'Get-WinEvent' in PowerShell 2, when combined with ETL on Windows 7, allows exceptional event log queries. This function builds an array of all event logs and returns every record created in the last N days (here N is 1, the argument); the caller then sorts the records by 'time created':
function global:LatestLogEntries
{
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true,ValueFromPipeline=$true)]
        [int32] $param1,
        # Declaring the preference variable as a parameter sets it for this function's scope only,
        # so logs that are empty or not readable are skipped instead of raising errors
        [string] $ErrorActionPreference="silentlycontinue"
    )
    # Every log registered on the machine, including empty ones
    $LogNames = (Get-WinEvent -ListLog *)
    # Start of the window: now minus the number of days requested
    $goback = (Get-Date) - (New-TimeSpan -Days $param1)
    # StartTime in the hashtable is applied by the event log service, so only records in the window are returned
    $LogNames | % {Get-WinEvent -FilterHashtable @{LogName=$_.LogName; StartTime=$goback}}
}
LatestLogEntries 1 | sort -descending -property TimeCreated | ft -auto TimeCreated,LogName,ProviderName,RecordID,Message | more
There are over six hundred providers shipped with Windows 7. This function selects the providers whose names suggest relevance to Network, Security, and IP, retrieves up to the specified maximum number of entries from each, and lets the administrator sort the result by 'time created':
function global:NetSecIP_Entries
{
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true,ValueFromPipeline=$true)]
        [int32] $param1,
        # Scoped to this function: providers that have written no events raise an error otherwise
        [string] $ErrorActionPreference="silentlycontinue"
    )
    $Providers = Get-WinEvent -ListProvider *
    # Case-sensitive match on the provider name, the same selection that findstr "Network Sec IP" makes
    # (e.g. "Microsoft-Windows-Security-Auditing", "Microsoft-Windows-TCPIP"), without the external process
    $NetworkSecIP_Providers = $Providers | % {$_.Name} | Where-Object { $_ -cmatch "Network|Sec|IP" }
    # Newest $param1 entries from each selected provider
    foreach ($provider_message in $NetworkSecIP_Providers) {Get-WinEvent -MaxEvents $param1 -ProviderName $provider_message}
}
NetSecIP_Entries 20 | sort -descending -property TimeCreated | ft -auto TimeCreated,LogName,ProviderName,RecordID,Message | more
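The two functions above can be combined: the provider selection of NetSecIP_Entries with the time window of LatestLogEntries, passing both the provider name and the start time in the FilterHashtable so the event log service does the filtering rather than the pipeline. This is an added example, not code from the original post; the function name, parameter names and the 50-per-provider default are my own choices.

```powershell
# Added example (not from the original post): provider filter plus time window.
function global:ProviderEntriesSince
{
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true)]
        [string] $NamePattern,            # case-sensitive regex tested against provider names
        [Parameter(Mandatory=$true)]
        [int32]  $Days,                   # how far back to look
        [int32]  $MaxPerProvider = 50     # cap per provider, newest first
    )
    $since = (Get-Date) - (New-TimeSpan -Days $Days)
    # Provider names only; -cmatch keeps the case-sensitive behaviour of findstr
    $names = Get-WinEvent -ListProvider * -ErrorAction SilentlyContinue |
             Where-Object { $_.Name -cmatch $NamePattern } |
             ForEach-Object { $_.Name }
    foreach ($name in $names) {
        # ProviderName and StartTime both go in the hashtable, so only records
        # inside the window are read from disk. Providers that wrote nothing in
        # the window raise "No events were found"; SilentlyContinue drops that
        # error and moves on to the next provider.
        $filter = @{ProviderName=$name; StartTime=$since}
        Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxPerProvider -ErrorAction SilentlyContinue
    }
}

# Same selection as NetSecIP_Entries, limited to the last day, newest first
ProviderEntriesSince 'Network|Sec|IP' 1 |
    Sort-Object -Descending -Property TimeCreated |
    Format-Table -AutoSize TimeCreated,LevelDisplayName,ProviderName,Id,Message

# Which providers were most active in that window: a quick triage view
ProviderEntriesSince 'Network|Sec|IP' 1 |
    Group-Object ProviderName |
    Sort-Object -Descending Count |
    Format-Table -AutoSize Count,Name
```

Reading the Security log (and so Microsoft-Windows-Security-Auditing events) requires an elevated session or membership in the Event Log Readers group. In a non-elevated session those records are simply absent from the output, because the access-denied error is suppressed along with the others.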