January 1, 2012 at 12:00 am

by willsteele at 2012-09-10 08:10:20

Ok, the presumption of the question is that it can be done. But, is there a way to look at all event logs on a 2008 R2 server? I have a specific window of time in which an event occurred. What I need to do is see if I can cross-reference something in the logs with the time stamp. One way I can think of doing it would be to iterate through a list of all event logs, but, I wanted to see if there was another way to do it first.

by DonJ at 2012-09-10 08:37:14

Well, it can be done – but one at a time. There's no "give me every log event you have globally" API. So you'll have to iterate. It'll be ugly.

by willsteele at 2012-09-10 08:44:48

Yeah, that's kind of what I thought. Would be nice if there was an XPath way I could do it. Hmmm. First I need to get my server guy to install .NET 3.5 so I can use the cmdlets. Shaking my head.....

by coderaven at 2012-09-10 10:20:01

The only way I can see you doing it without doing every log file one at a time with Get-WinEvent is to use Get-WMIObject -Class Win32_NTLogEvent. It will pull every event, but it can take a while. I suggest you use the -Query switch and filter for exactly what you are looking for instead of getting all objects and then filtering.

by surveyor at 2012-09-10 10:53:56

This little snippet searches all event logs for messages with "error" in the text.
Get-WmiObject -Query "select LogFile,Message from Win32_NTLogEvent where Message like '%error%'" | Group-Object -Property LogFile

by willsteele at 2012-09-10 11:41:21

WMI gave me a new error I've never seen. Makes sense. Just funny to hear the ship let out a big creak in a new way.

$events = Get-WmiObject -Class win32_ntlogevent | Where {($_.TimeGenerated -gt '201209081700.000000-000') -and ($_.TimeGenerated -lt '201209081800.000000-000')}

Get-WmiObject : Quota violation
At line:1 char:24
+ $events = Get-WmiObject <<<<  -Class win32_ntlogevent | Where {($_.TimeGenerated -gt '201209081700.000000-000') -and ($_.TimeGenerated -lt '201209081800.000000-000')}
+ CategoryInfo : InvalidOperation: (:) [Get-WmiObject], ManagementException
+ FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand

An associated link for any WMI folks out there in case you ever face something like this. Pretty useful one: http://blogs.technet.com/b/askperf/archive/2008/09/16/memory-and-handle-quotas-in-the-wmi-provider-service.aspx

by coderaven at 2012-09-10 14:09:45

The sheer number of records coming from Win32_NTLogEvent means you would need to filter with the -Query instead.

$events = Get-WMIObject -Query "SELECT * From Win32_NTLogEvent Where TimeGenerated >= `'20120908 17:00`' and TimeGenerated < `'20120908 18:00`'"
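A fuller version of the time-window search the thread converges on, added here as an example (it is not code from any of the posters). Option 1 filters Win32_NTLogEvent server-side with a WQL -Query so the client never pulls every record, which is what produced the quota violation above; option 2 is the Get-WinEvent iteration DonJ described. The 17:00 to 18:00 window on 2012-09-08 comes from the thread; running as an administrator is assumed so the Security log is readable.

```powershell
# Added example, not from the thread. Assumes PowerShell 2.0+ on Windows, run elevated.
$start = Get-Date '2012-09-08 17:00'
$end   = Get-Date '2012-09-08 18:00'

# --- Option 1: one WMI query across every log, filtered on the server side ---
# WQL compares TimeGenerated against DMTF (CIM_DATETIME) strings such as
# 20120908170000.000000-000, so convert the DateTime values rather than typing literals.
$dmtfStart = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($start)
$dmtfEnd   = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($end)
$wql = "SELECT LogFile, TimeGenerated, EventCode, SourceName, Type, Message " +
       "FROM Win32_NTLogEvent " +
       "WHERE TimeGenerated >= '$dmtfStart' AND TimeGenerated < '$dmtfEnd'"
$wmiHits = Get-WmiObject -Query $wql |
    Select-Object LogFile, SourceName, EventCode, Type,
        @{ Name = 'Time'
           Expression = { [System.Management.ManagementDateTimeConverter]::ToDateTime($_.TimeGenerated) } },
        Message
# Summary first: which logs had activity in the window.
$wmiHits | Group-Object LogFile | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# --- Option 2: Get-WinEvent over every log (needs .NET 3.5 / PowerShell 2.0) ---
# There is still no single "all logs" query, so enumerate the log names and filter each one.
# -FilterHashtable pushes the time filter into the event log service; SilentlyContinue skips
# logs that are unreadable or have no events in the window (otherwise a non-terminating error).
$logNames = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordCount -gt 0 } |
    Select-Object -ExpandProperty LogName
$winEventHits = foreach ($log in $logNames) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $start; EndTime = $end } `
        -ErrorAction SilentlyContinue
}
# Timeline across all logs, oldest first, for cross-referencing against the known timestamp.
$winEventHits | Sort-Object TimeCreated |
    Format-Table TimeCreated, LogName, ProviderName, Id, LevelDisplayName -AutoSize
```

Option 2 covers the Applications and Services logs as well as the classic Application/System/Security logs, which is more than Win32_NTLogEvent exposes.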