Use Get-WinEvent with XML queries and Event Viewer filters to mine the event log: examples for a specific string, a specific event ID, and a specific event log
Hopefully this post will help with a few tips to simplify monitoring for events, whether in AzMon, SCOM, or via PowerShell.
Let's start with the Dr Scripto blog post from quite a while ago (the MSFT DevBlogs link under Documentation below).
Not sure how many people use Get-WinEvent, but it is one tool in PowerShell that can help an admin parse the XML side of an event.
Example 1
Query the Application event log for a severity, an event ID, and event data containing lync.exe
# Application Hang provider, Level 2 (Error), Event ID 1002, where the event data is lync.exe
$query = @"
<QueryList>
<Query Id="0" Path="Application">
<Select Path="Application">*[System[Provider[@Name='Application Hang']
and (Level=2) and (EventID=1002)]]
and *[EventData[Data='lync.exe']]</Select>
</Query>
</QueryList>
"@
Get-WinEvent -FilterXml $query
PowerShell output (screenshot not reproduced)
The tip or trick part of this: leverage your Event Viewer filter as the query you hand to Get-WinEvent.
Credit for this tip comes from Andrew Blumhardt!
See below for examples of using Get-WinEvent with XML filters built in Event Viewer.
Navigating via Event Viewer:
Hop onto your favorite server, or connect to another server via Event Viewer
Go to the Event Log > Click Filter Current Log
Build out your filter (e.g. choose specific event sources, exclude events, include severities, set a timeframe with start/end, etc.)
Switch to the XML tab (and note you can edit your query further!)
(Screenshot: SCVMM query example on the Event Viewer XML tab)
Example 2
Copy the query from the Event Viewer XML tab into your Get-WinEvent syntax
# SCVMM 2012/2016 providers, Level 2 (Error) or 3 (Warning), Event ID 25933, as copied from the Event Viewer XML tab
$query = @"
<QueryList>
<Query Id="0" Path="Application">
<Select Path="Application">*[System[Provider[
@Name='Microsoft.SystemCenter.VirtualMachineManager.2012.Monitor.UserRoleQuotaUsageMonitor' or
@Name='Microsoft.SystemCenter.VirtualMachineManager.2012.Report.ServiceUsageCollection' or
@Name='Microsoft.SystemCenter.VirtualMachineManager.2012.Report.VMUsageCollection' or
@Name='Microsoft.SystemCenter.VirtualMachineManager.2016.EnableCredSSPClient' or
@Name='Microsoft.SystemCenter.VirtualMachineManager.2016.Monitor.UserRoleQuotaUsageMonitor' or
@Name='Microsoft.SystemCenter.VirtualMachineManager.2016.Report.ServiceUsageCollection' or
@Name='Microsoft.SystemCenter.VirtualMachineManager.2016.Report.VMUsageCollection']
and (Level=2 or Level=3) and (EventID=25933)]]</Select>
</Query>
</QueryList>
"@
Get-WinEvent -FilterXml $query
PowerShell output (screenshot not reproduced)
Example 3
Grab System Event Log, Event ID 5827 (NetLogon denied events)
# Hashtable filter: System log, Event ID 5827 (NetLogon denied a vulnerable secure channel connection)
Get-WinEvent -FilterHashtable @{LogName='System'; ID=5827}
PowerShell output (screenshot not reproduced)
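As an added example (not from the original post or Microsoft's documentation), here is a reusable function that assembles the same XML query the Event Viewer XML tab shows, runs it through Get-WinEvent -FilterXml, and splits each event's EventData into named fields so you can mine a specific string from a specific event in a specific log. The function and parameter names are my own; it assumes a Windows host with PowerShell and, for remote queries, the usual event log permissions. The query matches Data values exactly, as the lync.exe example does; looser matching is left to Where-Object on the returned objects.

```powershell
# Added example, not from the original post: build the Event Viewer-style XML query in code,
# run it with Get-WinEvent -FilterXml, and split each event's EventData into named fields.
# Assumes a Windows host with PowerShell; the function and parameter names are my own.
function Find-EventByData {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $LogName,   # 'System', 'Application', ...
        [Parameter(Mandatory)] [int]    $EventId,
        [string] $Provider,                          # optional Provider @Name, e.g. 'Application Hang'
        [string] $DataEquals,                        # optional exact EventData Data value, e.g. 'lync.exe'
        [int]    $MaxEvents = 100,
        [string] $ComputerName                       # optional remote host
    )
    # Assemble the same XPath the Event Viewer XML tab shows, one clause at a time.
    $system = "(EventID=$EventId)"
    if ($Provider)   { $system = "Provider[@Name='$Provider'] and $system" }
    $xpath = "*[System[$system]]"
    if ($DataEquals) { $xpath += " and *[EventData[Data='$DataEquals']]" }
    $query = @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">$xpath</Select>
  </Query>
</QueryList>
"@
    $params = @{ FilterXml = $query; MaxEvents = $MaxEvents; ErrorAction = 'SilentlyContinue' }
    if ($ComputerName) { $params.ComputerName = $ComputerName }
    foreach ($e in Get-WinEvent @params) {
        $xml  = [xml]$e.ToXml()
        $data = [ordered]@{}
        $i = 0
        foreach ($d in $xml.Event.EventData.Data) {
            # Unnamed <Data> (as in Application Hang 1002) arrives as a plain string; named <Data> as an XmlElement
            if ($d -is [string]) { $data["Data$i"] = $d }
            elseif ($d.Name)     { $data[$d.Name]  = $d.'#text' }
            else                 { $data["Data$i"] = $d.'#text' }
            $i++
        }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Computer    = $e.MachineName
            Id          = $e.Id
            Level       = $e.LevelDisplayName
            Data        = $data
        }
    }
}
# Example 1 and Example 3 from the post, run through the function:
Find-EventByData -LogName Application -EventId 1002 -Provider 'Application Hang' -DataEquals 'lync.exe'
Find-EventByData -LogName System -EventId 5827 | Select-Object TimeCreated, Computer, Data | Format-List
```

Because the EventData fields come back as a dictionary rather than a flat message string, the 5827 output can be grouped or exported (Group-Object, Export-Csv) on whichever field identifies the denying and denied parties in your environment.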
Documentation:
Get-WinEvent https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.1
MSFT DevBlogs https://devblogs.microsoft.com/scripting/data-mine-the-windows-event-log-by-using-powershell-and-xml/