PowerShell Event ID Searching

PowerShell Event ID Searching

Q: Using Windows PowerShell, how can I search for a specific event ID from the Event Log across multiple machines?

A: PowerShell has the Get-EventLog cmdlet, which is the typical way to get information about events on a system. However, there is no parameter to search for specific event IDs.

The key is to narrow down the event logs, then search for the specific required event ID. For example, I had a case where I needed to find all the policy changes for System Center Endpoint Protection. The events I was looking for were all event ID 5007 and were of type Informational and were sourced from Microsoft Antimalware. I also knew the time period I wanted. I therefore used Get-EventLog to narrow down the returned event logs:

Get-EventLog -LogName System -EntryType Information -After 6/6/2013 -Source "Microsoft Antimalware"

I then passed the output of this to a search for specific event ID 5007 and then formatted as a list:

Get-EventLog -LogName System -EntryType Information -After 6/6/2013 -Source "Microsoft Antimalware" | Where-Object {$_.EventID -eq 5007} | fl

This gave me exactly what I needed for my current server. I then used Invoke-Command to run this across a 16-node cluster:

Invoke-Command -scriptblock {Get-EventLog -LogName System -EntryType Information -After 6/6/2013 -Source "Microsoft Antimalware" | Where-Object {$_.EventID -eq 5007} | fl } -computername node1, node2, node 3

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish