I am trying to get the last 10 events in the «EventLog» logs «Application», «Security» and «System» parallelly. I get an error with this message:
Get-EventLog : Cannot convert 'System.Object[]' to the type 'System.String' required by parameter 'LogName'"
when running the script. The script works when running with only the logname "Application".
Get-Eventlog -Newest 10 -LogName "Application","Security","System"
"Application","Security","System" | ForEach-Object {
Get-Eventlog -Newest 10 -LogName $_
}
That will get you the 10 most recent events in each log. If you want the 10 most recent events of all three logs taken together, you will need to do this:
"Application","Security","System" | ForEach-Object {
Get-Eventlog -Newest 10 -LogName $_
} | Sort-Object -Property TimeGenerated -Descending | Select-Object -First 10
You can't do it the way you are trying, as -LogName requires a string and you are passing an array.
You could accomplish your task by piping an array into a ForEach-Object and going through the logs one at a time. The %{} is an alias for ForEach-Object.
"Application","Security","System" | %{Get-Eventlog -Newest 10 -LogName $_}
Get-eventlog has been replaced by get-winevent. You'd still have to use foreach to get 10 of each. Grouping by logname instead of providername might be less annoying.
echo Application,Security,System | % { get-winevent $_ -maxevents 10 } |
ft -groupby logname
Related
How to display certain lines from a message?
Get-EventLog -LogName Application -EntryType Error -Newest 10 -Message "*3CXPhone.exe*" |
Format-Table -wrap
Specifically in my example, I want to display only 1,2 and 7,8 rows. How to do it?
See my example
Something like this should do it:
$lines = Get-EventLog -LogName Application -EntryType Error -Newest 10 -Message "*.exe*"
for($i=1;$i -lt 10;$i++){
switch ($i)
{
1 {$lines[$i]}
2 {$lines[$i]}
7 {$lines[$i]}
8 {$lines[$i]}
}
}
So basically you create an array $lines. And use a counter $i , to match the counter to the index of the array.
Get-EventLog -LogName Application -EntryType Error -Newest 10 -Message "*.exe*" | where {$_.Message -like '*.exe*'} | Format-Table -wrap
Is there any way to filter event log entries using PowerShell before retrieving them?
i.e.
Instead of:
[string[]]$IgnoredSources = 'SomeValue','SomeOtherValue'
Get-Eventlog -LogName $MyLog -ComputerName $MyComputer `
| ?{$IgnoredSources -notcontains $_.Source} `
| Sort-Object TimeGenerated -Descending `
| Select-Object -First 10
Something like:
Get-Eventlog -LogName $MyLog -ComputerName $MyComputer `
-Filter {(Source -ne 'SomeValue') -and (Source -ne 'SomeOtherValue')} `
-Newest 10
More info
I'm aware that I can add a where-object statement to filter the results pulled back; but that's less efficient than filtering on the server side, and means that commands such as -Newest 100 won't necessarily return 100 results once filtered (i.e. I'd have to pull back the entire event log to ensure that I'd get the latest
I'm also aware that for dates this is possible via the -After and -Before attributes, and that it's possible to provide a list of -Username's and -Source's to limit to those. However if I want to exclude 1 source, or filter on a range of event ids, there seems to be no way at present.
I've looked into using Get-WmiObject instead of Get-EventLog, but whilst this allows the filtering to take place server side, I couldn't determine a way to limit the number of results returned (i.e. returned to my machine before sorting then using select-object's -first to then filter down the results).
Get-WmiObject Win32_NTLogEvent -ComputerName $MyComputer `
-filter "(logfile='$MyLog') and (sourcename != 'SomeValue') and (sourcename != 'SomeOtherValue') " `
| Sort-Object TimeGenerated -Descending `
| Select-Object -First 10
How about Get-WinEvent? Something like this:
Get-WinEvent -ComputerName $MyComputer -MaxEvents 100 -FilterHashtable @{
LogName=$MyLog;
ID=$MyID;
<# etc. #>
}
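An added example, not part of the original answers: -FilterHashtable cannot express "exclude this source" in Windows PowerShell, but Get-WinEvent's -FilterXPath can, and -MaxEvents then limits what is returned after the filter is applied at the source. The helper name New-EventXPath, the ID range 1000 to 1999 and the use of the local computer are assumptions for illustration.

```powershell
# Added example: build an XPath filter so the event log service does the filtering.
function New-EventXPath {                     # hypothetical helper name
    param(
        [string[]]$ExcludeProvider = @(),     # sources (providers) to leave out
        [int]$MinId = 0,                      # inclusive event ID range
        [int]$MaxId = 65535
    )
    if ($MinId -gt $MaxId) { throw "MinId must not exceed MaxId" }

    $clauses = @()
    if ($ExcludeProvider.Count -gt 0) {
        $tests = foreach ($name in $ExcludeProvider) {
            # XPath 1.0 has no escape for quotes inside a literal; reject rather than guess.
            if ($name -match "['""]") { throw "Provider name contains a quote: $name" }
            "@Name!='$name'"
        }
        $clauses += "Provider[$($tests -join ' and ')]"
    }
    $clauses += "(EventID >= $MinId and EventID <= $MaxId)"

    # Everything is a test on the <System> element of the event XML.
    "*[System[$($clauses -join ' and ')]]"
}

$MyLog      = 'Application'                   # assumed values
$MyComputer = $env:COMPUTERNAME

$xpath = New-EventXPath -ExcludeProvider 'SomeValue','SomeOtherValue' -MinId 1000 -MaxId 1999

# Events come back newest first, so -MaxEvents 10 is "the 10 newest that match".
# Get-WinEvent writes a non-terminating error when nothing matches the filter.
Get-WinEvent -LogName $MyLog -ComputerName $MyComputer -FilterXPath $xpath -MaxEvents 10 |
    Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName
```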
Is there a way to pull the most recent 3 error events from the System event log using Get-WMIObject and the win32_ntlogevent class?
$log = Get-WMIobject -ComputerName $server -Credential $cred -class win32_ntlogevent -filter "(logfile='system') AND (type='error')"
I know that Get-EventLog has a -Newest option but I don't see anything like that with WMI
Figured it out
$log | sort TimeGenerated | select -last 3
Don't use WMI for this. Your approach will retrieve all error events from the remote host (which could take quite some time), and then discard all but the latest 3 once you have everything on the local host. Use Get-EventLog and do the filtering at the source:
Get-EventLog -LogName 'System' -EntryType 'Error' -Newest 3
I don't think Wmi query supports limiting the results.
If you are desperate to use your command here is a most inefficient way of getting your expected output -
Get-WMIobject win32_ntlogevent -filter "(logfile='system') AND (type='error')" | select -first 3
Cheers,
G
Get-EventLog -LogName 'System' -EntryType 'Error' -Newest 3
WMI is the far more efficient way, and it returns the log name
$dt = $cdt = Get-Date;$CUmonth = (get-date).adddays(-30);$eventId = Get-EventLog -ComputerName $SystemlogFqdn -LogName 'System' -EntryType 'Error','Warning' -After $CUmonth;"GetMethod: $((New-TimeSpan $dt ($dt = get-date)).totalseconds)"
GetMethod: 163.585552
$dt = $cdt = Get-Date;$CUmonth = (get-date).adddays(-30);$eventID = Get-WmiObject Win32_NTLogEvent -ComputerName $SystemlogFqdn -filter "(logfile='system' AND Type <> 'Information' AND TimeWritten >= '$CUmonth')";"WMIMethod: $((New-TimeSpan $dt ($dt = get-date)).totalseconds)"
WMIMethod: 63.49941
I currently have the code below:
Get-EventLog -LogName Application |
Where-Object EventID -EQ 1033 |
Select-Object EventID, Message
So my question is how can I just show the first 10 characters of the Message?
Use the substring method on your message property.
Get-EventLog -LogName Application | Select-Object EventID, @{Label='Message';Expression={$_.Message.Substring(0,10)}}
Just as a follow up:
Get-EventLog -LogName Application |
Where-Object EventID -EQ 1033 |
Select-Object EventID, @{l="Message";e={$_.message.substring(0,10)}}
I'm new to PowerShell and I am trying to get recent events for a group of logs (right now application and system for testing purposes).
What's missing is a column in the final output showing the log the event came from.
I tried piping the output before the format-table to get member to see if there was a property that contained the logname and there doesn't seem to be one.
Is there a workaround to get this?
What I have right now is:
"application", "system" | foreach { Get-EventLog -LogName $_ -Newest 10 } | sort time -Descending | ft timegenerated, LogName, source, message -wrap -AutoSize
This is what I want, but the LogName column is blank because there's no such property.
Someone may be able to clean this up a little, but you could try this:
"application", "system" | foreach { $events = Get-EventLog -LogName $_ -Newest 10; $events | Add-Member -MemberType NoteProperty -Name LogName -Value (Get-Culture).TextInfo.ToTitleCase($_); $events } | sort timegenerated -Descending | ft timegenerated, LogName, source, message -wrap -AutoSize
I fixed the sort command (typo) and formatted the logname as proper (uppercase first letter) to clean it up.