Accessing specific event logs on a remote server

An old friend and classmate of mine, Zahid Faisal, wanted to know how to access/read event logs on a remote server using Windows PowerShell. I thought it was an interesting challenge, so after some research and playing around I found that you can do it from PowerShell with the .NET System.Diagnostics.EventLog class (not WMI: the class talks to the remote machine's classic event log service directly, so no WMI namespace is involved).

Follow along to try it out:

1. Open PowerShell and type in the following:

PS C:\> $logs = [System.Diagnostics.EventLog]::GetEventLogs('servername')

GetEventLogs is a static method of the EventLog class. It accepts a machine name as an argument and returns an array of EventLog objects, one for each log that exists on that machine. This is exactly what we're looking for.

2. If the command did not return any errors, continue with the following:

PS C:\> $logs[0]

You should get something like this:

Max(K) Retain OverflowAction        Entries Name
------ ------ --------------        ------- ----
10,240      0 OverwriteAsNeeded         838 Application

$logs is an array holding one EventLog object per log on the server, and [0] picks the first element, which in this case is the Application log. The order of the array is not guaranteed, so check the Name column (or select the log by its .Log property) rather than assuming index 0 is always Application.

3. Next, the bread-and-butter – filtering:

PS C:\> $recent = (Get-Date).AddDays(-1)

PS C:\> $logs[0].Entries | Where-Object `

>> {($_.Source -eq "Orion") -AND ($_.TimeWritten -ge $recent)}

>>

By piping the entries through Where-Object, we're able to filter for exactly what we're looking for. In Zahid's case, he wanted to grab the most recent logs that are only related to "Orion", so $recent is set to a cutoff time first (one day back in the example above) and the filter keeps entries from that source written at or after it. Note that .Entries is enumerated on the client side, so on a large log every record is read across the network before the filter runs.

Take note that this will only work if you're an administrator on the remote server (on Vista/Server 2008 and later, membership in the server's local Event Log Readers group is also enough to read), and the remote machine has to accept the connection, i.e. its firewall must allow the Remote Event Log Management rule group. The EventLog class only sees the classic logs (Application, System, Security and the like); the newer Microsoft-Windows-*/Operational channels need Get-WinEvent instead.
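Putting the three steps together, here is an added example script (not the original post's code) that selects the log by name instead of by array position, walks the entries from the newest end so the cutoff stops the enumeration early, and then shows the same query done server-side with Get-WinEvent. The server name 'servername' and the source 'Orion' are the placeholders from the post; the script assumes you have administrator (or Event Log Readers) rights on the target and that its event log RPC interface is reachable.

```powershell
# Added example, not the post's own code. Pulls recent entries for one event
# source from a remote machine's classic Application log, then shows the
# server-side filtered equivalent with Get-WinEvent.
# Assumptions: 'servername' and 'Orion' are placeholders taken from the post;
# the caller is an administrator on the target (or a member of its
# Event Log Readers group) and the remote event log RPC path is reachable.
param(
    [string]$ComputerName  = 'servername',
    [string]$LogName       = 'Application',
    [string]$Source        = 'Orion',
    [int]   $LookbackHours = 24
)

$recent = (Get-Date).AddHours(-$LookbackHours)

function Get-RecentSourceEntries {
    param([string]$Computer, [string]$Log, [string]$SourceName, [datetime]$Since)

    # Select the log by name rather than by position in the array that
    # GetEventLogs() returns; the order is not something to rely on.
    $eventLog = [System.Diagnostics.EventLog]::GetEventLogs($Computer) |
                Where-Object { $_.Log -eq $Log }
    if (-not $eventLog) { throw "Log '$Log' not found on $Computer" }

    # .Entries is fetched to the client, so piping the whole collection to
    # Where-Object reads every record over the network. Entries are stored
    # oldest-first, so walk from the newest end and stop at the cutoff.
    $entries = $eventLog.Entries
    $hits = New-Object System.Collections.Generic.List[object]
    for ($i = $entries.Count - 1; $i -ge 0; $i--) {
        $entry = $entries[$i]
        if ($entry.TimeWritten -lt $Since) { break }
        if ($entry.Source -eq $SourceName) { $hits.Add($entry) }
    }
    $hits | Sort-Object TimeWritten
}

Get-RecentSourceEntries -Computer $ComputerName -Log $LogName `
                        -SourceName $Source -Since $recent |
    Select-Object TimeWritten, EntryType, InstanceId, Source, Message |
    Format-Table -AutoSize -Wrap

# Server-side alternative: Get-WinEvent (Vista / Server 2008 and later) applies
# the filter on the remote machine and also reaches the Microsoft-Windows-*
# channels that the classic EventLog class cannot see. It writes an error,
# rather than returning nothing, when no event matches, hence the -ErrorAction.
Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName      = $LogName
    ProviderName = $Source
    StartTime    = $recent
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message
```

Save it as a .ps1 and run it with -ComputerName and -Source set to your real server and event source. The backwards walk relies on entries being written in chronological order, which holds unless the server's clock was set back; if you need every match regardless, drop the break and let the loop read the whole log.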

Hope this helps. =0)
