Parsing Event Logs with Powershell

Here’s something for every Administrator out there, parsing the event logs in Windows quickly and easily.

In Powershell, there is the “Get-EventLog” command.

And do you know HOW EASY it is to use?  And it works on both LOCAL and REMOTE eventlogs (Presuming permissions, etc etc etc)

Here’s the basic command line

    Get-EventLog [-AsString] [-ComputerName <string[]>] [-List] [<CommonParameters>]

    Get-EventLog [-LogName] <string> [[-InstanceId] <Int64[]>] [-After <DateTime>] [-AsBaseObject] [-Before <DateTime>] [-ComputerName <string[]>] [-EntryType <string[]>] [-Index <Int32[]>] [-Message <string>] [-Newest <int>] [-Source <string[]>] [-UserName <string[]>] [<CommonParameters>]

Now I’m going to break that down into something SIMPLE and USEFUL

All you REALLY need to know to WORK with this is a simple comparison operator: "-like"

So here we’re going to get my Application Log for any time it had OUTLOOK crash

    GET-EVENTLOG -LOGNAME Application | where { $_.Message -like "*outlook*" }

All that does is a wildcard search for the word Outlook ANYWHERE in the message.   If you've ever tried digging through the event Logs, you know what it's like.  The Filter option JUST doesn't cut it when you want to filter on the contents of the error messages.
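As an added example (not part of the original post), here is the same message search carried a little further: the cheap filters (log, entry type, date) are handed to Get-EventLog itself, and only the free-text match runs in the pipeline. It assumes Windows PowerShell 5.1 on the local machine (Get-EventLog was removed from PowerShell 7, where Get-WinEvent takes its place); the 7-day window and the "*outlook*" pattern are just illustrative values.

```powershell
# Added example, not code from the original post.
# Find Outlook-related errors and warnings in the Application log for the past 7 days.
$since = (Get-Date).AddDays(-7)

# Let Get-EventLog do the inexpensive filtering before anything hits the pipeline;
# -like on Message is what catches text the Event Viewer filter cannot reach.
# -like is case-insensitive in PowerShell, so "*outlook*" also matches "OUTLOOK.EXE".
$hits = Get-EventLog -LogName Application -EntryType Error, Warning -After $since |
    Where-Object { $_.Message -like '*outlook*' }

# Trim each entry to the fields you actually read; Message is cut to its first line
$hits |
    Select-Object TimeGenerated, EntryType, Source, EventID,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# Which event sources are producing the noise
$hits | Group-Object Source | Sort-Object Count -Descending | Select-Object Count, Name
```

Filtering with -After and -EntryType on the cmdlet rather than in a Where-Object block matters on a busy log: the cmdlet stops reading as soon as it passes the date you asked for, instead of pulling every entry into memory first.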

Here in Powershell land?  Well we’re just getting started!

You can search FAILURE AUDITS for a particular user too!  Now of course you have to have the appropriate logging turned on first.   And the second Caveat is you HAVE to run Powershell “As Administrator” (Right Click, run as Administrator) as the Security logs are, shall we say, a little special.

But with that SAME command and an extra parameter -COMPUTERNAME I can find every time someone failed to type his/her password properly.

    GET-EVENTLOG -LOGNAME Security -COMPUTERNAME CONTOSO-DC | where { $_.EntryType -eq "FailureAudit" }

And if you PIPE that into an EXPORT-CSV like so


You can have logs you can dig through with Excel. 

But wait!  There’s more.

I can get REALLY granular!  I can look for which USER was failing on their password and filter THEM into an even smaller log.  Because Powershell (unlike the Eventviewer Filter) can SEE and Filter out results in the Message field!

    GET-EVENTLOG -LOGNAME Security -COMPUTERNAME CONTOSO-DC | where { ($_.EntryType -eq "FailureAudit") -and ($_.Message -like "*JOHN.SMITH*") }

And of course like before, you can pipe all of this into a useful CSV file.  This output as well contains ALL the details from the event Log, including Dates and Times!

    GET-EVENTLOG -LOGNAME Security -COMPUTERNAME CONTOSO-DC | where { ($_.EntryType -eq "FailureAudit") -and ($_.Message -like "*JOHN.SMITH*") } | EXPORT-CSV C:\BADPW.CSV
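As an added example (not from the original post), this script pulls the failed-logon story above together: it asks the domain controller only for FailureAudit entries with event ID 4625 ("An account failed to log on" on Vista/2008 and later) since yesterday, pulls the account, workstation and source address out of each entry, prints a per-account count, and exports the full detail to CSV for Excel. It assumes Windows PowerShell 5.1 run "As Administrator" with rights to read the remote Security log; CONTOSO-DC and the output path are placeholders, and the ReplacementStrings positions are my assumption for 4625 and should be checked against the event's XML view in Event Viewer.

```powershell
# Added example, not code from the original post.
# Summarise failed logons per account on a domain controller and export them to CSV.
param(
    [string]$ComputerName = 'CONTOSO-DC',          # placeholder host name
    [string]$OutFile      = 'C:\Temp\BadPW.csv',   # placeholder output path
    [int]$Days            = 1
)

$since = (Get-Date).AddDays(-$Days)

# Let the cmdlet filter on type, event ID and date; this is far cheaper than
# reading the whole Security log and filtering it in a Where-Object block.
$failures = Get-EventLog -LogName Security -ComputerName $ComputerName `
    -EntryType FailureAudit -InstanceId 4625 -After $since

$rows = foreach ($e in $failures) {
    # ReplacementStrings holds the event's insertion strings in template order.
    # Assumed positions for 4625: 5 = target account, 6 = target domain,
    # 13 = workstation name, 19 = source network address.
    $r = $e.ReplacementStrings
    $account     = if ($r.Count -gt 6)  { '{0}\{1}' -f $r[6], $r[5] } else { '' }
    $workstation = if ($r.Count -gt 13) { $r[13] } else { '' }
    $sourceIp    = if ($r.Count -gt 19) { $r[19] } else { '' }

    [pscustomobject]@{
        Time        = $e.TimeGenerated
        Computer    = $e.MachineName
        Account     = $account
        Workstation = $workstation
        SourceIP    = $sourceIp
        Message     = $e.Message
    }
}

# On-screen summary: which accounts are failing most often
$rows | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Full detail for Excel; -NoTypeInformation drops the "#TYPE" header line
$rows | Export-Csv -Path $OutFile -NoTypeInformation
```

Narrowing to a single account is then a matter of `$rows | Where-Object Account -like '*JOHN.SMITH*'` before the export. Reading the account from ReplacementStrings rather than wildcarding the whole Message avoids matching entries where the name appears only in the "Subject" section or in free text, which is the main way a plain `-like "*JOHN.SMITH*"` over-counts.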

This is why I love Powershell.   Without any real difficulty, it makes an Administrator's life SOOO much easier.  And more productive.

The Energized Tech
