Collecting Event logs from one or multiple comoputers using either FilterXPath or FilterHashtable. Formatting of logs is optional. Multi-threading for performance is supported.
#the users must have permission to read Event logs from computer
#query local computer for EventID 1309 for the last 7 days using pipelining
(Get-ADComputer $env:COMPUTERNAME ).Name | .\Collect-Event.ps1 -Verbose -ID 1309 -StartTime (Get-Date).AddDays(-7) -Logname application
#query Exchange mailbox servers for EventID 1309 for the last 7 days using pipelining
Get-MailboxServer | .\Collect-Event.ps1 -Verbose -ID 1309 -StartTime (Get-Date).AddDays(-7) -LogName application
#query Exchange mailbox servers for EventID 1309 for the last 7 days using multi threading and formating the output using pipelining
Get-MailboxServer | .\Collect-Event.ps1 -Verbose -ID 1309 -StartTime (Get-Date).AddDays(-7) -LogName application -MultiThread -FormatOutput
#query the first 3 EVTX files for EventIDs 1309,4999 on local computer using pipelining
Get-ChildItem C:\Windows\System32\winevt\Logs -Filter *.evtx | select -First 3 | .\Collect-Event.ps1 -Verbose -ID 1309,4999 -LogName Application
#query Application and System EVTX files for EventIDs 1309,4999 on local computer providing the files to parameter FilePath
.\Collect-Event.ps1 -Verbose -ID 1309,4999 -FilePath "C:\Windows\System32\winevt\Logs\Application.evtx","C:\Windows\System32\winevt\Logs\System.evtx"
#query Application and System log for any entries, which have a value of 4420 using XPath as filter
Get-MailboxServer | .\Collect-Event.ps1 -LogName System,Application -FilterXPath "*[EventData[Data[@Name]='4420']] or *[UserData/*/*='4420']" -Verbose -FormatOutput -MultiThread
One or multiple computers, which will be queried. Supports pipeliening. Cannot be combined with parameter FilePath
One or multiple files in EVTX format, which will be queried. Supports pipelining. Cannot be combined with parameter ComputerName.
Specifies the event logs that this cmdlet get events from. Enter the event log names in a comma-separated list. Wildcards are permitted.
One or multiple providers as filter.
One or multiple keywords as filter. As Get-WinEvent takes filter only in LONG format, I converted the numbers into names. Accepts only the following names:
AuditFailure, AuditSuccess, CorrelationHint, EventLogClassic, ResponseTime, Sqm, WdiContext, WdiDiagnostic
One or multiple EventIDs as filter.
One or multiple Evet Level as filter. As Get-WinEvent takes levels only as INT, I converted the numbers into names. Accepts only the following names:
Critical, Error, Warning, Information, Verbose
Timestamp as filter after all events will be queried.
Timestamp as filter before all events will be queried.
SID as filter.
One or multiple strings as filter.
Use XPath as filter.
Specifies the maximum number of events that this cmdlet gets. Enter an integer. The default is to return all the events in the logs or files.
Gets debug and analytic logs, in addition to other event logs. The Force parameter is required to get a debug or analytic log when the value of the name parameter includes wildcard characters.
Indicate that this cmdlet gets the events in oldest-first order. By default, events are returned in newest-first order.
Specifies a user account that has permission to perform this action. The default value is the current user.
Switch to format the result.
Format of timestamp, when using parameter FormatOutput. Default is 'yyyy-MM-dd HH:mm:ss'.
Switch to use multi threading when querying multiple computers. Only available when using parameter ComputerName
Number of threads created when using parameter MultiThread. Default is 15 and maximum value is 20.
For more information on this script, as well as usage and examples, see the related blog article on The Clueless Guy.
This project is licensed under the MIT License - see the LICENSE.md for details.