Tuesday 27 September 2016

Querying/Checking Windows Event Viewer Logs with PowerShell

PowerShell has a cmdlet you can use to check/query the Windows event log. You can customize this cmdlet in several ways to refine the information that is returned.

For example, you can use the -After switch to only return event log entries after a certain date, such as only the events from the past day (24 hours).

You can also filter the type of entries that are returned. An example would be to only return Warning or Error entries, and ignore any "Information" type entries.

Let's start with the basic command:

Get-EventLog -LogName "Application"

This command will return all entries within the Application log, which will usually be a lot, and not very useful. You can also use "System" or "Security" as the other default logs (reading the Security log requires an elevated PowerShell session).

Let's refine the command further, to only return entries for the past day. To do this we will store the current date in the $date variable, and then subtract one day from that value:

$date = Get-Date
$date = $date.AddDays(-1)

We can now use this $date variable to return all event log entries AFTER this date (using the -After switch):

Get-EventLog -LogName "Application" -After $date

The command will now return ALL events from the Application log from the past 24 hours. Let's refine it a bit further and filter the results so only Warning and Error entries are returned:

Get-EventLog -LogName "Application" -After $date | Where-Object {$_.EntryType -ne "Information"}

Of course you can store the results in a variable so they can be further queried using subsequent commands:

$events = Get-EventLog -LogName "Application" -After $date | Where-Object {$_.EntryType -ne "Information"}
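Putting the steps above together, here is an added example (my own code, not from the original post) that wraps the query in a reusable function and summarises the Warning/Error entries per source, so repeated problems stand out instead of scrolling past. The function name and parameters are my own choices; the -EntryType parameter of Get-EventLog is used in place of the Where-Object filter.

```powershell
# Added example, not part of the original post. Get-EventLog reads the classic
# logs and exists in Windows PowerShell 5.1; on PowerShell 7 use Get-WinEvent.
function Get-RecentProblemEvents {
    [CmdletBinding()]
    param(
        [string]$LogName = 'Application',
        [int]$Hours = 24,
        # Reading the Security log needs an elevated (administrator) session.
        [string]$ComputerName = 'localhost'
    )

    # Same idea as the post's $date, but expressed in hours.
    $since = (Get-Date).AddHours(-$Hours)

    # -EntryType keeps only the named types, instead of excluding "Information".
    $events = Get-EventLog -LogName $LogName -ComputerName $ComputerName `
                           -After $since -EntryType Warning, Error

    # Group by Source so noisy components float to the top, and keep the
    # newest entry per source as a sample message.
    $events |
        Group-Object -Property Source |
        Sort-Object -Property Count -Descending |
        ForEach-Object {
            $latest = $_.Group | Sort-Object TimeGenerated -Descending | Select-Object -First 1
            [pscustomobject]@{
                Source      = $_.Name
                Count       = $_.Count
                Errors      = @($_.Group | Where-Object EntryType -eq 'Error').Count
                Warnings    = @($_.Group | Where-Object EntryType -eq 'Warning').Count
                Latest      = $latest.TimeGenerated
                LastMessage = ($latest.Message -split "`n")[0]
            }
        }
}

# Usage: last day of Application problems, then two days of System problems.
Get-RecentProblemEvents | Format-Table -AutoSize
Get-RecentProblemEvents -LogName System -Hours 48 | Format-Table -AutoSize
```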
