*** UPDATE *** Added the ability to search / filter on Event Source and Event Level (any combination of Critical, Warning, Error, Information). Use a comma-separated list to filter on multiple criteria (example: -EventLevel Warning,Error and/or -EventSource disk,Outlook, ...)
Type the following to see the latest examples:
Get-Help .\Get-EventsFromEventLogs.ps1 -Examples
Type the following to see the full help:
Get-Help .\Get-EventsFromEventLogs.ps1 -Full
Hi all!
Today I'll give you a script that exports the events of your choice (you choose one or more Event IDs, or one or more Event Sources, to export) from one or multiple computers or servers. The script also flattens events whose description contains carriage returns, to ease the Excel processing: I noticed that when exporting event logs as CSV from the Windows Event Viewer, events whose descriptions had carriage returns were spread across several Excel rows.
By default, the script only outputs the events found on screen. You must specify the -ExportToFile switch to export the events found to a CSV file. This CSV file is located in the same directory as the script and is named after the first Event ID or Event Source you searched for, followed by a timestamp:
Launching:
.\Get-EventsFromEventLogs.ps1 -EventIDToCheck 916,105,13,1221 -ExportToFile
got me the file below, with the first Event ID I was looking for placed before the date:
GetEventsFromEventLogs_916_2018-04-13-09-52-08.csv
located in the same directory as my script.
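As an added example (this is not the blog's script), here are the two things the export step has to get right: flattening messages that contain carriage returns so each event stays on one CSV row, and neutralising event descriptions that Excel would otherwise evaluate as formulas (a cell starting with =, +, - or @), since event text can be influenced by whoever triggered the event. The function names and the file-name pattern are this example's own, modelled on the naming described above; the sample event object at the end is constructed so the block runs offline.

```powershell
# Added example, not the blog's script. Flattens multi-line event messages and
# writes a CSV that Excel keeps to one row per event. The helper names and the
# GetEventsFromEventLogs_<label>_<timestamp>.csv pattern are assumptions that
# mirror the naming the post describes.

function ConvertTo-SingleLine {
    param([string]$Text)
    if ([string]::IsNullOrEmpty($Text)) { return '' }
    # Replace CR, LF and tabs with one space, then collapse runs of spaces.
    ($Text -replace '[\r\n\t]+', ' ') -replace ' {2,}', ' '
}

function Protect-CsvCell {
    param([string]$Text)
    # Event descriptions carry attacker-influenced text (service names, paths,
    # user input). Excel evaluates a cell beginning with = + - @ as a formula,
    # so prefix such cells with a single quote to keep them literal text.
    if ($Text -match '^[=+\-@]') { return "'" + $Text }
    return $Text
}

function Export-EventsToCsv {
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [string]$Label = 'All',              # first Event ID or source searched for
        [string]$Directory = $PSScriptRoot   # same directory as the script
    )
    if (-not $Directory) { $Directory = (Get-Location).Path }
    $stamp = Get-Date -Format 'yyyy-MM-dd-HH-mm-ss'
    $path  = Join-Path $Directory ("GetEventsFromEventLogs_{0}_{1}.csv" -f $Label, $stamp)

    $Events |
        Select-Object MachineName, LogName, TimeCreated, LevelDisplayName, Id, ProviderName,
            @{ Name = 'Message'; Expression = { Protect-CsvCell (ConvertTo-SingleLine $_.Message) } } |
        Export-Csv -Path $path -NoTypeInformation -Encoding UTF8
    return $path
}

# Against the real Application log (30 most recent events with ID 916 or 105):
# $events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 916, 105 } -MaxEvents 30 -ErrorAction SilentlyContinue
# Export-EventsToCsv -Events $events -Label '916-105'

# Offline check with a constructed event whose Message spans three lines and
# starts with '=' (the two cases the helpers must handle).
$sample = [pscustomobject]@{
    MachineName      = 'EX01'
    LogName          = 'Application'
    TimeCreated      = Get-Date '2018-04-13 09:52:08'
    LevelDisplayName = 'Warning'
    Id               = 2142
    ProviderName     = 'MSExchangeADTopology'
    Message          = "=Line one`r`nLine two`r`n`tLine three"
}
$csv = Export-EventsToCsv -Events @($sample) -Label '2142' -Directory $env:TEMP
# Read it back: one row, one flattened message, leading quote protecting the '='.
Import-Csv $csv | Select-Object -ExpandProperty Message
```

Export-Csv already quotes every field, so commas and double quotes inside a message are safe; the two helpers handle the two cases quoting does not cover (line breaks inside a cell and formula interpretation).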
- Another example of the script's full execution:
.\Get-EventsFromEventLogs.ps1 -Computers $(Get-ExchangeServer) -EventLogName Application -EventSource "MSExchange ADAccess","MSExchangeADTopology" -NumberOfLastEventsToGet 30 -EventLevel Warning,Error -ExportToFile
Note that here I pass all my Exchange servers to the -Computers parameter by using $(Get-ExchangeServer) (use $(Get-MailboxServer) instead if you only want the Mailbox servers). For this to work, you must run the script from an Exchange Management Shell-enabled PowerShell session; otherwise, you can specify a list of computers (-Computers EX01,EX02) or get the list from a file (-Computers $(Get-Content C:\temp\MyServers.txt)).
First, the script displays the options it was given and asks me to confirm before continuing:
Then it runs and shows me what it's doing:
Note that it searches all the computers I specified and displays warnings and errors (the 30 last events for each machine, as I specified with the -NumberOfLastEventsToGet parameter) from the 2 servers I have in my environment.
Also note the summary of all the events found, printed at the end of the script.
And finally, note how quick it is to search and dump our events: about half a second!
As it finishes, it opens the file in Notepad because I specified the -ExportToFile switch when launching the script:
You can also open the file (or copy/paste the Notepad content) in Excel for filtering, analyzing, correlating, reporting, etc.
Here are the switches you can use:
-Computers <Object>
=> where <Object> default = local computer. You can specify a list of computers as strings separated by commas, like -Computers "Server1","Server2","Server3", get the computers from a file like -Computers $(Get-Content C:\temp\myservers.txt), or pass a variable that contains a list of Exchange servers, etc.
I tried the below on my Exchange 2013 environment:
.\Get-EventsFromEventLogs.ps1 -Computers $(Get-MailboxServer) -EventIDToCheck 2142 -EventLogName Application -ExportToFile
And it got me the last 30 events (the default for -NumberOfLastEventsToGet) with Event ID 2142 from all the Exchange Mailbox servers of my environment!
-EventLogName <Object>
=> where <Object> default = Application and System logs. You can specify the Application log only (-EventLogName Application) or several event logs separated by commas (-EventLogName Application,System,Security). Note that reading the Security log, locally or remotely, requires administrative rights or membership in the Event Log Readers group on the target computer.
There is a defined set of Event Log Names that you can use: you can cycle through the valid values for this parameter by hitting <TAB> after you type the -EventLogName parameter, and even hitting <TAB> for the following values will cycle through each possible Event Log Name. I love that PowerShell parameter validation functionality! <3
-EventID <Object>
=> where <Object> default = "All". If you don't specify it, the script searches for all Event IDs; otherwise enter the Event IDs to search for, separated by commas (like -EventID 1220,2020,605).
-EventSource <Object>
=> where <Object> default = "All". If you don't specify this parameter, the script searches all Event Sources. You can also specify a source name like -EventSource Outlook (no need for the quotes) or several source names like -EventSource Outlook,Disk ...
-EventLevel <Object>
=> where <Object> default = "All". If you don't specify this parameter, the script searches all levels (Information, Warning, Error, Critical, ...).
You can specify one event level like -EventLevel Error or several levels like -EventLevel Warning,Error ...
There is a defined set of event levels you can use; you can cycle through the valid values for this parameter by hitting <TAB> after you type the -EventLevel parameter.
Possible values are: "None","Information","Warning","Error","Critical","Verbose"...
-NumberOfLastEventsToGet <Int32>
=> where <Int32> default = 30. The script dumps the 30 most recent matching events, or fewer if the event log holds fewer.
-ExportToFile
=> if you don't specify -ExportToFile, the script just dumps the events to the screen. If you specify it, it dumps the events into a CSV file for easy parsing in Excel!
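To show how the switches above map onto Get-WinEvent, and how the multi-computer run shown earlier with $(Get-ExchangeServer) can be driven, here is an added example. It is not the blog's script; the function name and its parameters are this example's own, named after the switches described above so the correspondence is easy to follow. It converts the friendly level names into the numeric Level values Get-WinEvent expects, only adds filter keys that were actually given, and moves on to the next computer when one is unreachable or returns no events.

```powershell
# Added example, not the blog's script. Get-EventsFromComputers and its
# parameters are this example's own names, mirroring the switches above.
function Get-EventsFromComputers {
    [CmdletBinding()]
    param(
        [object[]]$Computers = @($env:COMPUTERNAME),     # strings or server objects with a Name property
        [string[]]$EventLogName = @('Application', 'System'),
        [int[]]$EventID,
        [string[]]$EventSource,
        [ValidateSet('None', 'Critical', 'Error', 'Warning', 'Information', 'Verbose')]
        [string[]]$EventLevel,
        [int]$NumberOfLastEventsToGet = 30,
        [pscredential]$Credential                        # for remote hosts outside your logon context
    )

    # Get-WinEvent filters on the numeric Level: 0 LogAlways ("None"), 1 Critical,
    # 2 Error, 3 Warning, 4 Informational, 5 Verbose. Hashtable keys are
    # case-insensitive, so "warning" and "Warning" both resolve.
    $levelMap = @{ None = 0; Critical = 1; Error = 2; Warning = 3; Information = 4; Verbose = 5 }

    # Only keys that were given go into the filter; Get-WinEvent rejects $null values.
    $filter = @{ LogName = $EventLogName }
    if ($EventID)     { $filter['Id']           = $EventID }
    if ($EventSource) { $filter['ProviderName'] = $EventSource }
    if ($EventLevel)  { $filter['Level']        = @($EventLevel | ForEach-Object { $levelMap[$_] }) }

    $results = foreach ($computer in $Computers) {
        # Exchange cmdlets (Get-ExchangeServer, Get-MailboxServer) return objects;
        # use their Name property, and pass plain strings through unchanged.
        $name = if ($computer -is [string]) { $computer } else { $computer.Name }

        $params = @{
            ComputerName    = $name
            FilterHashtable = $filter
            MaxEvents       = $NumberOfLastEventsToGet   # newest events first, like the script
            ErrorAction     = 'Stop'
        }
        if ($Credential) { $params['Credential'] = $Credential }

        try {
            Get-WinEvent @params
        }
        catch {
            # With -ErrorAction Stop, "No events were found" is a terminating error, and so
            # are RPC failures: host down, the "Remote Event Log Management" firewall rule
            # not enabled, or missing rights (e.g. Security log without Event Log Readers).
            Write-Warning ("{0}: {1}" -f $name, $_.Exception.Message)
        }
    }

    # Summary of what was found, per machine and Event ID, as the post's script prints at the end.
    $results | Group-Object MachineName, Id | Sort-Object Count -Descending |
        ForEach-Object { Write-Host ("{0,5} event(s)  {1}" -f $_.Count, $_.Name) }

    return $results
}

# Calls mirroring the post's command lines (remote ones need the target reachable over RPC):
# Get-EventsFromComputers -EventID 916,105 -NumberOfLastEventsToGet 10
# Get-EventsFromComputers -Computers (Get-ExchangeServer) -EventLogName Application `
#     -EventSource 'MSExchange ADAccess','MSExchangeADTopology' -EventLevel Warning,Error
# Get-EventsFromComputers -Computers (Get-Content C:\temp\MyServers.txt) -EventSource disk `
#     -EventLevel Critical,Warning,Error -NumberOfLastEventsToGet 1000
```

Returning the EventLogRecord objects rather than formatted text is what lets the caller pipe them to an export step or to Group-Object for further correlation; only the summary is written with Write-Host.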
To check the full help of the script, type
get-help .\Get-EventsFromEventLogs.ps1 -Full
To check the examples only type:
get-help .\Get-EventsFromEventLogs.ps1 -Examples
Here is the dump of the Examples:
NAME
    .\Get-EventsFromEventLogs.ps1

SYNOPSIS
    Searches and gets specific events from any computer, local or remote, or from a computer list.

    -------------------------- EXAMPLE 1 --------------------------

    PS C:\>.\Get-EventsFromEventLogs.ps1

    Launching the script without options will:
    - Ask you which event(s) you wish to search for (separated by commas if you want multiple Event IDs to search)
    - Search the local computer
    - Search the Application and System logs
    - Get 30 events of the type specified

    -------------------------- EXAMPLE 2 --------------------------

    PS C:\>.\Get-EventsFromEventLogs.ps1 -NumberOfLastEventsToGet 10 -EventID 916,105 -ExportToFile

    - Search for the 10 last events (-NumberOfLastEventsToGet 10)
    - Search for Event IDs 916 and 105 (-EventID 916,105)
    - As no Event Log name (Application, System, Security, etc.) was specified, the script will look inside the Application AND System logs by default.
    The exported file will be named GetEventsFromEventLogs_916-105_2018-04-13-10-01-55.csv, as I ran the script on 13th April 2018 at 10:01:55 in the morning.

    -------------------------- EXAMPLE 3 --------------------------

    PS C:\>.\Get-EventsFromEventLogs.ps1 -NumberOfLastEventsToGet 30 -EventID 26 -EventLogName Application

    - Search for the last 30 events (-NumberOfLastEventsToGet 30)
    - Search for Event ID 26 only
    - Search in the Application log only
    - We don't output any file, just print the results on the screen

    -------------------------- EXAMPLE 4 --------------------------

    PS C:\>.\Get-EventsFromEventLogs.ps1 -EventSource "Outlook"

    - Search all events generated by the "Outlook" application (all Event IDs, all levels (Info, Warning, etc.))
    - Search in Application and System (because I didn't specify which event log)
    - Search the last 30 events of source "Outlook" - if there are fewer, it will just print fewer
    - We don't output any file because I didn't specify the -ExportToFile parameter

    MachineName LogName     TimeCreated           LevelDisplayName Id Message
    ----------- -------     -----------           ---------------- -- -------
    12345678901 Application 4/13/2018 11:57:06 AM Information      63 The Exchange web service request GetAppManifests succeeded.
    12345678901 Application 4/13/2018 7:57:00 AM  Information      63 The Exchange web service request GetAppManifests succeeded.
    12345678901 Application 4/13/2018 7:56:59 AM  Information      63 Outlook detected a change notification for your apps and will ...
    12345678901 Application 4/13/2018 7:56:55 AM  Information      45 Outlook loaded the following add-in(s): ...

    -------------------------- EXAMPLE 5 --------------------------

    PS C:\>.\Get-EventsFromEventLogs.ps1 -EventSource "disk","Outlook" -EventLevel Warning -NumberOfLastEventsToGet 1000

    - Search all events whose source is "disk" or "Outlook"
    - Search only "Warning" events of the above sources
    - All Event IDs of these (because I didn't specify any ID to filter on)
    - Get the 1000 last events matching the above criteria
    - -ExportToFile was not specified, so the script just displays to screen

    -------------------------- EXAMPLE 6 --------------------------

    PS C:\>.\Get-EventsFromEventLogs.ps1 -EventSource "disk" -NumberOfLastEventsToGet 1000 -EventLevel Critical,Warning,Error -ExportToFile

    - Search all events about the "disk"
    - Search only Critical, Warning and Error events
    - Search the 1000 last events matching the above criteria
    - Export into a file (like GetEventsFromEventLogs_None_2018-04-14-04-34-27.csv)
Try it and let me know your thoughts !