Solved

PowerSehll 3.0 Parse Event Logs

Posted on 2014-01-08
15
765 Views
Last Modified: 2014-01-14
Hi everyone,

I have been searching for a PowerShell script that searched the Description part of the event log in the system logs.  Therefore, if the description mentions 'fatal' but the event id were different, hence the need to search the description.

If anyone can assist very much grateful.

Thanks
0
Comment
Question by:CaussyR
  • 4
  • 4
  • 4
  • +2
15 Comments
 
LVL 12

Expert Comment

by:David Paris Vicente
ID: 39765083
Something like this?

$a = get-winevent -path [path to evt] -oldest nnn |
  where-object {$_.message -match "fatal"}
0
 

Author Comment

by:CaussyR
ID: 39765127
Rather than state the location of the evt file, I need this similar to the below, which at the moment is not working :

Get-WinEvent -computername RAJC -Logname Security -max 10 | Select ID,Level,Message | Where-Object { $_.Message | findstr /C:"stopped"}

I am trying to get to a script where I can enter the hostname and key word to find then PS will check the necessary event log but for starters just need to parse the event log...

Thanks for your reply.
0
 
LVL 18

Accepted Solution

by:
Steven Harris earned 167 total points
ID: 39765166
What is the error received on your code?  Perhaps:

Get-WinEvent : Could not retrieve information about the Security log. Error: Attempted to perform an unauthorized
operation..
>

Now try this:

Get-WinEvent -computername RAJC -Logname Application -maxEvents 10 | 
Select ID,Level,Message | Where-Object { $_.Message | findstr /C:"stopped"}

Open in new window


What error do you get (if any)?
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 69

Assisted Solution

by:Qlemo
Qlemo earned 167 total points
ID: 39765181
Don't use findstr here, that involves a lot of overhead.
For local events, filtering at client side is ok, or if you only parse a few records:
Get-WinEvent -LogName System | ? { $_.Message -like '*stopped*' } | select ID, Level, Message

Open in new window

For remote logs you should try to create a filter XML via the EventLog viewer, and use that filter string in Get-WinEvent -FilterXML, to allow for filtering on the remote machine.
0
 

Author Comment

by:CaussyR
ID: 39765284
I tried the above but get-winevent didn't bring back any message data.  Get-eventlog does bring back the message data.  I would prefer to use get-winevent as this works a lot faster.
0
 
LVL 12

Expert Comment

by:Vaseem Mohammed
ID: 39765357
If I understood the question, you are trying to find events which contains spcific word i.e., fatal.
and it doesn't matters which event ID it is.

Try something like this.

Get-EventLog -LogName Application -Newest 10 | where{$_.Message -match "fatal"}
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 39765665
Get-WinEvent doesn't return any data?
0
 
LVL 12

Expert Comment

by:Vaseem Mohammed
ID: 39765899
Get-WinEvent -LogName system -MaxEvents 10 | where{$_.message -match "fatal"}
0
 

Author Comment

by:CaussyR
ID: 39766555
So, when I run just : get-winevent -LogName System  -MaxEvents 10 the Message data is not displayed.

Therefore, I think I need to use the invoke-command to run get-eventlog.
0
 
LVL 12

Expert Comment

by:Vaseem Mohammed
ID: 39766566
are you trying to get result from remote computer? is remote management enabled on computer/s?
where exactly you are running the cmdlets? if the powershell console running as an "Administrator"
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 39766627
 (get-winevent -LogName System  -MaxEvents 10).Count
should display 10. If it doesn't, something is wrong. You are executing that on Vista or above?
0
 
LVL 18

Expert Comment

by:Steven Harris
ID: 39766648
Are you by chance running this from a file and missing errors from the console?
0
 

Author Comment

by:CaussyR
ID: 39767261
I am running Windows 7 Enterprise as an Administrator and I have tried running the query as a Domain Admin. I have enabled $PSRemoting on each server and when using  (get-winevent -LogName System  -MaxEvents 10).Count only returns the number 10 as expected and I did substitute .count to .message which also did not work.
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 39767406
PS3 allows that usuage of @(some collection).objectproperty, but PS2 does not. W7 by default uses PS2. That is the only possible reason I can find. If I'm correct,
 get-winevent System -max 10 | select message
returns something.
0
 
LVL 12

Assisted Solution

by:Vaseem Mohammed
Vaseem Mohammed earned 166 total points
ID: 39767571
since you are trying to retrieve logs from remote computer you need to provide the name of computer in -ComputerName Parameter.

For one server use
Get-WinEvent -ComputerName <your srv name> -LogName system -MaxEvents 10

Open in new window

Replace <your srv name> with the name of server
once your get some data then use to filter
Get-WinEvent -ComputerName <your srv name> -LogName system -MaxEvents 10 | where{$_.message -match "fatal"} 

Open in new window

0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Utilizing an array to gracefully append to a list of EmailAddresses
When you try to extract and to view the contents of a Microsoft Update Standalone Package (MSU) for Windows Vista, you cannot extract the files from the MSU. Here we are going to explain how to extract those hotfix details without using any third pa…
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question