{"id":15801,"date":"2011-01-25T00:01:00","date_gmt":"2011-01-25T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2011\/01\/25\/use-powershell-to-parse-saved-event-logs-for-errors\/"},"modified":"2011-01-25T00:01:00","modified_gmt":"2011-01-25T00:01:00","slug":"use-powershell-to-parse-saved-event-logs-for-errors","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/use-powershell-to-parse-saved-event-logs-for-errors\/","title":{"rendered":"Use PowerShell to Parse Saved Event Logs for Errors"},"content":{"rendered":"

 <\/p>\n

Summary<\/b>: Simplify Windows auditing and monitoring by using Windows PowerShell to parse archived event logs for errors.<\/p>\n

\"Hey,<\/p>\n

Hey, Scripting Guy! I have been using a scheduled job and a Windows PowerShell script to archive our event logs to .evt files. When I need to check something, I need to import the .evtx file in to Event Viewer so that I can search the file. This is a bit cumbersome, and I would like to find a better way to do this. What I really wish is that I could query the .evtx file in the same way that I query a live event log. I think I can use LogParser<\/b> to query the .evtx file, but I do not know what is up with that. It is more than six years old, and I hate to be dependent on something that is not in the operating system.<\/p>\n

— AH<\/p>\n

\"Hey, Hello AH, <\/p>\n

Microsoft Scripting Guy Ed Wilson here. I have written Hey, Scripting Guy! Blog posts and a TechNet Magazine<\/i> article about backing up event logs. However, until now, I have not written about parsing those event log files. By using the Get-WinEvent<\/b> cmdlet, it is as easy to parse an archived event log file as it is to parse an online log. <\/p>\n

To view the contents of an archived event log (it can be a .etl, .evt, or .evtx file), use the path<\/b> parameter to point to the archived file. This is illustrated here:<\/p>\n

\n

PS C:\\> Get-WinEvent -Path C:\\fso\\SavedAppLog.evtx<\/p>\n

TimeCreated                      ProviderName                  Id            Message<\/p>\n

———–                             ————                         –            ——-<\/p>\n

1\/15\/2011 9:09:11 AM       Outlook                            26           Connection to Microso…<\/p>\n

1\/15\/2011 9:08:54 AM       Outlook                            26           Connection to Microso…<\/p>\n

1\/15\/2011 9:05:46 AM       Office Software Prote…    1003       The Software Protecti…<\/p>\n

1\/15\/2011 9:04:51 AM       Office Software Prote…    1003        The Software Protecti…<\/p>\n

1\/15\/2011 8:37:59 AM       SceCli                                1704       Security policy in th…<\/p>\n

<Truncated Output><\/p>\n<\/blockquote>\n

If I need to filter out the content of the saved file, I will need to use the FilterHashTable<\/b> parameter. The FilterHashTable<\/b> parameter was discussed yesterday<\/a>. <\/p>\n

This can be a bit confusing. The use of the Path<\/b> and FilterHashTable<\/b> are exclusive. This is shown in the two command sets:<\/p>\n

\n

Get-WinEvent [-Path] <string[]> [-ComputerName <string>] [-Credential <PSCredential>] [-FilterX<\/p>\n

Path <string>] [-Force <switch>] [-MaxEvents <int64>] [-Oldest] [<CommonParameters>]<\/p>\n

Get-WinEvent -FilterHashTable <Hashtable[]> [-ComputerName <string>] [-Credential <PSCredential<\/p>\n

>] [-Force <switch>] [-MaxEvents <int64>] [-Oldest] [<CommonParameters>]<\/p>\n<\/blockquote>\n

When I use the FilterHashTable<\/b> parameter, I need to specify the provider, log, and other information via the hash table itself. To retrieve only Outlook event log entries from my saved application log, I specify the path to the log and the ProviderName<\/b> key values in the hash table. Because the saved log is an application event log, I do not need to specify a value for the LogName<\/b> key. The path to the saved log is the location (including the file name) of the stored log. The ProviderName<\/b> key is the source of the events. The following command lists all events from the Outlook provider on my computer. <\/p>\n

\n

PS C:\\> Get-WinEvent -FilterHashtable @{Path="C:\\fso\\SavedAppLog.evtx";ProviderName="outlook"}<\/p>\n

TimeCreated                        ProviderName                       Id           Message<\/p>\n

———–                               ————                              –           ——<\/p>\n

1\/15\/2011 9:09:11 AM         Outlook                                 26         Connection to Microso…<\/p>\n

1\/15\/2011 9:08:54 AM         Outlook                                 26         Connection to Microso…<\/p>\n

1\/15\/2011 8:28:00 AM         Outlook                                 45         Outlook loaded the fo…<\/p>\n

1\/14\/2011 11:28:43 PM       Outlook                                 45         Outlook loaded the fo…<\/p>\n

1\/14\/2011 10:49:24 PM       Outlook           &#160\n;                     54         An appointment has be…<\/p>\n

<Output Truncated><\/p>\n<\/blockquote>\n

In the event log entry shown in the following image, it quickly becomes obvious that the key values required for the FilterHashTable<\/b> <\/i>parameter and the values that show up in the graphical user interface do not match up. <\/p>\n

\"Image<\/a><\/p>\n

When working with the Get-WinEvent<\/b> Windows PowerShell cmdlet, I often find it helpful to consult the XML view of the event details. This view appears to have a bit more relevance. For example, I can tell that the Level: Information<\/b> of the event log entry (seen in the figure above) is the same as the level 4 that is displayed in the XML view shown in the following image.<\/p>\n

\"Image<\/a><\/p>\n

By consulting and matching the information, I compiled the table that follows to aid me in using the Get-WinEvent<\/b> Windows PowerShell cmdlet FilterHashTable<\/b> key values. <\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
\n

Event log viewer name<\/strong><\/p>\n<\/td>\n

\n

FilterHashTable parameter key name<\/strong><\/p>\n<\/td>\n<\/tr>\n

\n

Log Name<\/p>\n<\/td>\n

\n

LogName<\/p>\n<\/td>\n<\/tr>\n

\n

Source<\/p>\n<\/td>\n

\n

ProviderName<\/p>\n<\/td>\n<\/tr>\n

\n

Event ID<\/p>\n<\/td>\n

\n

ID<\/p>\n<\/td>\n<\/tr>\n

\n

Level<\/p>\n<\/td>\n

\n

Level<\/p>\n<\/td>\n<\/tr>\n

\n

User<\/p>\n<\/td>\n

\n

UserID<\/p>\n<\/td>\n<\/tr>\n

\n

Op Code<\/p>\n<\/td>\n

\n

*<\/p>\n<\/td>\n<\/tr>\n

\n

Logged<\/p>\n<\/td>\n

\n

*<\/p>\n<\/td>\n<\/tr>\n

\n

Task Category<\/p>\n<\/td>\n

\n

*<\/p>\n<\/td>\n<\/tr>\n

\n

Keywords<\/p>\n<\/td>\n

\n

*<\/p>\n<\/td>\n<\/tr>\n

\n

Computer<\/p>\n<\/td>\n

\n

N\/A use \u2013ComputerName<\/i> parameter<\/p>\n<\/td>\n<\/tr>\n

\n

Details<\/p>\n<\/td>\n

\n

Data<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

If I want to search for data that shows up in the Details portion of the Event properties, I must include the entire string, typed exactly as it appears. This is because the Data portion of the FilterHashTable<\/b> does not accept a wildcard character. Therefore, the command shown here will retrieve all of the Outlook events that have the message that states that \u201cConnection to Microsoft Exchange has been lost. Outlook will restore the connection when possible.\u201d<\/p>\n

\n

PS C:\\> Get-WinEvent -FilterHashtable @{Path="C:\\fso\\SavedAppLog.evtx";ProviderName="outlook";Data="<\/p>\n

Connection to Microsoft Exchange has been lost. Outlook will restore the connection when possible."}<\/p>\n

TimeCreated                         ProviderName     Id        Message<\/p>\n

———–                                ————            –        ——-<\/p>\n

1\/15\/2011 9:08:54 AM          Outlook               26      Connection to Microso…<\/p>\n

1\/7\/2011 3:46:52 PM            Outlook               26      Connection to Microso…<\/p>\n

12\/21\/2010 11:36:31 AM      Outlook               26      Connection to Microso…<\/p>\n

I can search for only event ID 26, as shown here, but the problem is that event ID 26 includes not only the connection lost but also the connection restored message detail. <\/p>\n

PS C:\\> Get-WinEvent -FilterHashtable @{Path="C:\\fso\\SavedAppLog.evtx";ProviderName="outlook";Id=26}<\/p>\n

TimeCreated                          ProviderName     Id       Mess\nage<\/p>\n

———– -                              ———–              –        ——-<\/p>\n

1\/15\/2011 9:09:11 AM           Outlook               26      Connection to Microso…<\/p>\n

1\/15\/2011 9:08:54 AM           Outlook               26      Connection to Microso…<\/p>\n

1\/7\/2011 3:48:13 PM             Outlook               26      Connection to Microso…<\/p>\n

1\/7\/2011 3:46:52 PM             Outlook               26      Connection to Microso…<\/p>\n

12\/21\/2010 11:36:39 AM       Outlook               26      Connection to Microso…<\/p>\n

12\/21\/2010 11:36:31 AM       Outlook               26      Connection to Microso…<\/p>\n

<Output Truncated><\/p>\n<\/blockquote>\n

This particular view into the event log is not too bad, because I can easily tell that my connection to the Microsoft Exchange Server lost connection on 1\/7\/2011 for a minute and 21 seconds (by subtracting the amount of time between connection lost and connection restored).<\/p>\n

If I want to determine the total number of disconnections during the course of my event log, I can pipe the results to the Measure-Object<\/b> cmdlet and divide the number by two (to account for connection lost and restored\u2014not precise, but better than typing out the entire text of the detail message).<\/p>\n

\n

PS C:\\> $count = Get-WinEvent -FilterHashtable @{Path="C:\\fso\\SavedAppLog.evtx";ProviderName="outloo<\/p>\n

k";Id=26} | Measure-object<\/p>\n

PS C:\\> $count.Count \/ 2<\/p>\n

131.5<\/p>\n

PS C:\\><\/p>\n<\/blockquote>\n

From looking at the above data, I can also surmise that one day, I lost connection and it was never restored. If I really cared, I could parse the data further to discover when that date occurred. <\/p>\n

In the ParseSavedEventLogsForErrors.ps1 script, I use the Get-ChildItem<\/b> cmdlet to retrieve all the saved event logs from a central location. I then use the Get-WinEvent<\/b> Windows PowerShell cmdlet to examine each saved log to look for errors in the log that occur between January 14, 2011, and January 15, 2011. This is an example of the type of script one might use to quickly peruse archived daily event logs. <\/p>\n

\n

ParseSavedEventLogsForErrors.ps1<\/strong><\/p>\n<\/blockquote>\n

\n

Get-ChildItem -include *.evt,*.evtx -Path c:\\fso -recurse |<\/p>\n

ForEach-Object {<\/p>\n

"Parsing $($_.fullname)`r`n"<\/p>\n

Try <\/p>\n

{ Get-WinEvent -FilterHashtable @{<\/p>\n

Path=$_.fullname<\/p>\n

Level=2;<\/p>\n

StartTime="1\/14\/2011" ;<\/p>\n

EndTime="1\/15\/2011"} -EA Stop}<\/p>\n

Catch [System.Exception] {"No errors in current log"}<\/p>\n

}<\/p>\n<\/blockquote>\n

As the script currently stands, the script does not accept input parameters<\/a> for the start time and end time or for the path to the stored logs, but that is an easy change to make. The Try\/Catch block<\/a> is required because an error is generated when an event log does not return any matching records. It is a non-terminating error, however, so I needed to specify the ErrorAction<\/b> (EA<\/b> is the parameter alias<\/a>) of stop<\/b> to cause the script to move into the catch block. <\/p>\n

When the script runs, the output that is shown in the following image appears on my computer.<\/p>\n

\"Image<\/a><\/p>\n

AH, that is all there is to using the Windows PowerShell Get-WinEvent<\/b> cmdlet to query offline event logs. Neglected Windows PowerShell Cmdlet Week will continue tomorrow. <\/p>\n

I invite you to follow me on Twitter<\/a> and Facebook<\/a>. If you have any questions, send email to me at scripter@microsoft.com<\/a>, or post them on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n

 <\/p>\n

Ed Wilson, Microsoft Scripting Guy<\/b><\/p>\n","protected":false},"excerpt":{"rendered":"

  Summary: Simplify Windows auditing and monitoring by using Windows PowerShell to parse archived event logs for errors. Hey, Scripting Guy! I have been using a scheduled job and a Windows PowerShell script to archive our event logs to .evt files. When I need to check something, I need to import the .evtx file in […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[51,3,4,45],"class_list":["post-15801","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-getting-started","tag-scripting-guy","tag-scripting-techniques","tag-windows-powershell"],"acf":[],"blog_post_summary":"

  Summary: Simplify Windows auditing and monitoring by using Windows PowerShell to parse archived event logs for errors. Hey, Scripting Guy! I have been using a scheduled job and a Windows PowerShell script to archive our event logs to .evt files. When I need to check something, I need to import the .evtx file in […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/15801","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=15801"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/15801\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=15801"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=15801"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=15801"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}