17

I'm trying to quickly show all events from the last ~day in window's event log which contain a certain string in power shell.

I've found powershell commands for listing events, but I basically want to "GREP" them for specific text.

I need to use powershell because the target is Windows Server 2016 Hyper-V but I think it would also be quite useful to be able to quickly search recent events on any machine with powershell.

To show available logs, I run:

PS C:\Users\Administrator> Get-EventLog -List

 Max(K) Retain OverflowAction Entries Log ------ ------ -------------- ------- --- 20,480 0 OverwriteAsNeeded 1,113 Application 20,480 0 OverwriteAsNeeded 0 HardwareEvents 512 7 OverwriteOlder 0 Internet Explorer 20,480 0 OverwriteAsNeeded 0 Key Management Service 512 7 OverwriteOlder 1,539 Microsoft-ServerManagementExperience 20,480 0 OverwriteAsNeeded 28,667 Security 20,480 0 OverwriteAsNeeded 4,857 System 15,360 0 OverwriteAsNeeded 3,654 Windows PowerShell

In this example, my target Log is called Application

I can print the last 24 hours of log to console with:

Get-EventLog -LogName system -after (Get-Date).AddDays(-1)

I tried filtering the output using Select-String but that never matched any lines.

Improve this question

3 Answers 3

Reset to default
11

Here's what I ended up doing. It searches the value of several event properties for the text and shows them on the console:

$search = "hyper" Get-EventLog -LogName system -after (Get-Date).AddDays(-1) | Where-Object { $_.Category.ToLower().Contains($search.ToLower()) -or $_.Message.ToLower().Contains($search.ToLower()) -or $_.Source.ToLower().Contains($search.ToLower())} | Format-Table -AutoSize -Wrap

Example Output:

 Index Time EntryType Source InstanceID Message ----- ---- --------- ------ ---------- ------- 4751 Aug 10 09:13 Information Microsoft-Windows... 23 NIC /DEVICE/{FD82EC81-DC0D-4655-B606-0AA9AF08E6CC} (Friendly Name: Microsoft Hyper-V Network Adapter) is now operational. 4750 Aug 10 09:13 Information Microsoft-Windows... 11 The description for Event ID '11' in Source 'Microsoft-Windows-Hyper-V-Netvsc' cannot be found. The local computer may not have the necessary registr... 4749 Aug 10 09:13 Information Microsoft-Windows... 24 NIC /DEVICE/{FD82EC81-DC0D-4655-B606-0AA9AF08E6CC} (Friendly Name: Microsoft Hyper-V Network Adapter) is no longer operational.

I'm new to powershell so it might not be the best way but it works. I hope it will save someone else some time.

Improve this answer
4

This would search all logs for a certain string in a certain time period. It can't be done in event viewer. Some logs require admin access.

Get-WinEvent -ListLog * | foreach { get-winevent @{logname=$_.logname; starttime='2:45 pm' } -ea 0 } | where message -match 'whatever'

You can't pipe every logname directly to get-winevent. There's is a 256 logname limit in the windows api. This probably explains the limitation in the Event Viewer for creating a view with every log as well.

get-winevent -ListLog * | get-winevent # powershell 7 Get-WinEvent: Log count (445) is exceeded Windows Event Log API limit (256). Adjust filter to return less log names.

Search all logs in parallel for a string in powershell 7 in a matter of seconds:

get-winevent -listlog * | % -parallel { get-winevent @{ logname = $_.logname } -ea 0 } | ? message -match cpu
Improve this answer
2

Glad you got this working for you.

Point of note. You could have taken this approach as well, to simplify it a bit...

This approach will search all properties passed in for the string value and return the matches, without having to deal with case or specifying the search string per property, individually.

$Search = 'hyper' (Get-EventLog -LogName system -after (Get-Date).AddDays(-1) | Select-Object -Property Category,Index,TimeGenerated, EntryType,Source,InstanceID,Message) -match $Search | Format-Table -AutoSize Category Index TimeGenerated EntryType Source InstanceId Message -------- ----- ------------- --------- ------ ---------- ------- (0) 19637 10-Aug-18 17:06:16 Information Microsoft-Windows-Hyper-V-VmSwitch 233 The operation '8' ... (0) 19636 10-Aug-18 17:06:16 Information Microsoft-Windows-Hyper-V-VmSwitch 234 NIC D6727298-4E... (0) 19635 10-Aug-18 17:05:39 Information Microsoft-Windows-Hyper-V-VmSwitch 233 The operation ... (0) 19634 10-Aug-18 17:05:39 Information Microsoft-Windows-Hyper-V-VmSwitch 234 NIC 75A04E6E-1... (1019) 19621 10-Aug-18 12:33:17 Information Microsoft-Windows-Hyper-V-VmSwitch
Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.