CTP3 – Get-EventLog
No doubt there will be a mass of posts on the new features in CTP3 over the next weeks and months. What I want to do is concentrate on the features that are of most benefit to administrators, starting with the functionality for working with event logs. I have blogged a number of times about writing scripts to go beyond the Get-EventLog of PowerShell version 1; most of that functionality is now available as cmdlets. We now have a number of cmdlets for working with event logs:
We’ll start by looking at what is new in get-eventlog and then look at the others. Get-Eventlog brings a bunch of new parameters:
Parameters marked * are present in PowerShell v1
Note: I have deliberately left off the common parameters (-Verbose, -ErrorAction and so on).
One of the most obvious additions is the -ComputerName parameter: we can now work with logs on remote computers. We don't need PowerShell remoting enabled for this, because the cmdlet talks to the remote machine's event log service over RPC rather than over WinRM. It does so under the current user's credentials (there is no -Credential parameter), so the account running the script needs read access to the remote log and the RPC ports must be reachable.
Get-EventLog -List -ComputerName pcrs2
-After and -Before let us view the entries between two time bounds:
$d1 = (Get-Date).AddDays(-5)
$d2 = (Get-Date).AddDays(-2)
Get-EventLog -LogName system -After $d1 -Before $d2
-Index lets us access a particular entry by its position in the log. -InstanceId lets us pick out a particular type of entry; note that InstanceId is not necessarily the same as EventID. InstanceId is the full message identifier written by the source, including the severity flags in its top bits, and EventID is that value with the flag bits masked off, so the two often differ for system and application sources.
-EntryType lets us select by the type of entry, for example:
Get-EventLog -LogName system -EntryType Error
With the -Source parameter we can filter on the source that wrote the entry, and -Message lets us select on the message text (wildcards are accepted).
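The following is an added example, not code from the original post: it combines -Source, -EntryType, -After and -Message in a single Get-EventLog call and then shows the relationship between InstanceId and EventID on the returned entries. It assumes a local System log containing entries from the "Service Control Manager" source; the mask used for EventID is the one documented for the .NET EventLogEntry class (InstanceId with the top two bits cleared).

```powershell
# Added example (not from the original post). Assumes the local System log has
# recent entries from the "Service Control Manager" source.

$since = (Get-Date).AddDays(-7)

# One pass: Error and Warning entries from one source, inside a time window,
# whose message matches a wildcard pattern. No Where-Object needed.
$events = Get-EventLog -LogName System -Source "Service Control Manager" `
                       -EntryType Error, Warning -After $since -Message "*service*"

# EventID is InstanceId with the top two (severity) bits masked off, which is
# why the two columns differ for many sources. Recompute it to make that visible.
$events |
    Select-Object TimeGenerated, EntryType, EventID, InstanceId,
        @{Name = "MaskedInstanceId"; Expression = { $_.InstanceId -band 0x3FFFFFFF }} |
    Format-Table -AutoSize

# -InstanceId filters on the full value, not on EventID, so record the mapping
# for each EventID seen; the InstanceId is the number to reuse in a later
# "Get-EventLog -LogName System -InstanceId <n>" query.
$events | Group-Object EventID | ForEach-Object {
    $full = ($_.Group | Select-Object -First 1).InstanceId
    "EventID {0} -> InstanceId {1}" -f $_.Name, $full
}
```

Run it in a PowerShell v2 (CTP3 or later) session; if the source has written nothing in the last week, widen the -After window.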
These new parameters let us interrogate the event logs in a much simpler manner. All of this could be done in V1, but only by piping into Where-Object to perform the filtering; now the cmdlet does it in one pass. Add the ability to read logs on remote computers and we can start to correlate the data across our server logs; for instance, we can easily check the logs on a number of domain controllers for logons in a given time frame.
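The domain controller check described above, written out as an added example (not code from the original post). It assumes hypothetical DC names dc01 to dc03, that the DCs run Windows Server 2008 or later (where a successful logon is Security event 4624; Server 2003 DCs log 528/540 instead), and that the account running it can read each DC's Security log, since Get-EventLog has no -Credential parameter and uses the current user's credentials. The ReplacementStrings indexes used for the target account, domain and logon type are those of the 4624 event.

```powershell
# Added example (not from the original post). DC names are placeholders.
$dcs     = "dc01", "dc02", "dc03"
$start   = (Get-Date).AddHours(-24)
$end     = Get-Date
$logonId = 4624      # successful logon on Vista/2008 and later; 528/540 on 2003

$logons = foreach ($dc in $dcs) {
    try {
        # One call per DC: log, time window, audit type and event selected by
        # the cmdlet itself rather than by a trailing Where-Object.
        Get-EventLog -LogName Security -ComputerName $dc `
                     -After $start -Before $end `
                     -EntryType SuccessAudit -InstanceId $logonId -ErrorAction Stop |
            ForEach-Object {
                # ReplacementStrings are the raw insertion strings of the event.
                # For 4624: [5] TargetUserName, [6] TargetDomainName, [8] LogonType.
                New-Object PSObject -Property @{
                    Computer  = $dc
                    Time      = $_.TimeGenerated
                    Account   = $_.ReplacementStrings[5]
                    Domain    = $_.ReplacementStrings[6]
                    LogonType = $_.ReplacementStrings[8]
                }
            }
    }
    catch {
        # Unreachable DC or no read access to its Security log: report and move on.
        Write-Warning ("{0}: {1}" -f $dc, $_.Exception.Message)
    }
}

# Summarise which accounts logged on to which DC, most frequent first.
$logons |
    Group-Object Computer, Domain, Account |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Interactive (2) and remote interactive (10) logons to a DC deserve a closer look.
$logons | Where-Object { $_.LogonType -eq "2" -or $_.LogonType -eq "10" } |
    Sort-Object Time | Format-Table Time, Computer, Domain, Account, LogonType -AutoSize
```

The Security log on a busy DC is large, and Get-EventLog walks it from the newest entry backwards, so keep the -After/-Before window as narrow as the question allows.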