Skip to content

Instantly share code, notes, and snippets.

@jdhitsolutions

jdhitsolutions/Get-EventLogFile.ps1

Created June 17, 2016 12:53
Show Gist options
  • Save jdhitsolutions/528f48c7cb135f0d6d7b2271b5a616b1 to your computer and use it in GitHub Desktop.
Save jdhitsolutions/528f48c7cb135f0d6d7b2271b5a616b1 to your computer and use it in GitHub Desktop.
Download ZIP
This PowerShell function will use the CIM cmdlets to gather information about classic style event log files.
Raw
Get-EventLogFile.ps1
#requires -version 3.0
Function Get-EventLogFile {
<#
.SYNOPSIS
Get information about classic event logs
.DESCRIPTION
This command will use the CIM cmdlets to gather information about event log files. The default is to display all classic style event logs or you can select a specific one by name.
Use the List parameter to quickly list the log name and number of records. This does not get the entire event log object so it is a little bit faster.
.PARAMETER Computername
The NETBios or FQDN of a remote computer. You can also use the alias 'CN'.
.PARAMETER CimSession
A Cimsession object to a remote computer. You can also use the alias 'CS'.
.PARAMETER Name
The name of a specific event log.
.PARAMETER ListOnly
Get only the logname and number of records. The primary purpose for this parameter is to quickly list log names without retrieving the entire object.
.PARAMETER SkipEmptyLog
Skip event logs with 0 entries.
.PARAMETER OperationTimeoutSec
Specifies the amount of time that the cmdlet waits for a response from the computer.By default, the value of this parameter is 0, which means that the cmdlet uses the default timeout value for the server.
If the OperationTimeoutSec parameter is set to a value less than the robust connection retry timeout of 3 minutes, network failures that last more than the value of the OperationTimeoutSec parameter are not recoverable, because the operation on the server times out before the client can reconnect.
.EXAMPLE
PS C:\> Get-EventLogFile -computername chi-p50
Computername : CHI-P50
Log : Application
NumberOfRecords : 1300
Path : C:\WINDOWS\System32\Winevt\Logs\Application.evtx
SizeMB : 1.07
MaxSizeMB : 20
PctUsed : 5.33
LastModified : 6/15/2016 9:37:19 AM
ModifiedAge : 05:16:23.2285115
Computername : CHI-P50
Log : DNS Server
NumberOfRecords : 535
Path : C:\WINDOWS\System32\Winevt\Logs\DNS Server.evtx
SizeMB : 1.07
MaxSizeMB : 100
PctUsed : 1.07
LastModified : 6/15/2016 9:37:20 AM
ModifiedAge : 05:16:21.5171060
...
.EXAMPLE
PS C:\> Get-CimSession | Get-EventLogFile | Sort PctUsed -descending | Out-Gridview -title "Event Logs"
.EXAMPLE
PS C:\> Get-EventLogFile -Name application -Computername chi-web02
Computername : CHI-WEB02
LogName : Application
NumberOfRecords : 7174
Path : C:\Windows\System32\Winevt\Logs\Application.evtx
SizeMB : 5.07
MaxSizeMB : 20
PctUsed : 25.33
LastModified : 6/7/2016 10:36:07 AM
ModifiedAge : 8.04:28:42.4684355
.EXAMPLE
PS C:\> Get-EventlogFile -computername chi-dc04,chi-dc01,chi-p50 -name "DNS Server" | Format-Table -group @{Name="Computer";Expression={"$($_.Computername) - $($_.Path)"}} -property *Size*,PctUsed,NumberOfRecords
Computer: CHI-DC04 - C:\Windows\System32\Winevt\Logs\DNS Server.evtx
SizeMB MaxSizeMB PctUsed NumberOfRecords
------ --------- ------- ---------------
1.07 16 6.67 1503
Computer: CHI-P50 - C:\WINDOWS\System32\Winevt\Logs\DNS Server.evtx
SizeMB MaxSizeMB PctUsed NumberOfRecords
------ --------- ------- ---------------
1.07 100 1.07 535
Computer: CHI-DC01 - C:\Windows\System32\Winevt\Logs\DNS Server.evtx
SizeMB MaxSizeMB PctUsed NumberOfRecords
------ --------- ------- ---------------
1.07 16 6.67 2283
.EXAMPLE
PS C:\> Get-EventLogFile chi-core01 -ListOnly
Computername LogName NumberOfRecords
------------ ------- ---------------
CHI-CORE01 Application 33834
CHI-CORE01 HardwareEvents 0
CHI-CORE01 Internet Explorer 0
CHI-CORE01 Key Management Service 0
CHI-CORE01 Operations Manager 32190
CHI-CORE01 Security 97428
CHI-CORE01 System 106947
CHI-CORE01 Windows PowerShell 11273
.EXAMPLE
PS C:\> Get-CimSession | Get-EventLogFile -ListOnly -Name Security
Computername LogName NumberOfRecords
------------ ------- ---------------
CHI-P50 Security 30672
CHI-WEB02 Security 28260
.EXAMPLE
PS C:\> get-eventlogfile -comp chi-dc01,chi-scom01,chi-sql01 -skip -ListOnly | Sort Computername,LogName | format-table -GroupBy Computername -property Logname,NumberOfRecords
Computername: CHI-DC01
LogName NumberOfRecords
------- ---------------
Active Directory Web Services 4192
Application 30358
DFS Replication 2033
Directory Service 2454
DNS Server 2283
File Replication Service 1460
Operations Manager 23323
Security 56140
System 42337
Windows PowerShell 18378
Computername: CHI-SCOM01
LogName NumberOfRecords
------- ---------------
Application 7400
Operations Manager 17948
Security 28522
System 64870
Windows PowerShell 13678
Computername: CHI-SQL01
LogName NumberOfRecords
------- ---------------
Application 26905
Operations Manager 30193
Security 34248
System 65403
Windows PowerShell 14105
Get a simple list of event logs, skipping those with 0 entries.
.NOTES
Version : 1.0
Last Updated : June 17, 2016
Learn more about PowerShell:
http://jdhitsolutions.com/blog/essential-powershell-resources/
****************************************************************
DO NOT USE IN A PRODUCTION ENVIRONMENT UNTIL YOU HAVE TESTED
THOROUGHLY IN A LAB ENVIRONMENT. USE AT YOUR OWN RISK. IF
YOU DO NOT UNDERSTAND WHAT THIS SCRIPT DOES OR HOW IT WORKS,
DO NOT USE IT OUTSIDE OF A SECURE, TEST SETTING.
****************************************************************
.LINK
Get-CimInstance
.LINK
Get-EventLog
.INPUTS
[string]
[cimsession]
.OUTPUTS
[pscustomobject]
#>
[CmdletBinding(DefaultParameterSetName="Computername")]
Param
(
[Parameter(
ParameterSetName = "Computername",
ValueFromPipelineByPropertyName,
ValueFromPipeline,
Position=0
)]
[ValidateNotNullorEmpty()]
[Alias("cn")]
[string[]]$Computername = $env:Computername,
[Parameter(
ParameterSetName = "Session",
ValueFromPipeline
)]
[Alias("cs")]
[ValidateNotNullorEmpty()]
[Microsoft.Management.Infrastructure.CimSession[]]$CimSession,
[Parameter(ParameterSetName = "Computername")]
[Parameter(ParameterSetName = "Session")]
[ValidateNotNullorEmpty()]
[string]$Name,
[Parameter(ParameterSetName="Computername")]
[Parameter(ParameterSetName="Session")]
[switch]$ListOnly,
[Parameter(ParameterSetName="Computername")]
[Parameter(ParameterSetName="Session")]
[switch]$SkipEmptyLog,
[alias("timeout")]
[uint32]$OperationTimeoutSec
)
Begin {
Write-Verbose "[BEGIN ] Starting: $($MyInvocation.Mycommand)"
#display PSBoundparameters formatted nicely for Verbose output
[string]$pb = ($PSBoundParameters | format-table -AutoSize | Out-String).TrimEnd()
Write-Verbose "[BEGIN ] PSBoundparameters: `n$($pb.split("`n").Foreach({"$("`t"*4)$_"}) | Out-String) `n"
$PSBoundParameters.Add("Classname","Win32_NTEventLogFile")
$PSBoundParameters.Add("ErrorAction","Stop")
#define a set of Properties to return
$Properties = @{Name="Computername";Expression={$_.CSName}},
@{Name="LogName";Expression={$_.LogFileName}},
"NumberOfRecords",
@{Name="Path";Expression={$_.Name}},
@{Name="SizeMB";Expression = {[math]::Round($_.FileSize/1MB,2)}},
@{Name="MaxSizeMB";Expression = {$_.MaxFileSize/1MB -as [int]}},
@{Name="PctUsed";Expression= {[math]::Round(($_.FileSize/$_.maxFileSize)*100,2)}},
"LastModified",
@{Name="ModifiedAge";Expression={(Get-Date) - $_.LastModified}}
#create a filter if $Name is specified
if ($Name) {
#remove from PSBoundparameters
$PSBoundParameters.Remove("Name") | Out-Null
$filter = "logfilename = '$Name'"
Write-Verbose "[BEGIN ] Adding filter: $filter"
$PSBoundParameters.Add("Filter",$filter)
}
if ($SkipEmptyLog -And $Name) {
#update existing filter
#remove from PSBoundparameters
$PSBoundParameters.Remove("SkipEmptyLog") | Out-Null
$filter+= " AND NumberofRecords<>0"
Write-Verbose "[BEGIN ] Updating filter: $filter"
$PSBoundParameters.Filter = $filter
}
elseif ($SkipEmptyLog) {
#remove from PSBoundparameters
$PSBoundParameters.Remove("SkipEmptyLog") | Out-Null
#create filter to only filter out logs with no records
$filter+= "NumberofRecords<>0"
Write-Verbose "[BEGIN ] Adding filter: $filter"
$PSBoundParameters.Add("Filter",$filter)
}
if ($ListOnly) {
#update PSBoundparameters
#limit Get-CimInstance to only retrieving the required
#properties which should speed up the query.
$PSBoundParameters.Add("Property", @("Logfilename","NumberofRecords","CSName"))
$PSBoundParameters.Remove("ListOnly") | Out-Null
#define a list properties
$ListProperties = @{Name="Computername";Expression={$_.CSName}},
@{Name="LogName";Expression={$_.LogFileName}},
"NumberOfRecords"
}
} #begin
Process {
Write-Verbose "[PROCESS] Using parameter set: $($PSCmdlet.parameterSetName)"
#PSBoundParameters might change depending on what is piped in
[string]$pb = ($PSBoundParameters | Format-Table -AutoSize | Out-String).TrimEnd()
Write-Verbose "[PROCESS] PSBoundparameters: `n$($pb.split("`n").Foreach({"$("`t"*4)$_"}) | Out-String) `n"
Try {
if ($ListOnly) {
Get-CimInstance @PSBoundParameters | Select $ListProperties
}
else {
Get-CimInstance @PSBoundParameters | Select $Properties
}
}
Catch {
Write-Error $_
}
} #process
End {
Write-Verbose "[END ] Ending: $($MyInvocation.Mycommand)"
} #end
} #close function
@jdhitsolutions
Copy link
Author

You can read more about this function here: http://bit.ly/1W3r7se

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment