I took the Get-WinEvent cmdlet and wrapped some logic around it to help out people where I work when they would like to search through event logs on a particular computer or computers. $aryDCs is an array of the domain controllers here at work.
function Search-EventLogs {
    param ($usrName,
           $logType,
           $pcName,
           $logDepth,
           $eventID
    )
    # Any parameter that was not supplied is prompted for interactively.
    if ($usrName -eq $null) {$usrName = Read-Host "User name?"}
    if ($logType -eq $null) {
        Write-Host "------------------" -fore Gray
        Write-Host "Choose a log type:" -fore Red
        Write-Host "------------------" -fore Gray
        Write-Host "1. System"
        Write-Host "2. Application"
        Write-Host "3. Security"
        $logType = Read-Host "#?"
        Switch ($logType) {
            "1" { $logType = "System" }
            "2" { $logType = "Application" }
            "3" { $logType = "Security" }
        }
    }
    # $aryDCs (list of domain controllers) comes from the enclosing script scope.
    if ($pcName -eq $null) {$pcName = $aryDCs}
    if ($eventID -eq $null) {$eventID = Read-Host "Event ID?"}
    if ($logDepth -eq $null){$logDepth = Read-Host "How many logs to search through max?"}
    if ($pcName.Count -gt 1) {
        foreach ($pc in $pcName) {
            Write-Host "-----------" -ForegroundColor gray
            Write-Host $pc -ForegroundColor Red
            Write-Host "-----------" -ForegroundColor gray
            # $identity (admin credential) also comes from the enclosing script scope.
            $logs = Get-WinEvent -LogName $logType -ComputerName $pc -Credential $identity -MaxEvents $logDepth
            foreach ($l in $logs) {
                #($l.Message -like "*$usrName*") -and
                if (($l.message -like "*$usrName*") -or ($l.ID -eq $eventID)) {
                    Write-Host "-------------------------" -fore Gray
                    Write-Host "Event ID:" $l.ID -fore Red
                    Write-Host "-------------------------" -fore Gray
                    Write-Host "Message:" -fore Red
                    Write-Host "-------------------------------------------" -fore Gray
                    $l.message
                    Write-Host "-------------------------------------------" -fore Gray
                }
            }
        }
    } else {
        $logs = Get-WinEvent -LogName $logType -ComputerName $pcName -Credential $identity -MaxEvents $logDepth
        foreach ($l in $logs) {
            #($l.Message -like "*$usrName*") -and
            # The record property is Id (there is no eventID property), same test as the multi-computer branch.
            if (($l.message -like "*$usrName*") -or ($l.ID -eq $eventID)) {
                Write-Host "-------------------------" -fore Gray
                Write-Host "Event ID:" $l.ID -fore Red
                Write-Host "-------------------------" -fore Gray
                Write-Host "Message:" -fore Red
                Write-Host "-------------------------------------------" -fore Gray
                $l.message
                Write-Host "-------------------------------------------" -fore Gray
            }
        }
    }
}
The $identity variable stores the user's admin account credentials, which is what I typically pass to any cmdlet that accepts -Credential. This Search-EventLogs function lets you specify all, some or none of the parameters. If you do not specify one, it simply asks you for the information. That way it can be used easily by an end user from the console, or streamlined for another script or cmdlet to call it.
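As an added example (not the author's code), here is the same search written so that the log name and event ID are filtered on the remote host with -FilterHashtable rather than pulling $logDepth records across the network and testing each one locally; only the user-name match on the message text still happens client-side, and results come back as objects instead of Write-Host output. It assumes the function name Search-EventLogs2 and a PSCredential passed in explicitly, and it requires both the user name and the event ID to match (the -and the commented-out line in the original hints at).

```powershell
function Search-EventLogs2 {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)][string]$UserName,
        [ValidateSet('System', 'Application', 'Security')][string]$LogType = 'Security',
        [string[]]$ComputerName = $env:COMPUTERNAME,   # assumption: default to the local host
        [int]$MaxEvents = 1000,
        [int[]]$EventId,
        [System.Management.Automation.PSCredential]$Credential
    )
    # LogName and Id are FilterHashtable keys, so the event log service on the
    # remote host applies them before any record is returned; Message is not a
    # key, so the user-name test is done here after the filtered records arrive.
    $filter = @{ LogName = $LogType }
    if ($EventId) { $filter['Id'] = $EventId }

    foreach ($pc in $ComputerName) {
        $params = @{
            FilterHashtable = $filter
            ComputerName    = $pc
            MaxEvents       = $MaxEvents
            ErrorAction     = 'Stop'   # turn "no events found" / access denied into a catchable error
        }
        if ($Credential) { $params['Credential'] = $Credential }
        try {
            Get-WinEvent @params |
                Where-Object { $_.Message -like "*$UserName*" } |
                ForEach-Object {
                    [pscustomobject]@{
                        Computer    = $pc
                        TimeCreated = $_.TimeCreated
                        Id          = $_.Id
                        Message     = $_.Message
                    }
                }
        } catch {
            # One unreachable or empty host should not abort the search of the rest.
            Write-Warning "${pc}: $($_.Exception.Message)"
        }
    }
}

# Usage (constructed): failed logons for one account across the domain controllers.
# $cred = Get-Credential
# Search-EventLogs2 -UserName 'jdoe' -EventId 4625 -ComputerName $aryDCs -Credential $cred |
#     Format-Table Computer, TimeCreated, Id -AutoSize
```

Because the function emits objects, the caller can pipe the hits to Export-Csv or Where-Object instead of reading a wall of colored text.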