Parsing Event Logs with Powershell

Here’s something for every Administrator out there, parsing the event logs in Windows quickly and easily.

In Powershell, there is the “Get-EventLog” command.

And do you know HOW EASY it is to use?  And it works on both LOCAL and REMOTE eventlogs (Presuming permissions, etc etc etc)

Here’s the basic command line

    Get-EventLog [-AsString] [-ComputerName <string[]>] [-List] [<CommonParameters>]

    Get-EventLog [-LogName] <string> [[-InstanceId] <Int64[]>] [-After <DateTime>] [-AsBaseObject] [-Before <DateTime>] [-ComputerName <string[]>] [-EntryType <string[]>] [-Index <Int32[]>] [-Message <string>] [-Newest <int>] [-Source <string[]>] [-UserName <string[]>] [<CommonParameters>]

Now I’m going to break that down into something SIMPLE and USEFUL

All you REALLY need to know to WORK with this is one simple comparison operator: "-like".

So here we’re going to get my Application Log for any time it had OUTLOOK crash

    Get-EventLog -LogName Application | Where-Object { $_.Message -like "*outlook*" }

All that does is do wildcard search for the word Outlook ANYWHERE in the message.   If you’ve ever tried digging through the event Logs, you know what it’s like.  The Filter option JUST doesn’t cut it when you want to filter out the contents of the error messages.

Here in Powershell land?  Well we’re just getting started!

You can search FAILURE AUDITS for a particular user too!  Now of course you have to have the appropriate logging turned on first.   And the second Caveat is you HAVE to run Powershell “As Administrator” (Right Click, run as Administrator) as the Security logs are, shall we say, a little special.

But with that SAME command and an extra parameter, -ComputerName, I can find every time someone failed to type his/her password properly.

    Get-EventLog -LogName Security -ComputerName CONTOSO-DC | Where-Object { $_.EntryType -eq "FailureAudit" }

And if you PIPE that into an Export-Csv like so


You can have logs you can dig through with Excel. 

But wait!  There’s more.

I can get REALLY granular!  I can look for which USER was failing on their password and filter THEM into an even smaller log.  Because Powershell (unlike the Eventviewer Filter) can SEE and Filter out results in the Message field!

    Get-EventLog -LogName Security -ComputerName CONTOSO-DC | Where-Object { ($_.EntryType -eq "FailureAudit") -and ($_.Message -like "*JOHN.SMITH*") }

And of course like before, you can pipe all of this into a useful CSV file.  This output as well contains ALL the details from the event Log, including Dates and Times!

    Get-EventLog -LogName Security -ComputerName CONTOSO-DC | Where-Object { ($_.EntryType -eq "FailureAudit") -and ($_.Message -like "*JOHN.SMITH*") } | Export-Csv C:\BADPW.CSV
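The same idea carried a step further, as an added example that is not part of the original post: instead of piping every Security entry through Where-Object, it uses the -EntryType and -After parameters from the syntax above so the log is filtered before it crosses the wire, pulls the failing account name out of the Message text, and counts failures per account before writing the CSV. Assumptions: it runs elevated, the host names and output path are placeholders, and the "Account Name:" layout of failed-logon messages is taken as given.

```powershell
# Added example (not from the original post): summarise Security-log failure audits
# per computer and per account over the last N hours, then export to CSV for Excel.
param(
    [string[]]$ComputerName = @('CONTOSO-DC'),   # placeholder host names
    [int]$Hours = 24,
    [string]$OutFile = 'C:\BADPW.CSV'            # placeholder output path
)

$since = (Get-Date).AddHours(-$Hours)

$failures = foreach ($cn in $ComputerName) {
    try {
        # -EntryType and -After narrow the query on the remote host;
        # a Where-Object on the full log would pull every entry first.
        Get-EventLog -LogName Security -ComputerName $cn -EntryType FailureAudit -After $since |
            Select-Object @{n = 'Computer'; e = { $cn }}, TimeGenerated, InstanceId, Message
    }
    catch {
        # Access denied or RPC unavailable: report it and keep going with the next host.
        Write-Warning "Could not read Security log on ${cn}: $($_.Exception.Message)"
    }
}

# Layout assumption: a failed-logon message lists the calling account first and the
# account that failed second, each on an 'Account Name:' line, so take the last match.
$rows = foreach ($e in $failures) {
    $names = @([regex]::Matches($e.Message, 'Account Name:\s+(\S+)') |
        ForEach-Object { $_.Groups[1].Value })
    [pscustomobject]@{
        Computer      = $e.Computer
        TimeGenerated = $e.TimeGenerated
        InstanceId    = $e.InstanceId
        Account       = if ($names.Count -gt 0) { $names[-1] } else { '<unparsed>' }
    }
}

# Who is failing most? One user with a forgotten password looks very different
# from one source hitting dozens of accounts a few times each.
$rows | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

$rows | Export-Csv -Path $OutFile -NoTypeInformation
```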

This is why I love Powershell.   Without any real difficulty, it makes an Administrator's life SOOO much easier.  And more productive.

The Energized Tech


Did you hear the news?


Caught this in Twitter from the @MICROSOFT feed.  Here’s the posting for all to see

Oh read it and sing! YES!   The SINGLE greatest day in HISTORY is HERE!

I’d be dancing and singing about in my cubicle right now if it weren’t for the fact that I would get “called out” for it 🙂

But *sniff* It’s HERE!!!!!! I’m WATCHING my Technet subscription right now like a hawk.

Windows 7 !  Redmond!  Microsoft!  THANK YOU for RTM so quick.

Tomorrow is going to be a fantastic day and the future even better.

7 is here.

Installing GFI Faxmaker NETPRINTQUEUE2FAX drivers in Windows Vista / Server 2008

Well I had a real head scratcher.

Had to set up a feature on a PC called “NETPRINTQUEUE2FAX” from GFI.  The procedure is dead simple.

Add UNC Virtual printer from GFI Fax server (just like adding any other printer)

Send documents to Printer with formatted commands.

Sit back and enjoy Frosty Beverages from a job well done.

Or that’s how it was supposed to be.  I knew there was nothing wrong with the server.   The guy that put it together was my boss who really knows his stuff.

And when I asked him “Hey, did you ever get the following problems adding this feature before?” he looked at me as if I had big pink antennae coming out of my head and was wearing a large fluffy koala bear for shoes.

Yes.  This seemed to be a truly dumb question waiting for an answer.

But I plugged away at it.   Here’s what happened.  On an x64 Server 2008 box, you would connect to the printer, life was good, and then nothing worked when you sent to the printer.  No errors, no application logs saying anything.

Not even a peep.

So I decided to go the other path.  Try the 32bit driver instead.

It looked at me and laughed.

When I added the 32 bit driver on a 32 bit Vista machine it kept WHINING and COMPLAINING about “I can’t find FAXMAKER.CAT”

So I searched.  I dug through GIGS and GIGS of file storage.  This file didn’t exist!

I pulled off a couple of tricks and yanked the MSI files for both the 64 bit version and the 32 bit version out of the TEMP folders.  And running a neat little trick from this article, I pulled out ALL the files the installers dumped.

But try as I might.  This file was from the PHANTOM ZONE!

Then I thought, let’s try a different approach.  Let’s add the driver first.  If the driver files are REALLY corrupt, then they won’t add.

And so I did.  I went to the list of printers.  I pulled up “File/Run as Administrator/Server Properties” to get my list of drivers.   I added the driver manually, browsed to the folder on GFI where the drivers were kept and SURPRISE!

And what do you think popped up in front of me the minute I tried?  This lovely little message


Hmmm, so it appears the drivers were failing halfway through the install.  And no error message either!  Thanks a lot GFI!

So I manually added the drivers to each computer through the Printer console.  Both the 64bit *AND* the 32bit gave the same error.  But after being added FIRST and agreeing to the evil red error message, connecting to the NETPRINTQUEUE2FAX printer afterwards was fine.   In fact I was actually sending faxes with no problem.

So if you’re running GFI Faxmaker and banging your head against the wall wondering WHY the NETPRINTQUEUE2FAX isn’t working in Vista, take this answer and use it.

And *ahem*.  Somebody give GFI a little kick in the pants for lack of Quality Control.