CTP3 – Get-EventLog

No doubt there will be a mass of posts on the new features in CTP3 over the next weeks and months. What I want to do is concentrate on the features that are of most benefit to administrators, starting with the functionality for working with event logs. I have blogged a number of times about writing scripts to go beyond the Get-EventLog of PowerShell version 1; most of that functionality is now available as cmdlets. We now have a set of cmdlets for working with event logs:

Clear-EventLog
Get-EventLog
Limit-EventLog
New-EventLog
Remove-EventLog
Show-EventLog
Write-EventLog

We'll start by looking at what is new in Get-EventLog and then look at the others. Get-EventLog brings a bunch of new parameters:

* LogName
ComputerName
* Newest
After
Before
UserName
InstanceId
Index
EntryType
Source
Message
AsBaseObject
* List
* AsString

Parameters marked * were already present in PowerShell v1.

Note: I have deliberately left off the common parameters (-Verbose, -ErrorAction and so on).

One of the most obvious additions is the ComputerName parameter: we can now work with logs on remote computers. We don't need PowerShell remoting enabled for this. The cmdlet talks to the remote computer's Event Log service over RPC, so the remote firewall must allow that traffic (on Windows Server 2008 and Vista that is the "Remote Event Log Management" rule group) and the account you run as needs read access to the log you ask for; reading the Security log remotely needs administrative rights or membership of the Event Log Readers group on that machine. Get-EventLog also only sees the classic logs, i.e. Application, System, Security and any other log registered under HKLM\SYSTEM\CurrentControlSet\Services\EventLog; the Applications and Services Logs introduced with Vista are not visible to it.

Get-EventLog -List -ComputerName pcrs2

-After and -Before allow us to view the log between two time bounds:

$d1 = (Get-Date).AddDays(-5)
$d2 = (Get-Date).AddDays(-2)
Get-EventLog -LogName system -After $d1 -Before $d2

Index enables us to access a particular entry (the Index is unique within the current contents of a log, so it is a handy key when comparing results). InstanceId means we can pick out a particular type of entry. Note that InstanceId is not necessarily the same as the EventID shown in Event Viewer: the EventID is the InstanceId with the severity and facility bits masked off, so Service Control Manager's EventID 7036 appears in the InstanceId property as 1073748860 (0x40001B7C). If -InstanceId returns nothing for an ID you copied from Event Viewer, read the InstanceId off an existing entry from the same source first.

Using -EntryType means we can select by the type of entry, i.e.

Error
Warning
Information
SuccessAudit
FailureAudit

such as

Get-EventLog -LogName system -EntryType Error

With the -Source parameter we can filter on the source that wrote the entry, and -Message lets us select on the message text. Both accept wildcards, so -Message '*stopped*' finds every entry whose message contains that word.
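As an added example (not code from the original post), here is one selection done the v1 way, by piping every entry into Where-Object, and the CTP3 way, with the selection expressed as parameters, followed by a check that both pick exactly the same entries and a look at how InstanceId relates to EventID. It assumes only that the local System log contains entries from Service Control Manager, which is true of any Windows machine.

```powershell
# Added example, not from the original post. Assumes the local System log contains
# entries from Service Control Manager (true on any Windows machine).
$after  = (Get-Date).AddDays(-7)
$before = Get-Date

# PowerShell v1 style: Get-EventLog hands back every entry and Where-Object throws most away.
$v1 = Get-EventLog -LogName System |
    Where-Object { $_.EntryType -eq 'Error' -and
                   $_.Source -eq 'Service Control Manager' -and
                   $_.TimeGenerated -gt $after -and $_.TimeGenerated -lt $before }

# CTP3 style: the same selection as parameters, filtered in one pass by the cmdlet.
$v2 = Get-EventLog -LogName System -EntryType Error -Source 'Service Control Manager' `
                   -After $after -Before $before

# Index is unique within a log, so comparing the sorted Index lists shows whether the
# two approaches picked exactly the same entries. [string]::Join copes with empty results.
$v1Keys = [string]::Join(',', [string[]]@($v1 | ForEach-Object { $_.Index } | Sort-Object))
$v2Keys = [string]::Join(',', [string[]]@($v2 | ForEach-Object { $_.Index } | Sort-Object))
if ($v1Keys -eq $v2Keys) {
    "Both approaches returned the same $(@($v2).Count) entries"
} else {
    Write-Warning 'The Where-Object and parameter filters disagree'
}

# InstanceId versus EventID. Event Viewer shows the EventID, which is the InstanceId with the
# severity/facility bits masked off; Service Control Manager's EventID 7036 is InstanceId
# 1073748860 (0x40001B7C). Read the InstanceId off a real entry before using -InstanceId:
$sample = Get-EventLog -LogName System -Source 'Service Control Manager' -Newest 500 |
    Where-Object { $_.EventID -eq 7036 } |
    Select-Object InstanceId, EventID -First 1
$sample
if ($sample) {
    # With the right InstanceId the same events can now be selected in one pass.
    Get-EventLog -LogName System -InstanceId $sample.InstanceId -After $after |
        Select-Object -First 5 TimeGenerated, EventID, InstanceId, Message
}
```

The Index comparison is worth keeping in any script that migrates a v1 Where-Object filter to the new parameters: it is the quickest way to prove the new one-pass query still selects the entries you expect.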

These new parameters let us interrogate the event logs far more simply. All of this could be done in v1, but we had to pipe every entry into Where-Object to filter it; now the selection is expressed as parameters and done in one pass inside the cmdlet. Add the ability to read logs on remote computers and we can really start to integrate the data across our server logs. For instance, we can easily check the Security logs on a number of domain controllers for logons in a certain time frame.
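The multi-domain-controller check described above, as an added example that is not part of the original post. The DC names dc1, dc2 and dc3 are placeholders; the DCs are assumed to run Windows Server 2008, where a successful logon is Security EventID 4624 (on Server 2003 it is 528 or 540), and the account running the script is assumed to have read access to each DC's Security log.

```powershell
# Added example, not from the original post. dc1/dc2/dc3 are placeholder names; assumes
# Windows Server 2008 domain controllers and an account that can read their Security logs.
$dcs    = 'dc1', 'dc2', 'dc3'
$after  = (Get-Date).AddHours(-24)
$before = Get-Date

$logons = $dcs | ForEach-Object {
    $dc  = $_
    $err = $null
    # One pass per DC: only successful logons (EventID 4624; 528/540 on Server 2003)
    # inside the window come back. Get-EventLog uses RPC to the remote Event Log service,
    # so a DC that blocks RPC or refuses access produces a warning instead of aborting the loop.
    Get-EventLog -ComputerName $dc -LogName Security -EntryType SuccessAudit -InstanceId 4624 `
                 -After $after -Before $before -ErrorAction SilentlyContinue -ErrorVariable err
    if ($err) { Write-Warning "$dc : $($err[0].Exception.Message)" }
}

# In the Server 2008 4624 message layout the target account is ReplacementStrings[5], its
# domain [6] and the logon type [8]. Guard against entries with fewer strings, and drop
# computer accounts (names ending in $) so the machine-to-DC noise does not swamp the users.
$logons |
    Where-Object { $_.ReplacementStrings.Count -gt 8 -and
                   $_.ReplacementStrings[5] -notlike '*$' } |
    Select-Object MachineName, TimeGenerated,
        @{n='Account';   e={ $_.ReplacementStrings[6] + '\' + $_.ReplacementStrings[5] }},
        @{n='LogonType'; e={ $_.ReplacementStrings[8] }} |
    Group-Object MachineName, Account, LogonType |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Each row of the output is one DC, account and logon type with the number of logons seen in the window, so an account authenticating against several DCs, or an unexpected interactive logon on a DC, stands out at a glance.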

 

This entry was posted in Powershell.
