How to filter the event log more efficiently
Often we need to dig into an event for details that are not exposed through the default fields. For example, the event below carries much more information than Event Viewer shows in its summary:
Log Name: Microsoft-Windows-GroupPolicy/Operational
Source: Microsoft-Windows-GroupPolicy
Date: 5/27/2013 2:08:57 PM
Event ID: 7004
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: PC1.fabrikam.com
Description:
Manual processing of policy failed for computer fabrikam\PC1$ in 243 seconds.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
<EventID>7004</EventID>
<Version>1</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>2</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2013-05-27T02:08:57.106317800Z" />
<EventRecordID>138644</EventRecordID>
<Correlation ActivityID="{2B97A5FB-108B-4FDB-BCC8-A85AE40C1E42}" />
<Execution ProcessID="640" ThreadID="3040" />
<Channel>Microsoft-Windows-GroupPolicy/Operational</Channel>
<Computer>PC1.fabrikam.com</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="PolicyElaspedTimeInSeconds">243</Data>
<Data Name="ErrorCode">1053</Data>
<Data Name="PrincipalSamName">FABRIKAM\PC1$</Data>
<Data Name="IsMachine">1</Data>
<Data Name="IsConnectivityFailure">false</Data>
</EventData>
</Event>
A simple filter for critical, error and warning events (Level 1, 2 and 3) from this provider looks like this:
PS C:\WINDOWS\system32> $query = @"
<QueryList>
<Query Id="0" Path="Microsoft-Windows-GroupPolicy/Operational">
<Select Path="Microsoft-Windows-GroupPolicy/Operational">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
</Query>
</QueryList>
"@
PS C:\WINDOWS\system32> Get-WinEvent -FilterXml $query
ProviderName: Microsoft-Windows-GroupPolicy
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
5/27/2013 2:08:57 PM 7004 Error Manual processing of policy failed for computer FABRIKAM\PC1$ in 243 seconds.
5/27/2013 1:18:28 PM 7004 Error Manual processing of policy failed for computer FABRIKAM\PC1$ in 0 seconds.
5/27/2013 1:18:28 PM 7326 Error Group Policy failed to discover the Domain Controller details in 0 milliseconds.
5/27/2013 12:27:03 PM 7004 Error Manual processing of policy failed for computer FABRIKAM\PC1$ in 251 seconds.
5/27/2013 11:32:52 AM 7004 Error Manual processing of policy failed for computer FABRIKAM\PC1$ in 0 seconds.
...
Let's look at the first event and see what it exposes by default:
PS C:\WINDOWS\system32> Get-WinEvent -FilterXml $query | select -First 1 | fl *
Message : Manual processing of policy failed for computer fabrikam\pc1$ in 243 seconds.
Id : 7004
Version : 1
Qualifiers :
Level : 2
Task : 0
Opcode : 2
Keywords : 4611686018427387904
RecordId : 138644
ProviderName : Microsoft-Windows-GroupPolicy
ProviderId : aea1b4fa-97d1-45f2-a64c-4d69fffd92c9
LogName : Microsoft-Windows-GroupPolicy/Operational
ProcessId : 640
ThreadId : 3040
MachineName : pc1.fabrikam.com
UserId : S-1-5-18
TimeCreated : 5/27/2013 2:08:57 PM
ActivityId : 2b97a5fb-108b-4fdb-bcc8-a85ae40c1e42
RelatedActivityId :
ContainerLog : Microsoft-Windows-GroupPolicy/Operational
MatchedQueryIds : {}
Bookmark : System.Diagnostics.Eventing.Reader.EventBookmark
LevelDisplayName : Error
OpcodeDisplayName : Stop
TaskDisplayName :
KeywordsDisplayNames : {}
Properties : {System.Diagnostics.Eventing.Reader.EventProperty, System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty, System.Diagnostics.Eventing.Reader.EventProperty...}
Convert it to XML by casting the result of ToXml() to [xml]:
PS C:\WINDOWS\system32> [xml]$evt1 = (Get-WinEvent -FilterXml $query | select -First 1).ToXml() # Cast it with [xml]
PS C:\WINDOWS\system32> $evt1
Event
-----
Event
PS C:\WINDOWS\system32> $evt1.Event.EventData
Data
----
{PolicyElaspedTimeInSeconds, ErrorCode, PrincipalSamName, IsMachine...}
PS C:\WINDOWS\system32> $evt1.Event.EventData.Data
Name #text
---- -----
PolicyElaspedTimeInSeconds 241
ErrorCode 1053
PrincipalSamName fabrikam\pc1$
IsMachine 1
IsConnectivityFailure false
PS C:\WINDOWS\system32> $evt1.Event.System
Provider : Provider
EventID : 7004
Version : 1
Level : 2
Task : 0
Opcode : 2
Keywords : 0x4000000000000000
TimeCreated : TimeCreated
EventRecordID : 138660
Correlation : Correlation
Execution : Execution
Channel : Microsoft-Windows-GroupPolicy/Operational
Computer : pc1.fabrikam.com
Security : Security
Now we have direct access to both the System and EventData nodes, exactly as they appear in the event's XML. (The elapsed time and EventRecordID differ from the first dump because Get-WinEvent returns the newest event first and the log evidently grew between the two runs.) Suppose we want to keep only the events whose ErrorCode is 1053 and write them to a file; here is one way to do that:
PS C:\WINDOWS\system32> $file = New-Item -Name log1053.txt -Path c:\temp -Force -Type File
PS C:\WINDOWS\system32> Get-WinEvent -FilterXml $query | ForEach-Object {
    $evt = [xml]$_.ToXml()   # cast here with [xml]
    # Inside Where-Object, $_ is one <Data> element. -eq is case-insensitive, so
    # "errorcode" matches the Name attribute "ErrorCode"; '#text' is a string and
    # PowerShell converts the integer 1053 to "1053" for the comparison.
    if ($evt.Event.EventData.Data | Where-Object { $_.Name -eq "errorcode" -and $_.'#text' -eq 1053 }) {
        $_ | Format-List * | Out-File $file -Append   # $_ is the event record again here
    }
}
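The loop above pulls every critical/error/warning event over to PowerShell and then discards most of them, which is the slow part. The XPath dialect that Get-WinEvent accepts can test EventData values directly, so the filtering can be pushed into the event log service, and the same XML cast can turn the survivors into flat objects that export cleanly. The following is an added example, not code from the original post: the log name, Data names and ErrorCode 1053 are taken from the events shown on this page, the 24-hour time window, the output path C:\temp\gp-1053.csv and the helper function ConvertFrom-GpEvent are assumptions for illustration.

```powershell
# Added example, not part of the original post. Assumes the log and Data names
# shown on this page; the time window, output path and function name are
# placeholders chosen for this demonstration.
$logName   = 'Microsoft-Windows-GroupPolicy/Operational'
$errorCode = 1053
$windowMs  = 24 * 60 * 60 * 1000   # last 24 hours, in milliseconds for timediff()

# Level 1 = Critical, 2 = Error, 3 = Warning.
# XPath is case-sensitive: @Name='ErrorCode' must match the <Data Name="..."> attribute
# exactly as the provider writes it. The event log service evaluates this query, so
# only matching records are returned to PowerShell.
$query = @"
<QueryList>
  <Query Id="0" Path="$logName">
    <Select Path="$logName">
      *[System[(Level=1 or Level=2 or Level=3)
               and TimeCreated[timediff(@SystemTime) &lt;= $windowMs]]]
      and
      *[EventData[Data[@Name='ErrorCode']='$errorCode']]
    </Select>
  </Query>
</QueryList>
"@

# Flatten one EventLogRecord into a PSCustomObject: a few System fields plus every
# <Data Name="..."> value from EventData, keyed by the provider's own names
# (including its spelling 'PolicyElaspedTimeInSeconds', copied verbatim from the event).
function ConvertFrom-GpEvent {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventLogRecord]$Event
    )
    process {
        [xml]$x = $Event.ToXml()
        $props = [ordered]@{
            TimeCreated = $Event.TimeCreated
            RecordId    = $Event.RecordId
            Id          = $Event.Id
            Level       = $Event.LevelDisplayName
            Computer    = ([string]$x.Event.System.Computer).Trim()
            Message     = $Event.Message
        }
        foreach ($d in $x.Event.EventData.Data) {
            # '#text' is always a string; cast at the call site if you need numbers.
            # (The same values are also available positionally, without names, in
            # $Event.Properties[<index>].Value.)
            $props[$d.Name] = $d.'#text'
        }
        [pscustomobject]$props
    }
}

# Get-WinEvent raises a non-terminating error when nothing matches; suppress it so an
# empty result is just an empty collection.
$events = @(Get-WinEvent -FilterXml $query -ErrorAction SilentlyContinue | ConvertFrom-GpEvent)

if ($events.Count -eq 0) {
    Write-Host "No Level 1-3 events with ErrorCode $errorCode in the last 24 hours."
} else {
    $events | Export-Csv -Path 'C:\temp\gp-1053.csv' -NoTypeInformation
    $events |
        Select-Object TimeCreated, Id, ErrorCode, IsConnectivityFailure, PrincipalSamName, PolicyElaspedTimeInSeconds |
        Format-Table -AutoSize
}

# Triage view: drop the ErrorCode predicate from the XPath and group the flattened
# objects instead, to see which error codes dominate and whether they are
# connectivity failures. The substring replacement below only removes the
# EventData clause from the query built above.
$broadQuery = $query -replace "\s*and\s*\*\[EventData\[Data\[@Name='ErrorCode'\]='$errorCode'\]\]", ''
Get-WinEvent -FilterXml $broadQuery -ErrorAction SilentlyContinue |
    ConvertFrom-GpEvent |
    Group-Object Id, ErrorCode, IsConnectivityFailure |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Keep the XPath predicate on the EventData side simple: the event log's XPath subset supports equality tests on Data values and the timediff() function, but not the full XPath 1.0 library, so anything more elaborate (regular expressions, arithmetic on the values) still belongs in PowerShell after the cast. Exporting the flattened objects rather than `Format-List` text also means the ErrorCode and IsConnectivityFailure columns can be sorted and grouped later instead of being re-parsed from a text file.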
Hope this is helpful.