Using PowerShell Put Some Power in Your Event Logs.

Using the GUI to scan your event logs can take some time. Find it faster with a Get-EventLog cmdlet.

By Jeffery Hicks

Managing event logs using the standard GUI management tools is often cumbersome, especially when you’re trying to find specific information in a large log file. Fortunately, PowerShell is a champ at working with event logs using the Get-Eventlog cmdlet. The cmdlet has more features than I have space to cover in a such a short column, but let me show you how to use it to display a boot history for a given computer.

Typically when a computer system starts up, Event ID 6005 is recorded, indicating that the Event log service has started. By finding all instances of this event, you can get a pretty good idea when a server was started up. This isn’t a foolproof method, but I want to demonstrate something practical using the Get-Eventlog cmdlet.

Here’s the expression and a sampling of the output. Normally the expression would all be on one line. I’ve broken the expression up for formatting purposes:

PS C:\> get-eventlog -logname system ‘
>> where {$_.eventid -eq 6005} ‘
>> select -property message,timegenerated
>>
Message TimeGenerated——- ————-
The Event log service was started. 11/17/2006 10:08:33 AM
The Event log service was started. 11/17/2006 8:11:03 AM
The Event log service was started. 11/15/2006 10:49:24 AM
The Event log service was started. 11/14/2006 1:49:55 PM
The Event log service was started. 11/10/2006 3:54:37 PM

The expression asks the Get-Eventlog cmdlet to get all records of the system event log. The output is then filtered by the Where-Object cmdlet so that it returns records where the event ID is 6005. Finally, since I’m primarily interested in the time when the log was created, I pipe the result through the Select-Object cmdlet to display only the message and time generated properties. The resulting table indicates approximately all the times this server was started. I’m sure you can think of many ways to enhance or modify this expression to pull out other information from the event logs using PowerShell. I’ll be visiting this topic again in the future.

Comment: http://mcpmag.com/columns/article.asp?EditorialsID=1632#post

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: