In this post I'm going to cover how to deal with event logs on remote servers. The reasoning here is that most servers live in a locked-down environment, and the average admin will be running admin scripts from his or her local workstation rather than logging on to each box.
How do we do it?
Again we're going to turn to WMI. PowerShell 1.0 has some great cmdlets for managing local event logs, but those same cmdlets can't reach a remote machine (Get-EventLog has no -ComputerName parameter in 1.0).
Let's start off by querying WMI for the list of event logs on the remote machine, using the NT event log file class, Win32_NTEventLogFile. We're going to use the same commands we're familiar with by now to query a WMI class on a remote machine and format the output:
Get-WmiObject Win32_NTEventLogFile -ComputerName 2003Server | Format-List
While informational, this isn't too useful yet, although I can at least see which event logs exist on this machine and how large they are.
To get INTO the event logs and see their contents, we need to use a different WMI class, Win32_NTLogEvent, where each instance is a single event record:
Get-WmiObject Win32_NTLogEvent -ComputerName 2003Server
However, all this gives us is a long list of every event in every log on that machine, which is not all that useful. By piping through the Where-Object cmdlet (alias where) we can narrow the output to a single log. For example:
Get-WmiObject Win32_NTLogEvent -ComputerName 2003Server | where {$_.logfile -eq "System"}
returns every event in the System log. Again, too much information. Let's narrow the output further by extending the Where-Object condition, selecting only the properties we want and adding some formatting:
Get-WmiObject Win32_NTLogEvent -ComputerName 2003Server | where {$_.logfile -eq "System" -AND $_.type -EQ "Error"} | Select TimeGenerated, Message | Format-Table -Auto
You'll notice, though, that this takes several minutes to return and is nowhere near as efficient as the built-in event log cmdlets. The reason is that Where-Object filters on your workstation: every record from every log on the remote machine is first pulled across the DCOM connection, and only then discarded. If we put the condition into a WQL query instead, the WMI provider on the server does the filtering and returns only the matching rows. The same query, written that way:
Get-WmiObject -ComputerName 2003Server -Query "Select Logfile, EventCode, TimeGenerated, Message from Win32_NTLogEvent where Logfile='Application' AND EventCode=1001" | Select TimeGenerated, Message | Format-List
Notice that each query still needs a bit of time to run, because WMI walks the remote event log from the beginning every time a query is issued. A more efficient way to work would be to dump an entire event log into a variable once (or periodically) and then search the variable as many times as you like. But that's going to be for another post.
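To tie the two ideas above together (server-side WQL filtering, and fetching a log once so it can be searched repeatedly), here is an added example of my own; it is not code from the original post. It wraps Get-WmiObject in a small function that builds the WQL WHERE clause for you, converts the DMTF timestamp in TimeGenerated into a real [DateTime] with ConvertToDateTime(), and is then used three ways. The server name 2003Server comes from the post; the log names and event IDs used below (6008 unexpected shutdown, 529 failed logon on Windows 2003, 1001 from the post) are real Windows event IDs but are only illustrative here. The code sticks to PowerShell 1.0 syntax.

```powershell
# Query Win32_NTLogEvent on a remote machine with the filter evaluated by the
# WMI provider on the server (via -Filter), not by Where-Object on the workstation.
# Added example, not from the original post. Assumed/illustrative: the host name,
# log names and event IDs passed in by the callers at the bottom.
function Get-RemoteLogEvent {
    param(
        [string]$ComputerName,            # remote server, e.g. '2003Server'
        [string]$LogFile   = 'System',    # Logfile property: System, Application, Security, ...
        [string]$Type      = $null,       # 'Error', 'Warning', 'Information', 'Audit Failure', ...
        [int[]] $EventCode = $null        # one or more event IDs; $null = all
    )

    # Build the WQL WHERE clause so only matching rows cross the DCOM connection.
    # WQL has no IN operator, so multiple IDs become an OR group.
    $clauses = @("Logfile='$LogFile'")
    if ($Type) { $clauses += "Type='$Type'" }
    if ($EventCode) {
        $ids = @($EventCode | ForEach-Object { "EventCode=$_" })
        $clauses += '(' + [string]::Join(' OR ', $ids) + ')'
    }
    $filter = [string]::Join(' AND ', $clauses)

    Get-WmiObject -Class Win32_NTLogEvent -ComputerName $ComputerName -Filter $filter |
        Select-Object `
            @{Name='Time';    Expression={ $_.ConvertToDateTime($_.TimeGenerated) }},
            @{Name='Log';     Expression={ $_.Logfile }},
            @{Name='Type';    Expression={ $_.Type }},
            @{Name='EventId'; Expression={ $_.EventCode }},
            @{Name='Source';  Expression={ $_.SourceName }},
            @{Name='Message'; Expression={ $_.Message }}
}

# 1. Errors in the System log, filtered on the server (replaces the slow client-side where {}).
Get-RemoteLogEvent -ComputerName '2003Server' -LogFile 'System' -Type 'Error' |
    Format-Table Time, EventId, Source, Message -AutoSize

# 2. Unexpected shutdowns (System log, event 6008), newest first.
Get-RemoteLogEvent -ComputerName '2003Server' -LogFile 'System' -EventCode 6008 |
    Sort-Object Time -Descending | Format-List Time, Message

# 3. Failed logons in the Security log (event 529 on Windows 2003). Reading the Security
#    log remotely needs local admin on the target plus the "Manage auditing and security
#    log" user right; plain WMI access to the namespace is not enough.
Get-RemoteLogEvent -ComputerName '2003Server' -LogFile 'Security' -Type 'Audit Failure' -EventCode 529 |
    Format-Table Time, Message -AutoSize

# 4. Fetch the whole Application log once, then search the variable repeatedly
#    without WMI re-walking the remote log for each question.
$appLog = Get-RemoteLogEvent -ComputerName '2003Server' -LogFile 'Application'
$appLog | Where-Object { $_.EventId -eq 1001 } | Select-Object Time, Message
$appLog | Group-Object Source | Sort-Object Count -Descending | Select-Object -First 10
```

Two practical notes. Get-WmiObject talks DCOM, so the workstation needs RPC endpoint mapper (TCP 135) plus the dynamic RPC port range open to the server; if the call hangs and then fails with "RPC server unavailable", that is the firewall, not the query. And the cached-variable approach (example 4) is a snapshot: anything written to the log after the fetch is not in $appLog, so refresh the variable before drawing conclusions from it.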