Who would have thought log searching, one of the most soul-crushing activities, could be scripted? You’ll never click “Clear Log” instead of “Clear Filter” in the GUI again!
Log Searching Syntax
There are a lot of ways to do this that vary slightly from each other. The least confusing way I can think of to note this is by adding a number to each unique parameter, then listing which additional parameters are compatible with it. So the parameter -ListProvider, being #8, can take the additional parameters -ComputerName, -FilterXPath, and -Credential.
Get-WinEvent
# Choose One
[[-LogName] <String[]>] # 1
[-ProviderName] <String[]> # 2
[-Path] <String[]> # 3
[-FilterHashtable] <Hashtable[]> # 4
[-FilterXml] <XmlDocument> # 5
[-ListLog] <String[]> # 7 Outputs Event log configuration
[-ListProvider] <String[]> # 8 Outputs Provider MetaData
# Additional parameters
[-MaxEvents <Int64>] # 1, 2, 3, 4, 5
[-ComputerName <String>] # 1, 7, 8, 2, 4, 5
[-Force] # 1, 7, 2, 4, 5
[-Oldest] # 1, 2, 3, 4, 5
[-FilterXPath <String>] # 1, 7, 8, 2, 3
[-Credential <PSCredential>] # 1, 7, 8, 2, 3
PowerShell itself puts no limit on the number of events queried, but the Get-WinEvent cmdlet calls the Windows API, which has a limit of 256. This can be bypassed with loops.
Valid Pairs for Log Searching Filters
If using a hash table, these are the valid key/value pairs:
- LogName=<String[]>
- ProviderName=<String[]>
- Path=<String[]>
- Keywords=<Long[]>
- ID=<Int32[]>
- Level=<Int32[]>
- StartTime=<DateTime>
- EndTime=<DateTime>
- UserID=<SID>
- Data=<String[]>
- <named-data>=<String[]>
- SuppressHashFilter=<Hashtable>
Example
Here’s how you’d count the events in every log whose name includes the string “PowerShell”, grouped by level and log.
Get-WinEvent -LogName *PowerShell* # See the events individually
Get-WinEvent -LogName *PowerShell* | Group-Object -Property LevelDisplayName, LogName -NoElement | Format-Table -AutoSize # Group them by level and log name
There are a massive number of ways this can be used. Microsoft has nearly 20 examples in their documentation.
All in all, this is an extremely powerful tool for reporting. You could pull authentication logs from a domain controller to see if bad creds are being sent out by a service account. Alternatively, you might create a script to scan for a specified event, and execute code when it happens. You’ll have to toy around with it and see what you need.
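As an added example (not from the original post), here is the domain-controller scenario above built from the hash table pairs listed earlier: a FilterHashtable with LogName, ID, StartTime, EndTime and an optional SuppressHashFilter, then a per-account summary of failed logons. The host name DC01, the lookback window and the excluded account are assumed values; event IDs 4625 (failed logon) and 4771 (Kerberos pre-authentication failed) are standard Security-log IDs.

```powershell
# Added example, not the original author's code. Counts failed logons per account and
# source address on a domain controller using a FilterHashtable. DC01, HoursBack and
# ExcludeUser are assumed values; 4625 and 4771 are real Security-log event IDs.
function Get-FailedLogonSummary {
    param(
        [string]$ComputerName = 'DC01',   # assumed host name, not from the page
        [int]$HoursBack = 24,
        [string]$ExcludeUser = ''         # e.g. a known-noisy account to leave out
    )

    $end   = Get-Date
    $start = $end.AddHours(-$HoursBack)

    # Only the valid pairs listed above; an unknown key makes Get-WinEvent error out.
    $filter = @{
        LogName   = 'Security'
        ID        = 4625, 4771
        StartTime = $start
        EndTime   = $end
    }
    # Data= matches any EventData value, so this suppresses every event whose
    # data contains the excluded account name.
    if ($ExcludeUser) { $filter['SuppressHashFilter'] = @{ Data = $ExcludeUser } }

    # "No events were found" is a non-terminating error; silence it and return an empty result.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) { return @() }

    $events | ForEach-Object {
        # Field order differs between 4625 and 4771, so read fields by name from the event XML.
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Account = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            Source  = ($data | Where-Object Name -eq 'IpAddress').'#text'
            ID      = $_.Id
        }
    } |
        Group-Object Account, Source |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Account'; e = { $_.Group[0].Account } },
            @{ n = 'Source';  e = { $_.Group[0].Source } }
}

# Usage: accounts with the most failed logons in the last 24 hours, most frequent first.
Get-FailedLogonSummary -ComputerName 'DC01' -HoursBack 24 | Format-Table -AutoSize
```

Running this against a DC needs remote event log access (the Remote Event Log Management firewall rule and read rights on the Security log); a service account spraying bad credentials shows up as one Account/Source pair with a high Count.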