Programming corner wildboy85: powershell windows eventlog filter

Here is a little powershell line to filter events in powershell:

SYSTEM is the group the event is in
PROVIDERNAME is the category / type
MESSAGE is the content / description of the event
(change the keywords as needed)

# find reboots

Get-WinEvent -LogName System -MaxEvents 10000 | Where-Object {$_.providername -like "*kernel*" -and $_.Message -like "*démarré*"} | format-table Timecreated, Leveldisplayname, message -auto -wrap

# isolate a day to find the cause of the reboot
Get-WinEvent -LogName System -MaxEvents 10000 | Where-Object {$_.timecreated -le "2018-04-19" -and $_.timecreated -gt "2018-04-18 14:00:00"} | format-table Timecreated, Leveldisplayname, message -auto -wrap

remote version:
$machine01 = ""
$login01 = "compagny\user"
$password01 = "usuallydonotputpasswordofadmininascript"

$Credential= New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $login01,($password01 | ConvertTo-SecureString -AsPlainText -Force)

#Get-WinEvent -Credential $Credential -ComputerName $Machine01 -LogName System -MaxEvents 5000 | Where-Object {$_.providername -like "*kernel*" -and $_.Message -like "*démarré*"} | format-table Timecreated, Leveldisplayname, message -auto -wrap

# isolate a day
Get-WinEvent -LogName System -MaxEvents 1500 -Credential $Credential -ComputerName $Machine01 | `
Where-Object {$_.timecreated -le "2018-05-01" -and $_.timecreated -gt "2018-04-14 14:00:00" -and $_.message -like "*vid*"} | `
format-table Timecreated, Leveldisplayname, message -auto -wrap

Programming corner wildboy85

Tuesday, April 24, 2018

powershell windows eventlog filter

No comments:

Post a Comment