Powershell Event Log Filtering

I run across a fairly old Powershell script today that I had to use in order to get some information from the Security log of a Domain Controller. The domain controller has been around for a long time and the log was a bit large.

I run the script once and it took forever to complete so I decided to take a look under the hood...

First of all the script was using the Get-EventLog cmdlet which isn't the best thing...

I examined the script for the event id's of the entries we would like to get and then I replaced the Get-EventLog and Where-Object cmdlets with the Get-WinEvent and the XML filter for the events.

You may wonder, how are we going to build the XML filter for the WinEvent? Well, I'll show you a little trick. First we open Event Viewer, select the log and then select "Filter Current Log". A window will pop up and you'll have to fill the necessary fields. Wait, don't hit "OK" yet, switch to the XML tab and copy the query text.

Next, we're going to create an XML object using the text we got from the query window.

Finally, we will run Get-WinEvent -FilterXML $filter to get the events.

1
2
3
4
5
6
7
8
9
[xml]$filter = @"
<QueryList>
    <Query Id="0" Path="System">
    <Select Path="System">*[System[(EventID=6006)]]</Select>
    </Query>
</QueryList>
"@

Get-WinEvent -FilterXml $filter 


Popular posts from this blog

Syslog Message Collection for OMS from sources that do not support the agent

Generating Alerts On OMS

How to Configure Message Forwarding on a Mailbox Level