Forum Discussion
Jul 03, 2023
Blog post: Search Windows Event Logs
Wrote a blog post about searching Windows Event logs using filters and output to grid view or csv. Check it out here to see more information https://powershellisfun.com/2023/07/03/searching-windows-event-logs-using-powershell/
The script itself:
#-Requires RunAsAdministrator
function Search-Eventlog {
[CmdletBinding(DefaultParameterSetName = 'All')]
param (
[Parameter(Mandatory = $false, HelpMessage = "Name of remote computer")][string]$ComputerName = $env:COMPUTERNAME,
[Parameter(Mandatory = $false, HelpMessage = "Number of hours to search back for")][double]$Hours = 1 ,
[Parameter(Mandatory = $false, HelpMessage = "EventID number")][int[]]$EventID,
[Parameter(Mandatory = $false, HelpMessage = "The name of the eventlog to search in")][string[]]$EventLogName,
[Parameter(Mandatory = $false, HelpMessage = "Output results in a gridview", parameterSetName = "GridView")][switch]$Gridview,
[Parameter(Mandatory = $false, HelpMessage = "String to search for")][string]$Filter,
[Parameter(Mandatory = $false, HelpMessage = "Output path, e.g. c:\data\events.csv", parameterSetName = "CSV")][string]$OutCSV
)
#Convert $Hours to equivalent date value
[DateTime]$hours = (Get-Date).AddHours(-$hours)
#Set EventLogName if available
if ($EventLogName) {
try {
$EventLogNames = Get-WinEvent -ListLog $EventLogName -ErrorAction Stop
Write-Host ("Specified EventLog name {0} is valid on {1}, continuing..." -f $($EventLogName), $ComputerName) -ForegroundColor Green
}
catch {
Write-Warning ("Specified EventLog name {0} is not valid or can't access {1}, exiting..." -f $($EventLogName), $ComputerName)
return
}
}
#Create array of logs for Eventlogname if not specified
if (-not $EventLogName) {
try {
$EventLogNames = Get-WinEvent -ListLog * -ComputerName $ComputerName
}
catch {
Write-Warning ("Can't retrieve Eventlogs on {0}, exiting..." -f $ComputerName)
return
}
}
#Retrieve events
$lognumber = 1
$total = foreach ($log in $EventLogNames) {
$foundevents = 0
Write-Host ("[Eventlog {0}/{1}] - Retrieving events from the {2} Event log on {3}..." -f $lognumber, $EventLogNames.count, $log.LogName, $ComputerName) -ForegroundColor Green
try {
#Specify different type of filters
$FilterHashtable = @{
LogName = $log.LogName
StartTime = $hours
}
if ($EventID) {
$FilterHashtable.Add('ID', $EventID)
}
#Retrieve events
$events = Get-WinEvent -FilterHashtable $FilterHashtable -ErrorAction Stop
#Loop through events
foreach ($event in $events) {
if (-not $Filter -or $event.Message -match $Filter) {
[PSCustomObject]@{
Time = $event.TimeCreated.ToString('dd-MM-yyy HH:mm')
Computer = $ComputerName
LogName = $event.LogName
ProviderName = $event.ProviderName
Level = $event.LevelDisplayName
User = if ($event.UserId) {
"$($event.UserId)"
}
else {
"N/A"
}
EventID = $event.ID
Message = $event.Message
}
$foundevents++
}
}
Write-Host ("{0} events found in the {1} Event log on {2}" -f $foundevents, $log.LogName, $ComputerName) -ForegroundColor Green
$lognumber++
}
catch {
Write-Host ("No events found in {0} within the specified time-frame (After {1}), EventID or Filter on {2}, skipping..." -f $log.LogName, $Hours, $ComputerName)
}
}
#Output results to GridView
if ($Gridview -and $total) {
return $total | Sort-Object Time, LogName | Out-GridView -Title 'Retrieved events...'
}
#Output results to specified file location
if ($OutCSV -and $total) {
try {
$total | Sort-Object Time, LogName |
export-csv -NoTypeInformation -Delimiter ';' -Encoding UTF8 -Path $OutCSV -ErrorAction Stop
Write-Host ("Exported results to {0}" -f $OutCSV) -ForegroundColor Green
}
catch {
Write-Warning ("Error saving results to {0}, check path or permissions. Exiting...")
return
}
}
#Output to screen is Gridview or Output were not specified
if (-not $OutCSV -and -not $Gridview -and $total) {
return $total | Sort-Object Time, LogName
}
#Return warning if no results were found
if (-not $total) {
Write-Warning ("No results were found on {0}..." -f $ComputerName)
}
}
No RepliesBe the first to reply