by willsteele at 2012-09-10 08:10:20
Ok, the presumption of the question is that it can be done. But, is there a way to look at all event logs on a 2008 R2 server? I have a specific window of time in which an event occurred. What I need to do it see if I can cross-reference something in the logs with the time stamp. One way I can think of doing it would be to iterate through a list of all event logs, but, I wanted to see if there was another way to do it first.by DonJ at 2012-09-10 08:37:14
Well, it can be done - but one at a time. There’s no "give me every log event you have globally" API. So you’ll have to iterate. It’ll be ugly.by willsteele at 2012-09-10 08:44:48
Yeah, that’s kind of what I thought. Would be nice if there was an XPath way I could do it. Hmmm. First I need to get my server guy to install .NET 3.5 so I can use the cmdlets. Shaking my head…by coderaven at 2012-09-10 10:20:01
The only way I can see you doing it with out doing every log file once at a time with Get-WinEvent is to use Get-WMIObject -Class Win32_NTLogEvent. It will pull every event but it can take a while I suggest you use the -Query switch and filter for exactly what you are looking for instead of getting all object and then filtering.by surveyor at 2012-09-10 10:53:56
This little snippet searches in all Eventlogs for message with error in the text.by willsteele at 2012-09-10 11:41:21Get-WmiObject -Query "select LogFile,Message from Win32_NTLogEvent where Message like '%error%'" | Group-Object -Property LogFile
WMI gave me a new error I’ve never seen. Makes sense. Just funny to hear the ship let out a big creak in a new way.by coderaven at 2012-09-10 14:09:45$events = Get-WmiObject -Class win32_ntlogevent | Where {($.TimeGenerated -gt ‘201209081700.000000
-000’) -and ($.TimeGenerated -lt ‘201209081800.000000-000’)}
Get-WmiObject : Quota violation
At line:1 char:24
+ $events = Get-WmiObject <<<< -Class win32_ntlogevent | Where {($.TimeGenerated -gt ‘201209081700.000000-000’) -and
($.TimeGenerated -lt ‘201209081800.000000-000’)}
+ CategoryInfo : InvalidOperation: ([Get-WmiObject], ManagementException
+ FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
An associated link for any WMI folks out there in case you ever face something like this. Pretty useful one: http://blogs.technet.com/b/askperf/archive/2008/09/16/memory-and-handle-quotas-in-the-wmi-provider-service.aspx
The sheer number of records coming from Win32_NTLogEvent means you would need to rather filter with the -Query.$events = Get-WMIObject -Query "SELECT * From Win32_NTLogEvent Where TimeGenerated >='20120908 17:00' and TimeGenerated < `'20120908 18]