Tinus EngOps Wiki
OpsaC - Operating as PowerShell code
Links
Home PowerShell Blog PowerShell Index PowerShell SearchAdditional Websites
View my GitHub Profile View my GitHub Gists View Tinus IT Wiki View my Photo WebsiteRead and write Eventlog
published: May 24, 2019 author: Tinu tags: PowerShell categories: PowerShell-Eventlog
Table of Contents
Read from Eventlog
We known two Eventlogs, Windows (classic) Logs and Application and Services Logs.
Windows Logs
The cmdlets that contain the EventLog noun (the EventLog cmdlets) works only on classic event logs such as Application, System, Setup, and Security.
$params = @{
LogName = 'Application'
Newest = 10
}
Get-EventLog @params
Application and Services Logs
To get events from logs that use the Windows Event Log technology in Windows Vista and later versions of the Windows operating system, use the Get-WinEvent cmdlet.
Filter on LogName
$params = @{
LogName = 'Microsoft-Windows-PowerShell/Operational'
MaxEvents = 10
}
Get-WinEvent @params | Select-Object TimeCreated,Id,LogName,ProviderName,Message
Filter on ProviderName
$params = @{
ProviderName = 'Microsoft-Windows-WindowsUpdateClient'
MaxEvents = 10
}
Get-WinEvent @params | Select-Object TimeCreated,Id,LogName,ProviderName,Message
Filter on Ids
$params = @{
LogName = 'Microsoft-Windows-PowerShell/Operational'
Id = 4104, 4103, 4688, 7045
}
Get-WinEvent -FilterHashtable $params | Select-Object TimeCreated,Id,ProviderName,Message
Filter on Dates
$params = @{
LogName = 'Microsoft-Windows-PowerShell/Operational'
StartTime = (Get-Date).AddDays(-1)
EndTime = Get-Date
}
Get-WinEvent -FilterHashtable $params | Select-Object TimeCreated,Id,ProviderName,Message
Write your own ProviderName
You can write your own ProviderName (EventsourceName). Before that, test if the EventsourceName already exists.
Test EventsourceName
function Test-MWAEventsourceName{
[CmdletBinding()]
param(
[Parameter(Mandatory=$true)]
[String] $EventsourceName
)
$ret = $false
try{
$ret = [System.Diagnostics.EventLog]::SourceExists($EventsourceName)
}
catch{
$Error.Clear()
}
return $ret
}
Test-MWAEventsourceName -EventsourceName 'MWA-PowerShell-Automation'
Write new EventsourceName
# run as administrator
$eventlogname = 'Application'
$providername = 'MWA-PowerShell-Automation'
New-EventLog –LogName $eventlogname –Source $providername
Write to Eventlog
$eventlogname = 'Application'
$providername = 'MWA-PowerShell-Automation'
Write-EventLog –LogName $eventlogname –Source $providername –EntryType Information –EventID 1024 –Message 'Test new ProviderName'
Remove your EventsourceName
Run as administrator
$providername = 'MWA-PowerShell-Automation'
[System.Diagnostics.EventLog]::DeleteEventSource($providername)
Restart History
Create a restart history
$LastBootupTime = (Get-CimInstance Win32_OperatingSystem).LastBootupTime
[DateTime]$StartTime = $LastBootupTime.AddHours(-1)
[DateTime]$EndTime = $LastBootupTime.AddHours(1)
Write-Host "LastBooupTime $(Get-Date $LastBootupTime -f 'yyyy-MM-dd HH:mm:ss')"
EventLog Service messages:
Get-WinEvent -FilterHashtable @{
Logname = 'System'
StartTime = $StartTime
EndTime = $EndTime
} | Where Id -match '600\d' | Select TimeCreated,Id,Message,ProviderName | Format-Table
Application.exe has initiated the restart of computer:
$RestartyApplication = Get-WinEvent -FilterHashtable @{
Logname = 'System'
StartTime = $StartTime
EndTime = $EndTime
} | Where Id -match '1074' | Select TimeCreated,Id,Message,ProviderName
foreach($item in $RestartyApplication){
if($_.Message -match 'CCM\\TSManager\.exe'){
$message = "Restarted by System Center Configuration Manager"
}elseif($_.Message -match 'VMware Tools\\vmtoolsd.exe'){
$message = "Restarted by VMware Tools (API)"
}else{
$message = $_.Message
}
[PSCustomObject]@{
TimeCreated = $item.TimeCreated
EventId = $item.Id
Message = $message
ProviderName = $item.ProviderName
}
}
See also
How to Use PowerShell to Write to Event Logs on devblogs.microsoft.com