PowerShell/Event Logs

This lesson introduces PowerShell event log processing.

Objectives and Skills
After completing this lesson, you will be able to:
 * Describe basic PowerShell event concepts.
 * Create PowerShell scripts to process events.

Readings

 * 1)  Event Viewer
 * 2) Microsoft Support: How to View and Manage Event Logs in Event Viewer
 * 3) BonusBits: Mastering PowerShell Chapter 17 - Processes, Services, Event Logs

Multimedia

 * 1) YouTube: Manage Event Logs From The Event Viewer to Find Windows 7 Related Problems
 * 2) YouTube: How to look for Unexpected Shutdown/User Restarts/BSOD using powershell and get-eventlog

Get-EventLog
The Get-EventLog cmdlet gets events and event logs on local and remote computers. Get-EventLog works only on classic event logs. To get events from logs that use the Windows Event Log technology in Windows Vista and later versions of Windows, use Get-WinEvent.

Get-WinEvent
The Get-WinEvent cmdlet gets events from event logs, including classic logs, such as the System and Application logs, and the event logs that are generated by the Windows Event Log technology introduced in Windows Vista.

Selecting Event Properties
The Select-Object cmdlet may be used to select specific event properties, and rename them as desired.

New-EventLog
The New-EventLog cmdlet creates a new classic event log on a local or remote computer. It can also register an event source that writes to the new log or to an existing log.

Write-EventLog
The Write-EventLog cmdlet writes an event to an event log.

Show-EventLog
The Show-EventLog cmdlet opens Event Viewer on the local computer and displays in it all of the classic event logs on the local computer or a remote computer.

Limit-EventLog
The Limit-EventLog cmdlet sets the maximum size of a classic event log, how long each event must be retained, and what happens when the log reaches its maximum size.

Clear-EventLog
The Clear-EventLog cmdlet deletes all of the entries from the specified event logs on the local computer or on remote computers.

Remove-EventLog
The Remove-EventLog cmdlet deletes an event log file from a local or remote computer and unregisters all of its event sources for the log. CAUTION: This cmdlet can delete operating system event logs, which might result in application failures and unexpected system behavior.

Activities

 * 1) Review Microsoft TechNet: Processing Event Logs in PowerShell. Create a script that uses Get-WinEvent to retrieve Windows events:
 * 2) * Filter events to select both warning and error events (levels 2 and 3) for the previous 24 hours (1 day).
 * 3) * Use Format-List * to see all available event properties and their default names. For the script, select only the properties for Level, Time, Source, Event, Task, and Message and label them accordingly.
 * 4) * Use Sort-Object to sort the events in ascending order by time.
 * 5) * Use Format-List to format the events as a list and then use Out-String to format the output so that it does not exceed 100 characters in width.
 * 6) Review Microsoft TechNet: Use PowerShell to Create and to Use a New Event Log and How to Use PowerShell to Write to Event Logs. Create a script that uses a new event log:
 * 7) * Use New-EventLog to create a new event log and event source.
 * 8) * Use Write-EventLog to add an event to the new event log.
 * 9) * Use Limit-EventLog to limit the size of the new event log to 1MB.
 * 10) * Use Show-EventLog to view the new log and event in the Event Viewer. View properties for the log to verify the size limit.
 * 11) Review Microsoft TechNet: PowerShell.exe Command-Line Help and Microsoft TechNet: Trigger a PowerShell Script from a Windows Event. Create a script that responds to an event:
 * 12) * Create a new script with a single line of Show-EventLog. Save the file with a simple path and filename, such as c:\Events.ps1.
 * 13) * Run the Events.ps1 script to verify that it opens the Event Viewer. View the new log and event in the Event Viewer.
 * 14) * In Event Viewer use Attach Task to This Event to start PowerShell.exe with the arguments -file C:\Events.ps1 to run your script when the event occurs.
 * 15) * Open Task Scheduler and confirm that your task has been added to Event Viewer Tasks in the Task Scheduler Library.
 * 16) * Close Event Viewer.
 * 17) * Use Write-Event to add the same event to the event log again. Confirm that the event causes Event Viewer to be displayed.
 * 18) * Use Clear-EventLog to clear the event log. Refresh the view in Event Viewer to confirm that the log was cleared.
 * 19) * Use Remove-EventLog to remove the event log. Be sure to use the -Confirm option to confirm which log is being removed, and then refresh the view in Event Viewer to confirm that the log was removed.
 * 20) * Clean up by using Task Scheduler to delete the Event Viewer Task and using Windows Explorer to delete the C:\Events.ps1 script file.

Lesson Summary

 * Event Viewer lets administrators and users view the event logs on a local or remote Windows computer.
 * Applications and operating-system components can use the centralized event log service to report events that have taken place.
 * Event logs can be remotely viewed from other computers and multiple event logs can be centrally logged and monitored agentlessly and managed from a single computer.
 * Events can also be directly associated with tasks, which run in the Task Scheduler and trigger automated actions when particular events take place.
 * The Get-EventLog cmdlet gets events and event logs on local and remote computers. Get-EventLog works only on classic event logs. To get events from logs that use the Windows Event Log technology in Windows Vista and later versions of Windows, use Get-WinEvent.
 * The Get-WinEvent cmdlet gets events from event logs, including classic logs, such as the System and Application logs, and the event logs that are generated by the Windows Event Log technology introduced in Windows Vista.
 * The Select-Object cmdlet may be used to select specific event properties, and rename them as desired.
 * The New-EventLog cmdlet creates a new classic event log on a local or remote computer. It can also register an event source that writes to the new log or to an existing log.
 * The Write-EventLog cmdlet writes an event to an event log.
 * The Show-EventLog cmdlet opens Event Viewer on the local computer and displays in it all of the classic event logs on the local computer or a remote computer.
 * The Limit-EventLog cmdlet sets the maximum size of a classic event log, how long each event must be retained, and what happens when the log reaches its maximum size.
 * The Clear-EventLog cmdlet deletes all of the entries from the specified event logs on the local computer or on remote computers.
 * The Remove-EventLog cmdlet deletes an event log file from a local or remote computer and unregisters all of its event sources for the log.
 * The PowerShell.exe command-line parameter -File runs the specified script.

Key Terms

 * Task Scheduler
 * A component of Microsoft Windows that provides the ability to schedule the launch of programs or scripts at pre-defined times or after specified time intervals.

Assessments

 * Flashcards: Quizlet: Windows PowerShell - Event Logs
 * Quiz: Quizlet: Windows PowerShell - Event Logs