1
votes

I have a script to read the last 30 entries for the Application and System event logs. Currently the script only works on my machine and only outputs a partial message (see below for example).

411905 May 05 15:05 Information Microsoft-Windows... 1501 The Group Policy settings for the user were processed successfully. There were no changes detected since the last succ...

Can anyone tell me how the following can be done

  1. Use this for remote computers - I have tried entering the computer name in the format of \domain\computername but it doesn't work
  2. How I can display the full message and not just a section
  3. How I can save the file with the computer name as part of the file name e.g. "mycomputer application log.txt"

My script so far is like this

Get-EventLog -LogName Application -Newest 30  -ComputerName MYCOMPUTER | Out-File -FilePath "D:\Test\Application Event Logs.txt" 

Get-EventLog -LogName System -Newest 30 -ComputerName MYCOMPUTER | Out-File -FilePath "D:\Test\System Event Logs.txt" 

I am new to scripting and thought this could be a useful script to have but I can't get it to work.


1 Answers

3
votes

Remote Computers

If you mean computers in another domain, then I don't think you can using the cmdlet alone.

Instead, you can use PowerShell remoting to run any PowerShell commands that exist on the remote computer. But you have to set up remoting on the remote machine, and use SSL or trusted hosts, with explicit credentials to ensure the connection will be allowed:

$credential = Get-Credential # enter credentials for remote machine
$session = New-PSSession -ComputerName REMOTECOMPUTER -Credential $credential
Invoke-Command -Session $session -ScriptBlock {
    Get-EventLog # parameters
}

The Full Text

It's important to note that what is returned by Get-WinEvent is a complex object. What you see when it's displayed on the screen is just a view. Writing it out to a file directly will also be just a view. Instead, explicitly figure out what you want, build a string, and then write it to a file.

Start by assigning the result of the cmdlet to a variable so that you can inspect it:

$events = Get-WinEvent #params

Now you can look at the results:

$events | Get-Member  # see what properties are available

So then you can see that Message is a property.

To get just the message, you can use Select-Object, and since you want it as a string and not a property, you use -ExpandProperty:

$events | Select-Object -ExpandProperty Message | Out-File #etc

That would write out all the messages (but no other info).

In practice, you might want to operate on each log entry returned and build your string to write to the file:

$events | ForEach-Object {
    # $_ represents the current object
    $msg = $_.Message
    $id = $_.Id
    $timeCreated = $_.TimeCreated

    "A log entry with ID $id was created at $timeCreated, and it says:`r`n`r`n$msg`r`n---------`r`n"
} | Out-File #params

Using the Computer Name

Assuming you know the computer name you're checking in advance, put it in a variable, then embed it in the file name:

$computer = 'MYCOMPUTER'
Get-WinEvent -ComputerName $computer | ForEach-Object {
    # do stuff like above
} | Out-File -FilePath "D:\Whatever\$computer Application Log"
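
The three parts of the answer combined into one script, as an added example that is not part of the original answer. The function name `Export-RecentEvents`, its parameters and the output layout are assumptions; it also assumes the output directory exists and that the account used is allowed to read event logs remotely on each target.

```powershell
# Added example: function name, parameters and file layout are assumptions.
function Export-RecentEvents {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string[]]$LogName = @('Application', 'System'),
        [int]$Newest = 30,
        [string]$OutputDirectory = 'D:\Test',   # must already exist
        [pscredential]$Credential               # optional explicit credentials
    )

    foreach ($computer in $ComputerName) {
        foreach ($log in $LogName) {
            $query = @{ LogName = $log; MaxEvents = $Newest; ComputerName = $computer; ErrorAction = 'Stop' }
            if ($Credential) { $query.Credential = $Credential }

            try {
                $events = Get-WinEvent @query
            }
            catch {
                # Unreachable host, access denied, or no events in the log:
                # report it and carry on with the next log or computer.
                Write-Warning "$computer / $log : $($_.Exception.Message)"
                continue
            }

            # Computer name becomes part of the file name, e.g. "MYCOMPUTER Application log.txt"
            $path = Join-Path $OutputDirectory "$computer $log log.txt"

            $events | ForEach-Object {
                # Build the text explicitly so Message is written in full
                # instead of the truncated default table view.
                @(
                    "Time:     $($_.TimeCreated.ToString('o'))"
                    "Level:    $($_.LevelDisplayName)"
                    "Provider: $($_.ProviderName)"
                    "Id:       $($_.Id)"
                    "Message:"
                    $_.Message
                    ('-' * 60)
                ) -join "`r`n"
            } | Out-File -FilePath $path -Encoding utf8
        }
    }
}

# Example call using the placeholder names from the question and answer
Export-RecentEvents -ComputerName 'MYCOMPUTER', 'REMOTECOMPUTER'
```

A host that cannot be queried produces a warning rather than stopping the run, so a missing output file for a computer points at a reachability or permission problem on that host.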