need help understanding get-winevent

by torroth at 2012-12-09 19:05:33

So here is the problem:

List the last 50 entries in the System log using Get-WinEvent
Output 2 blank lines
List the last 50 entries in the Application log using Get-EventLog, sorting by Index
Output 2 blank lines
Using pipes, list the entries in the Application log using Get-EventLog that were written/generated in the last 30 days, sorting by Index

This is what I have so far with the script:

$entries = @(Get-winevent application -newest 50 |
    Sort-Object Index)

foreach ( $element in $entries )
{
    $id = $element.Index.ToString()
    $source = $element.Source.ToString()
    $message = $element.Message.ToString()

    Write-Host "$id `t $source `t`t $message"
}
$entries2 = @(Get-EventLog system -newest 50 |
    Sort-Object Index | out-default)

foreach ( $element in $entries2 )
{
    $id = $element.Index.ToString()
    $source = $element.Source.ToString()
    $message = $element.Message.ToString()

    Write-Host "$id `t $source `t`t $message"
}


Now it seems like get-eventlog is working, but I can’t figure out how to get get-winevent to work. I’ve searched online, but I’m just not finding anything that isn’t more than what I’m looking for. I am a real newb on this stuff. Any help would be appreciated. Thanks in advance.
by DonJ at 2012-12-10 02:34:29
Can you give me an idea of your broader final goal here? I ask because you’re working a bit at cross-purposes with PowerShell; it’s not a text-based shell, and outputting formatted text like that isn’t its strongest suit. Is this data being consumed elsewhere after your script?

Also, have you looked at some of the examples in the help for Get-Event? It doesn’t use the same syntax as Get-EventLog. Take a look at http://technet.microsoft.com/en-us/libr … 49682.aspx - there’s a breakdown of the syntax and several good examples there. Get-WinEvent is definitely a little harder to use than Get-EventLog. I tend to prefer the latter if I’m getting to one of the old-style logs (Application, Security, System).

Consider dropping the Out-Default. You don’t specifically need it (like, ever), and in this case it might actually be working against you.
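To make the syntax and property differences concrete, here is an added example (my own, not code from the thread or from the cmdlet documentation) that issues the same "newest 50 Application entries" request with both cmdlets and emits objects instead of Write-Host text. It assumes a local machine where the Application log is readable by the current user.

```powershell
# Added example: the same request in both cmdlets, output as objects.

# Get-EventLog (classic logs only) takes -Newest and exposes
# Index, Source, EventID and TimeGenerated on each entry.
$classic = Get-EventLog -LogName Application -Newest 50 |
    Sort-Object Index |
    Select-Object Index, TimeGenerated, Source, EventID, Message

# Get-WinEvent takes -LogName and -MaxEvents (-Newest is not one of its
# parameters, so "Get-WinEvent application -newest 50" fails at parse time).
# Its records expose RecordId, ProviderName, Id and TimeCreated instead, so
# $element.Index on one of them is $null and .ToString() on that throws
# "You cannot call a method on a null-valued expression".
# Calculated properties rename them so both result sets look alike.
$modern = Get-WinEvent -LogName Application -MaxEvents 50 |
    Sort-Object RecordId |
    Select-Object @{Name='Index';         Expression={ $_.RecordId }},
                  @{Name='TimeGenerated'; Expression={ $_.TimeCreated }},
                  @{Name='Source';        Expression={ $_.ProviderName }},
                  @{Name='EventID';       Expression={ $_.Id }},
                  Message

# Both variables now hold objects with identical property names, so the same
# formatting, export (Export-Csv) or further filtering applies to either.
# Formatting happens only at the very end, never inside the pipeline.
$classic | Format-Table -AutoSize -Wrap
$modern  | Format-Table -AutoSize -Wrap
```

Keeping the data as objects until the last line is what makes a later Export-Csv or Where-Object trivial; a Write-Host string with tabs in it cannot be filtered or sorted again.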
by torroth at 2012-12-10 03:31:21
Well, as I said, this is what I am trying to do:

List the last 50 entries in the System log using Get-WinEvent
Output 2 blank lines
List the last 50 entries in the Application log using Get-EventLog, sorting by Index
Output 2 blank lines
Using pipes, list the entries in the Application log using Get-EventLog that were written/generated in the last 30 days, sorting by Index

I have to use get-winevent. I’ve looked at this site http://technet.microsoft.com/en-us/libr … 49682.aspx but I have no idea which one to use to access the application logs.
by nohandle at 2012-12-11 07:06:10
Ok, I am gonna just output to the screen with fewer events and order by ID because I am not sure what you are referring to as index.
Get-winevent -LogName 'System' -MaxEvents 1
"`n"
Get-winevent -LogName 'Application' -MaxEvents 1 | Sort-Object Id
"`n"
$filter = [xml]@'
<QueryList>
<Query Id="0" Path="Application">
<Select Path="Application">*[System[TimeCreated[timediff(@SystemTime) &lt;= 3600000]]]</Select>
</Query>
</QueryList>
'@
Get-winevent -FilterXML $filter | Sort-Object Id

The filter was created in the Event Viewer GUI (or Computer Management); I just switched to the XML tab and copied it. A fast and easy way to filter logs with get-winevent.

I am not sure what you are planning to do with the output, so I didn’t implement any saving of the output to a file, variable or something.

I can use the max events because the events are returned from the newest to the oldest. So max events 50 gives you the 50 newest ones.
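Putting the pieces of the thread together, here is an added example (my own, not nohandle's or torroth's code) of the full three-step assignment as one script, with the 30-day window shown three ways: a Where-Object pipe on Get-EventLog as the assignment asks, a Get-WinEvent -FilterHashtable, and the XML query from the post above widened from one hour to 30 days. The $Days parameter and the column choices are my assumptions; the script is meant to be saved as a .ps1 and run on a local machine.

```powershell
# Added example: the three steps of the assignment in one script.
param([int]$Days = 30)   # assumed parameter; the assignment fixes it at 30

# Step 1: last 50 System entries with Get-WinEvent. -MaxEvents hands back the
# newest records first, so "newest 50" needs no extra sorting or -Newest.
Get-WinEvent -LogName System -MaxEvents 50 |
    Format-Table RecordId, TimeCreated, ProviderName, Id, Message -AutoSize -Wrap

# Two blank lines: each empty string is written on its own line.
''
''

# Step 2: last 50 Application entries with Get-EventLog, sorted by Index.
Get-EventLog -LogName Application -Newest 50 |
    Sort-Object Index |
    Format-Table Index, TimeGenerated, Source, EventID, Message -AutoSize -Wrap

''
''

# Step 3: Application entries from the last $Days days, using only pipes.
# (Get-EventLog -LogName Application -After $since gives the same result
# without the Where-Object, but the assignment asks for the pipe.)
$since = (Get-Date).AddDays(-$Days)
Get-EventLog -LogName Application |
    Where-Object { $_.TimeGenerated -ge $since } |
    Sort-Object Index |
    Format-Table Index, TimeGenerated, Source, EventID, Message -AutoSize -Wrap

# The same window with Get-WinEvent. -FilterHashtable filters inside the
# event log service before records are materialised, which matters on a
# large log; -ErrorAction handles the "No events were found" error that
# Get-WinEvent raises when the window is empty.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Sort-Object RecordId

# And the XML form from the post above. timediff() compares milliseconds, so
# 3600000 was one hour; 30 days is 2592000000, which overflows [int32], hence
# the [int64] cast. A double-quoted here-string is used so $ms expands while
# @SystemTime and &lt;= stay literal (only $ triggers expansion).
$ms = [int64]$Days * 24 * 60 * 60 * 1000
$filter = [xml]@"
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[TimeCreated[timediff(@SystemTime) &lt;= $ms]]]</Select>
  </Query>
</QueryList>
"@
Get-WinEvent -FilterXml $filter -ErrorAction SilentlyContinue |
    Sort-Object RecordId
```

Of the three filters, the hashtable and XML forms are the ones worth keeping for real log review: they push the time predicate into the event log service, so a 30-day query over a busy Application log returns in seconds instead of reading every record into PowerShell first and discarding most of them in Where-Object.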