevent -LogName System -MaxEvents 10).Count it returns the number 10 as expected. I also substituted .Count with .Message, which did not work either.
PS3 allows the usage of @(some collection).objectproperty, but PS2 does not. W7 by default uses PS2. That is the only possible reason I can find. If I'm correct,
get-winevent System -max 10 | select message
returns something.
SOLUTION
$a = get-winevent -path [path to evt] -MaxEvents nnn -Oldest |
where-object {$_.message -match "fatal"}
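An added example (not code from the thread) that covers both the asker's requirement earlier in the thread (host name plus keyword against a live log) and the solution just above (a saved .evt/.evtx file) in one Get-WinEvent function. Log name, level and time window are filtered on the server side with -FilterHashtable (the documented LogName, Level and StartTime keys); the keyword has to be matched on the client because the rendered Message text is not part of the event XML and so cannot be queried with a hashtable or XPath filter. The function name, parameters, computer names and file paths below are mine, not values from the thread.

```powershell
# Added example, not code from the thread: keyword search over event Message text with
# Get-WinEvent, against a live (local or remote) log or a saved .evt/.evtx/.etl file.
function Search-EventMessage {
    [CmdletBinding(DefaultParameterSetName = 'Live')]
    param(
        [Parameter(Mandatory = $true)][string]$Keyword,
        [Parameter(ParameterSetName = 'Live')][string]$LogName = 'System',
        [Parameter(ParameterSetName = 'Live')][string]$ComputerName,   # empty = local machine
        [Parameter(ParameterSetName = 'Live')][datetime]$StartTime,
        [Parameter(ParameterSetName = 'Live')][int[]]$Level,           # 1 Critical, 2 Error, 3 Warning, 4 Information
        [Parameter(ParameterSetName = 'File', Mandatory = $true)][string]$Path,
        [int]$MaxEvents = 1000
    )

    # Match the keyword literally; -match would otherwise treat it as a regular expression.
    $pattern = [regex]::Escape($Keyword)

    # Get-WinEvent reports "no events matched" as a non-terminating error, so errors are
    # silenced here. Switch to -ErrorAction Continue when troubleshooting connectivity or
    # access-denied problems, which are reported the same way.
    $query = @{ MaxEvents = $MaxEvents; ErrorAction = 'SilentlyContinue' }
    if ($PSCmdlet.ParameterSetName -eq 'File') {
        # -Oldest reads the file from its first record; it is required for .evt and .etl files.
        $query['Path']   = $Path
        $query['Oldest'] = $true
    } else {
        $filter = @{ LogName = $LogName }
        if ($StartTime) { $filter['StartTime'] = $StartTime }
        if ($Level)     { $filter['Level']     = $Level }
        $query['FilterHashtable'] = $filter
        if ($ComputerName) { $query['ComputerName'] = $ComputerName }
    }
    $events = @(Get-WinEvent @query)

    # Message is rendered from the provider's message resources. When they cannot be
    # resolved the property is empty, and a text filter then matches nothing; report that
    # rather than letting it look like "no event mentions the keyword".
    $blank = @($events | Where-Object { -not $_.Message }).Count
    if ($blank -gt 0) {
        $msg = '{0} of {1} events have an empty Message and cannot be matched on text; fall back to Id/ProviderName or search on the source host.'
        Write-Warning ($msg -f $blank, $events.Count)
    }

    $events |
        Where-Object { $_.Message -match $pattern } |
        Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, MachineName, Message
}

# Usage (placeholder names):
# Search-EventMessage -ComputerName 'SERVER01' -LogName System -Keyword 'fatal' -Level 1,2 -StartTime (Get-Date).AddDays(-1)
# Search-EventMessage -Path 'C:\exports\System.evtx' -Keyword 'fatal' -MaxEvents 5000
```

Narrowing by Level and StartTime before the text match is what keeps this fast on a busy System log: the Message comparison is the expensive part, and it only runs on the events the server has already reduced the set to. The empty-Message warning is the check a practitioner wants when a remote query returns "nothing", since it distinguishes "no event mentions the keyword" from "the text could not be rendered here".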