These are more advanced event queries than my last post. Creating queries as psobject properties improves query speeds.More intra-message searches as calculated properties are included below.
$Elements=New-Object PSObject -Property @{
Security_515X=get-winevent -ea 0 -max 50000 -filterhashtable @{logname='Security';ID=@(5156..5158)}
System=get-winevent -ea 0 -max 10000 -filterhashtable @{logname='System'}
Application=get-winevent -ea 0 -max 10000 -filterhashtable @{logname='Application'}
}
if ($All_Events) {rv -ea 0 All_Events}
$global:Events= foreach ($element in $Elements) {$element}
[array]$HAElements="Security_515X","System","Application"
foreach ($element in $HAElements){$All_Events+=$Events.$element}
$a=$All_Events | Sort -desc -property TimeCreated
Saturday, August 25, 2012
Wednesday, August 22, 2012
Thrashing memory with queries...(Part I)
These are some event log search queries. They all trash my memory in any Powershell session.
I have written them down for some reason. Probably so I can evolve more elegant solutions to such queries in the future.
foreach ($i in @("a","b","c","d","e")) {if ($i) {rv -ea 0 $i}}
$start=(get-winevent -log security -max 1).TimeCreated
$a=(get-winevent -ea 0 -max 50000 -filterhashtable @{logname='Security';ID=@(5156..5158)})
$c=(get-winevent -ea 0 -log System -max 10000) | Select TimeCreated,ProcessID,ThreadID,Message
$d=(get-winevent -ea 0 -log Application -max 10000) | Select TimeCreated,ProviderName,Message
$b=$a | Select TimeCreated,ProcessID,ThreadID, `
@{Name="Port";Expression={($_.Message | findstr /C:"Source Port:").replace("Source Port:"," ")}}, `
@{Name="Application";Expression={($_.Message | findstr /C:"Application Name:").replace("Application Name:"," ")}}
$e=@()
$e=($b + $c + $d) | sort -desc -property TimeCreated
$a.count;$b.count;$c.count;$d.count;$e.count
$e | ft -auto -wrap TimeCreated,Application,ProcessID,ThreadID,Port,Message
Subscribe to:
Posts (Atom)