How can I search across ALL event logs?

    by willsteele at 2012-09-10 08:10:20

    Ok, the presumption of the question is that it can be done. But, is there a way to look at all event logs on a 2008 R2 server? I have a specific window of time in which an event occurred. What I need to do is see if I can cross-reference something in the logs with the time stamp. One way I can think of doing it would be to iterate through a list of all event logs, but, I wanted to see if there was another way to do it first.

    by DonJ at 2012-09-10 08:37:14

    Well, it can be done – but one at a time. There's no "give me every log event you have globally" API. So you'll have to iterate. It'll be ugly.

    by willsteele at 2012-09-10 08:44:48

    Yeah, that's kind of what I thought. Would be nice if there was an XPath way I could do it. Hmmm. First I need to get my server guy to install .NET 3.5 so I can use the cmdlets. Shaking my head.....

    by coderaven at 2012-09-10 10:20:01

    The only way I can see you doing it without doing every log file one at a time with Get-WinEvent is to use Get-WMIObject -Class Win32_NTLogEvent. It will pull every event, but it can take a while. I suggest you use the -Query switch and filter for exactly what you are looking for instead of getting all objects and then filtering.

    by surveyor at 2012-09-10 10:53:56

    This little snippet searches all event logs for messages with 'error' in the text.
    Get-WmiObject -Query "select LogFile,Message from Win32_NTLogEvent where Message like '%error%'" | Group-Object -Property LogFile

    by willsteele at 2012-09-10 11:41:21

    WMI gave me a new error I've never seen. Makes sense. Just funny to hear the ship let out a big creak in a new way.

    $events = Get-WmiObject -Class win32_ntlogevent | Where {($_.TimeGenerated -gt '201209081700.000000-000') -and ($_.TimeGenerated -lt '201209081800.000000-000')}

    Get-WmiObject : Quota violation
    At line:1 char:24
    + $events = Get-WmiObject <<<< -Class win32_ntlogevent | Where {($_.TimeGenerated -gt '201209081700.000000-000') -and ($_.TimeGenerated -lt '201209081800.000000-000')}
    + CategoryInfo : InvalidOperation: (:) [Get-WmiObject], ManagementException
    + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand

    An associated link for any WMI folks out there in case you ever face something like this. Pretty useful one: http://blogs.technet.com/b/askperf/archive/2008/09/16/memory-and-handle-quotas-in-the-wmi-provider-service.aspx

    by coderaven at 2012-09-10 14:09:45

    The sheer number of records coming from Win32_NTLogEvent means you would need to filter with -Query instead.

    $events = Get-WMIObject -Query "SELECT * From Win32_NTLogEvent Where TimeGenerated >= `'20120908 17:00`' and TimeGenerated < `'20120908 18:00`'"
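    The two approaches discussed in the thread, as an added example that is not from any of the posters: iterating every log the Event Log service knows about with Get-WinEvent (time filter evaluated by the service), and the WMI route with the time window filtered inside the WQL query rather than in Where-Object, which is what triggered the quota violation above. The function names, the .NET 3.5 / PowerShell 2.0 environment, and the sample window are assumptions.

```powershell
# Added example, not from the original thread. Assumes PowerShell 2.0+ with the
# Get-WinEvent cmdlets available (.NET 3.5 installed).

function Search-AllEventLogs {
    param(
        [Parameter(Mandatory=$true)][datetime]$Start,
        [Parameter(Mandatory=$true)][datetime]$End,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # No single "all logs" API exists, so enumerate every log (including the
    # Applications and Services logs that Win32_NTLogEvent never sees), skip
    # empty or inaccessible ones, and let the Event Log service apply the time
    # filter per log instead of pulling every record into PowerShell.
    Get-WinEvent -ListLog * -ComputerName $ComputerName -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordCount -gt 0 } |
        ForEach-Object {
            Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue `
                -FilterHashtable @{ LogName = $_.LogName; StartTime = $Start; EndTime = $End }
        } |
        Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName, Message |
        Sort-Object TimeCreated
}

function Search-AllEventLogsWmi {
    param(
        [Parameter(Mandatory=$true)][datetime]$Start,
        [Parameter(Mandatory=$true)][datetime]$End,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # WQL compares TimeGenerated as a DMTF datetime string, so convert the .NET
    # dates (including the local UTC offset) rather than hand-typing them. The
    # filter runs inside WMI, which is what avoids the "Quota violation" seen when
    # every Win32_NTLogEvent instance is returned and filtered client-side.
    $from  = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($Start)
    $to    = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($End)
    $query = "SELECT LogFile, TimeGenerated, SourceName, EventCode, Type, Message " +
             "FROM Win32_NTLogEvent WHERE TimeGenerated >= '$from' AND TimeGenerated < '$to'"
    Get-WmiObject -Query $query -ComputerName $ComputerName |
        Select-Object @{ n = 'TimeCreated'; e = { $_.ConvertToDateTime($_.TimeGenerated) } },
                      LogFile, SourceName, EventCode, Type, Message |
        Sort-Object TimeCreated
}

# Usage with the one-hour window from the thread (local time), summarised per log.
Search-AllEventLogs -Start '2012-09-08 17:00' -End '2012-09-08 18:00' |
    Group-Object LogName | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

    Both functions return the same shape of objects sorted by time, so the output of either can be piped to Export-Csv for cross-referencing against the external timestamp.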
