Use Get-WinEvent to use XML and filters from event viewer, to mine an event, including examples for a specific string, from a specific event, in a specific event log?
Hopefully this post will help with a few tips to simplify monitoring for events, whether in AzMon, SCOM, or via PowerShell.
Let’s start with the Dr Scripto blog post from quite a while ago –
Not sure how many people use get-WinEvent, but this is one tool in PowerShell that can help an admin parse the XML side of an event.
Example 1
Query Application Event Log for Severity, Event, and Event Data contains lync.exe
$query = @”
<QueryList>
<Query Id=”0″ Path=”Application”>
<Select Path=”Application”>*[System[Provider[@Name=’Application Hang’]
and (Level=2) and (EventID=1002)]]
and *[EventData[Data=’lync.exe’]]</Select>
</Query>
</QueryList>
“@
Get-WinEvent -FilterXml $query
PowerShell output
Use Get-WinEvent to use XML and filters from event viewer
The Tip or Trick part of this – leverage your Event Viewer Filter as a query to use with get-WinEvent
Credit for this tip comes from Andrew Blumhardt!
See below for examples to ‘use Get-WinEvent to use XML and filters from event viewer’
Navigating via Event Viewer:
Hop onto your favorite server, or connect to another server via Event Viewer
Go to the Event Log > Click Filter Current Log
Build out your filter (i.e. choose specific Event Sources, exclude events, include severities, timeframe (start/end), etc.)
Switch to the XML tab (and note you can edit your query further!)
You can copy the query from the Event Viewer into your Get-WinEvent syntax
$query = @”
<QueryList>
<Query Id=”0″ Path=”Application”>
<Select Path=”Application”>*[System[Provider[@Name=’Microsoft.SystemCenter.VirtualMachineManager.2012.Monitor.UserRoleQuotaUsageMonitor’ or @Name=’Microsoft.SystemCenter.VirtualMachineManager.2012.Report.ServiceUsageCollection’ or @Name=’Microsoft.SystemCenter.VirtualMachineManager.2012.Report.VMUsageCollection’ or @Name=’Microsoft.SystemCenter.VirtualMachineManager.2016.EnableCredSSPClient’ or @Name=’Microsoft.SystemCenter.VirtualMachineManager.2016.Monitor.UserRoleQuotaUsageMonitor’ or @Name=’Microsoft.SystemCenter.VirtualMachineManager.2016.Report.ServiceUsageCollection’ or @Name=’Microsoft.SystemCenter.VirtualMachineManager.2016.Report.VMUsageCollection’] and (Level=2 or Level=3) and (EventID=25933)]]</Select>
</Query>
</QueryList>
“@
Get-WinEvent -FilterXml $query
PowerShell output
Example 3
Grab System Event Log, Event ID 5827 (NetLogon denied events)
get-WinEvent -FilterHashtable @{LogName=’System’; ID=’5827′;}
PowerShell output
Documentation:
Get-WinEvent https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.1
MSFT DevBlogs https://devblogs.microsoft.com/scripting/data-mine-the-windows-event-log-by-using-powershell-and-xml/