How do you find an eventlog message based on a keyword?

This topic contains 5 replies, has 3 voices, and was last updated by Dan Potter 9 months, 2 weeks ago.

  • #35521
    Sean Perkins
    Participant

    Hello, I'm a first-time poster here in this forum and I'm new to PowerShell, very new. I'm actually going through Mr. Jones' Month of Lunches book. Not sure if this is the proper place to post this question, but here goes...

    I have a few servers that have an error that has "SSPI" in the body of the message. The command I've constructed is as follows (and is failing or just hanging):

    Get-EventLog -LogName application -After 2-17-16 -ComputerName SeanServer -EntryType Error -Message SSPI

    Also, I've surrounded SSPI in asterisks:

    Get-EventLog -LogName application -After 2-17-16 -ComputerName SeanServer -EntryType Error -Message *SSPI*

    Neither of these commands is producing results 🙁 Help me Obi-Wan Kenobi...

  • #35522
    Sean Perkins
    Participant

    The error I get:

    Get-EventLog : No matches found
    At line:1 char:1
    + Get-EventLog -LogName application -After 2-17-16 -ComputerName SeanServer -Entr ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (:) [Get-EventLog], ArgumentException
    + FullyQualifiedErrorId : GetEventLogNoEntriesFound,Microsoft.PowerShell.Commands.GetEventLogCommand

  • #35523
    Don Jones
    Keymaster

    So, know that Get-EventLog uses a fairly old communications architecture. Also, event logs aren't indexed on the message field, meaning the command has to _remotely_ perform a brute-force search of every single entry to find the text you're after. I'm not surprised it's hanging. And I believe it supports wildcards, but that'll really just make it take longer. What would help is if you could restrict it a bit further using -Source or -InstanceID, or even -Before and -After, so it doesn't have to plug through the entire log.

    Get-WinEvent might could maybe possibly be a little faster, but I wouldn't bet big money on it. Because Message isn't indexed on the server, anything looking at it is just going to be a brute-force scan, and in a big log it's gonna take a while.
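    The approach Don describes, as an added example (this is not code from the thread or from any of its posters): narrow the query on the fields the event log service can filter on, then do the message-text match locally on the reduced set. The server name, the date and the SSPI pattern are taken from the question; the Schannel provider in the comment is only an illustration.

```powershell
# Added example, not from the thread. Filter server-side on fields the event
# log service evaluates, then match the message text on the client.
$server  = 'SeanServer'            # assumed name, from the question
$since   = Get-Date '2016-02-17'   # unambiguous ISO date instead of 2-17-16
$pattern = 'SSPI'

# Keys in -FilterHashtable are evaluated by the event log service on $server,
# so only Error entries (Level 2) in the Application log after $since come back.
# Message text is not a supported key: the message is not indexed, which is
# exactly why a -Message search has to scan every record.
$filter = @{
    LogName   = 'Application'
    Level     = 2          # 2 = Error (Get-WinEvent uses Level, not -EntryType)
    StartTime = $since
}
# ProviderName and Id are the Get-WinEvent equivalents of Get-EventLog's -Source
# and -InstanceId; add them as soon as you know them, for example:
#   $filter.ProviderName = 'Schannel'     # illustration only

$events = Get-WinEvent -ComputerName $server -FilterHashtable $filter -ErrorAction SilentlyContinue

# The text match is still a linear scan, but now over a small, already
# filtered set, so it costs little even across a slow link.
$events |
    Where-Object { $_.Message -like "*$pattern*" } |
    Select-Object TimeCreated, ProviderName, Id,
        @{ Name = 'Message'; Expression = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -AutoSize -Wrap
```

    -ErrorAction SilentlyContinue is there because Get-WinEvent raises a non-terminating "No events were found" error when the filter matches nothing, which is a normal result here rather than a failure.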

  • #35534
    Sean Perkins
    Participant

    Ahh, I see what you mean about the brute force stuff, that is a bummer. I've noticed that the -InstanceID and EventID aren't always the same, so that makes it a pain. I was able to play around with the command a little bit and speed things up. That command was being run on servers that were over a WAN/MPLS link, so that wasn't helping either.

    As an aside, PowerShell is AWESOME!!!! LOVE your book so far, it has made the journey so much better than I thought. I'm very glad that I took the plunge 🙂

  • #35572
    Dan Potter
    Participant

    Build your query in eventvwr. Copy the text from the XML tab.

    ex.

    # The XML below has the shape eventvwr's XML tab produces; the forum stripped
    # the tags from the original post. Path is the log the query runs against;
    # 'System' is assumed here for WindowsUpdateClient events, so use whatever
    # value eventvwr emits for your query.
    $filterXML = @'
    <QueryList>
      <Query Id="0" Path="System">
        <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-WindowsUpdateClient'] and (Level=4 or Level=0) and (EventID=19)]]</Select>
      </Query>
    </QueryList>
    '@

    Get-WinEvent -ComputerName $server -FilterXml $filterXML
  • #35573
    Dan Potter
    Participant

    This forum messes up xml for some reason.

    Copy the xml from the tab and place it inside the here string.
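    Dan's here-string technique carried a step further, as an added example that is not from the thread: the XML keeps the shape eventvwr emits, gets a time window added with the timediff() XPath function the event log supports, and is run on each server over WinRM with Invoke-Command so the scan happens where the log lives and only matching records cross the WAN link Sean mentioned. Server names, the seven-day window and the Application log path are assumptions.

```powershell
# Added example, not from the thread. Runs an eventvwr-style XML query on the
# remote servers themselves and brings back only the matching records.
$servers = 'SeanServer', 'Server02'   # assumed names
$days    = 7                           # assumed window

# timediff(@SystemTime) is measured in milliseconds from now.
$ms = $days * 24 * 60 * 60 * 1000

# Single-quoted here-string, so nothing inside is expanded; {0} is filled in
# with -f. Note the XML escaping of <= as &lt;= inside the Select element,
# which is also how eventvwr writes it.
$filterXml = @'
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">
      *[System[(Level=2) and TimeCreated[timediff(@SystemTime) &lt;= {0}]]]
    </Select>
  </Query>
</QueryList>
'@ -f $ms

# WinRM rather than the RPC channel Get-EventLog uses: the event log service on
# each server evaluates the XML, and Where-Object runs there too, so only the
# records containing the text come back over the link.
$results = Invoke-Command -ComputerName $servers -ScriptBlock {
    param($xml, $text)
    Get-WinEvent -FilterXml $xml -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$text*" } |
        Select-Object MachineName, TimeCreated, ProviderName, Id, Message
} -ArgumentList $filterXml, 'SSPI'

$results | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap
```

    The event log's XPath dialect has no contains() function, so message text still cannot go into the XML; the point of pushing the Where-Object into the script block is that the brute-force part of the search runs next to the log instead of pulling every filtered record across the network first.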
