Created
June 17, 2016 12:53
-
-
Save jdhitsolutions/528f48c7cb135f0d6d7b2271b5a616b1 to your computer and use it in GitHub Desktop.
This PowerShell function will use the CIM cmdlets to gather information about classic style event log files.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #requires -version 3.0 | |
| Function Get-EventLogFile { | |
| <# | |
| .SYNOPSIS | |
| Get information about classic event logs | |
| .DESCRIPTION | |
| This command will use the CIM cmdlets to gather information about event log files. The default is to display all classic style event logs or you can select a specific one by name. | |
| Use the List parameter to quickly list the log name and number of records. This does not get the entire event log object so it is a little bit faster. | |
| .PARAMETER Computername | |
| The NETBios or FQDN of a remote computer. You can also use the alias 'CN'. | |
| .PARAMETER CimSession | |
| A Cimsession object to a remote computer. You can also use the alias 'CS'. | |
| .PARAMETER Name | |
| The name of a specific event log. | |
| .PARAMETER ListOnly | |
| Get only the logname and number of records. The primary purpose for this parameter is to quickly list log names without retrieving the entire object. | |
| .PARAMETER SkipEmptyLog | |
| Skip event logs with 0 entries. | |
| .PARAMETER OperationTimeoutSec | |
| Specifies the amount of time that the cmdlet waits for a response from the computer.By default, the value of this parameter is 0, which means that the cmdlet uses the default timeout value for the server. | |
| If the OperationTimeoutSec parameter is set to a value less than the robust connection retry timeout of 3 minutes, network failures that last more than the value of the OperationTimeoutSec parameter are not recoverable, because the operation on the server times out before the client can reconnect. | |
| .EXAMPLE | |
| PS C:\> Get-EventLogFile -computername chi-p50 | |
| Computername : CHI-P50 | |
| Log : Application | |
| NumberOfRecords : 1300 | |
| Path : C:\WINDOWS\System32\Winevt\Logs\Application.evtx | |
| SizeMB : 1.07 | |
| MaxSizeMB : 20 | |
| PctUsed : 5.33 | |
| LastModified : 6/15/2016 9:37:19 AM | |
| ModifiedAge : 05:16:23.2285115 | |
| Computername : CHI-P50 | |
| Log : DNS Server | |
| NumberOfRecords : 535 | |
| Path : C:\WINDOWS\System32\Winevt\Logs\DNS Server.evtx | |
| SizeMB : 1.07 | |
| MaxSizeMB : 100 | |
| PctUsed : 1.07 | |
| LastModified : 6/15/2016 9:37:20 AM | |
| ModifiedAge : 05:16:21.5171060 | |
| ... | |
| .EXAMPLE | |
| PS C:\> Get-CimSession | Get-EventLogFile | Sort PctUsed -descending | Out-Gridview -title "Event Logs" | |
| .EXAMPLE | |
| PS C:\> Get-EventLogFile -Name application -Computername chi-web02 | |
| Computername : CHI-WEB02 | |
| LogName : Application | |
| NumberOfRecords : 7174 | |
| Path : C:\Windows\System32\Winevt\Logs\Application.evtx | |
| SizeMB : 5.07 | |
| MaxSizeMB : 20 | |
| PctUsed : 25.33 | |
| LastModified : 6/7/2016 10:36:07 AM | |
| ModifiedAge : 8.04:28:42.4684355 | |
| .EXAMPLE | |
| PS C:\> Get-EventlogFile -computername chi-dc04,chi-dc01,chi-p50 -name "DNS Server" | Format-Table -group @{Name="Computer";Expression={"$($_.Computername) - $($_.Path)"}} -property *Size*,PctUsed,NumberOfRecords | |
| Computer: CHI-DC04 - C:\Windows\System32\Winevt\Logs\DNS Server.evtx | |
| SizeMB MaxSizeMB PctUsed NumberOfRecords | |
| ------ --------- ------- --------------- | |
| 1.07 16 6.67 1503 | |
| Computer: CHI-P50 - C:\WINDOWS\System32\Winevt\Logs\DNS Server.evtx | |
| SizeMB MaxSizeMB PctUsed NumberOfRecords | |
| ------ --------- ------- --------------- | |
| 1.07 100 1.07 535 | |
| Computer: CHI-DC01 - C:\Windows\System32\Winevt\Logs\DNS Server.evtx | |
| SizeMB MaxSizeMB PctUsed NumberOfRecords | |
| ------ --------- ------- --------------- | |
| 1.07 16 6.67 2283 | |
| .EXAMPLE | |
| PS C:\> Get-EventLogFile chi-core01 -ListOnly | |
| Computername LogName NumberOfRecords | |
| ------------ ------- --------------- | |
| CHI-CORE01 Application 33834 | |
| CHI-CORE01 HardwareEvents 0 | |
| CHI-CORE01 Internet Explorer 0 | |
| CHI-CORE01 Key Management Service 0 | |
| CHI-CORE01 Operations Manager 32190 | |
| CHI-CORE01 Security 97428 | |
| CHI-CORE01 System 106947 | |
| CHI-CORE01 Windows PowerShell 11273 | |
| .EXAMPLE | |
| PS C:\> Get-CimSession | Get-EventLogFile -ListOnly -Name Security | |
| Computername LogName NumberOfRecords | |
| ------------ ------- --------------- | |
| CHI-P50 Security 30672 | |
| CHI-WEB02 Security 28260 | |
| .EXAMPLE | |
| PS C:\> get-eventlogfile -comp chi-dc01,chi-scom01,chi-sql01 -skip -ListOnly | Sort Computername,LogName | format-table -GroupBy Computername -property Logname,NumberOfRecords | |
| Computername: CHI-DC01 | |
| LogName NumberOfRecords | |
| ------- --------------- | |
| Active Directory Web Services 4192 | |
| Application 30358 | |
| DFS Replication 2033 | |
| Directory Service 2454 | |
| DNS Server 2283 | |
| File Replication Service 1460 | |
| Operations Manager 23323 | |
| Security 56140 | |
| System 42337 | |
| Windows PowerShell 18378 | |
| Computername: CHI-SCOM01 | |
| LogName NumberOfRecords | |
| ------- --------------- | |
| Application 7400 | |
| Operations Manager 17948 | |
| Security 28522 | |
| System 64870 | |
| Windows PowerShell 13678 | |
| Computername: CHI-SQL01 | |
| LogName NumberOfRecords | |
| ------- --------------- | |
| Application 26905 | |
| Operations Manager 30193 | |
| Security 34248 | |
| System 65403 | |
| Windows PowerShell 14105 | |
| Get a simple list of event logs, skipping those with 0 entries. | |
| .NOTES | |
| Version : 1.0 | |
| Last Updated : June 17, 2016 | |
| Learn more about PowerShell: | |
| http://jdhitsolutions.com/blog/essential-powershell-resources/ | |
| **************************************************************** | |
| DO NOT USE IN A PRODUCTION ENVIRONMENT UNTIL YOU HAVE TESTED | |
| THOROUGHLY IN A LAB ENVIRONMENT. USE AT YOUR OWN RISK. IF | |
| YOU DO NOT UNDERSTAND WHAT THIS SCRIPT DOES OR HOW IT WORKS, | |
| DO NOT USE IT OUTSIDE OF A SECURE, TEST SETTING. | |
| **************************************************************** | |
| .LINK | |
| Get-CimInstance | |
| .LINK | |
| Get-EventLog | |
| .INPUTS | |
| [string] | |
| [cimsession] | |
| .OUTPUTS | |
| [pscustomobject] | |
| #> | |
| [CmdletBinding(DefaultParameterSetName="Computername")] | |
| Param | |
| ( | |
| [Parameter( | |
| ParameterSetName = "Computername", | |
| ValueFromPipelineByPropertyName, | |
| ValueFromPipeline, | |
| Position=0 | |
| )] | |
| [ValidateNotNullorEmpty()] | |
| [Alias("cn")] | |
| [string[]]$Computername = $env:Computername, | |
| [Parameter( | |
| ParameterSetName = "Session", | |
| ValueFromPipeline | |
| )] | |
| [Alias("cs")] | |
| [ValidateNotNullorEmpty()] | |
| [Microsoft.Management.Infrastructure.CimSession[]]$CimSession, | |
| [Parameter(ParameterSetName = "Computername")] | |
| [Parameter(ParameterSetName = "Session")] | |
| [ValidateNotNullorEmpty()] | |
| [string]$Name, | |
| [Parameter(ParameterSetName="Computername")] | |
| [Parameter(ParameterSetName="Session")] | |
| [switch]$ListOnly, | |
| [Parameter(ParameterSetName="Computername")] | |
| [Parameter(ParameterSetName="Session")] | |
| [switch]$SkipEmptyLog, | |
| [alias("timeout")] | |
| [uint32]$OperationTimeoutSec | |
| ) | |
| Begin { | |
| Write-Verbose "[BEGIN ] Starting: $($MyInvocation.Mycommand)" | |
| #display PSBoundparameters formatted nicely for Verbose output | |
| [string]$pb = ($PSBoundParameters | format-table -AutoSize | Out-String).TrimEnd() | |
| Write-Verbose "[BEGIN ] PSBoundparameters: `n$($pb.split("`n").Foreach({"$("`t"*4)$_"}) | Out-String) `n" | |
| $PSBoundParameters.Add("Classname","Win32_NTEventLogFile") | |
| $PSBoundParameters.Add("ErrorAction","Stop") | |
| #define a set of Properties to return | |
| $Properties = @{Name="Computername";Expression={$_.CSName}}, | |
| @{Name="LogName";Expression={$_.LogFileName}}, | |
| "NumberOfRecords", | |
| @{Name="Path";Expression={$_.Name}}, | |
| @{Name="SizeMB";Expression = {[math]::Round($_.FileSize/1MB,2)}}, | |
| @{Name="MaxSizeMB";Expression = {$_.MaxFileSize/1MB -as [int]}}, | |
| @{Name="PctUsed";Expression= {[math]::Round(($_.FileSize/$_.maxFileSize)*100,2)}}, | |
| "LastModified", | |
| @{Name="ModifiedAge";Expression={(Get-Date) - $_.LastModified}} | |
| #create a filter if $Name is specified | |
| if ($Name) { | |
| #remove from PSBoundparameters | |
| $PSBoundParameters.Remove("Name") | Out-Null | |
| $filter = "logfilename = '$Name'" | |
| Write-Verbose "[BEGIN ] Adding filter: $filter" | |
| $PSBoundParameters.Add("Filter",$filter) | |
| } | |
| if ($SkipEmptyLog -And $Name) { | |
| #update existing filter | |
| #remove from PSBoundparameters | |
| $PSBoundParameters.Remove("SkipEmptyLog") | Out-Null | |
| $filter+= " AND NumberofRecords<>0" | |
| Write-Verbose "[BEGIN ] Updating filter: $filter" | |
| $PSBoundParameters.Filter = $filter | |
| } | |
| elseif ($SkipEmptyLog) { | |
| #remove from PSBoundparameters | |
| $PSBoundParameters.Remove("SkipEmptyLog") | Out-Null | |
| #create filter to only filter out logs with no records | |
| $filter+= "NumberofRecords<>0" | |
| Write-Verbose "[BEGIN ] Adding filter: $filter" | |
| $PSBoundParameters.Add("Filter",$filter) | |
| } | |
| if ($ListOnly) { | |
| #update PSBoundparameters | |
| #limit Get-CimInstance to only retrieving the required | |
| #properties which should speed up the query. | |
| $PSBoundParameters.Add("Property", @("Logfilename","NumberofRecords","CSName")) | |
| $PSBoundParameters.Remove("ListOnly") | Out-Null | |
| #define a list properties | |
| $ListProperties = @{Name="Computername";Expression={$_.CSName}}, | |
| @{Name="LogName";Expression={$_.LogFileName}}, | |
| "NumberOfRecords" | |
| } | |
| } #begin | |
| Process { | |
| Write-Verbose "[PROCESS] Using parameter set: $($PSCmdlet.parameterSetName)" | |
| #PSBoundParameters might change depending on what is piped in | |
| [string]$pb = ($PSBoundParameters | Format-Table -AutoSize | Out-String).TrimEnd() | |
| Write-Verbose "[PROCESS] PSBoundparameters: `n$($pb.split("`n").Foreach({"$("`t"*4)$_"}) | Out-String) `n" | |
| Try { | |
| if ($ListOnly) { | |
| Get-CimInstance @PSBoundParameters | Select $ListProperties | |
| } | |
| else { | |
| Get-CimInstance @PSBoundParameters | Select $Properties | |
| } | |
| } | |
| Catch { | |
| Write-Error $_ | |
| } | |
| } #process | |
| End { | |
| Write-Verbose "[END ] Ending: $($MyInvocation.Mycommand)" | |
| } #end | |
| } #close function |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
You can read more about this function here: http://bit.ly/1W3r7se