Partager via


PowerShell–Script to export events to screen and/or to a CSV file from one or multiple machines

*** UPDATE *** Added a GUI wrapped around this script - you can check it out here ...

Type the following to see the latest examples:

 Get-Help .\Get-EventsFromEventLogs.ps1 –Examples

Type the following to see the full help:

 Get-Help .\Get-EventsFromEventLogs.ps1 –Full

 

Hi all !

Today I’ll give you a script that exports the events of your choice (you chose one or more Event IDs you want to export or one or more Event Sources), from one or multiple computers or servers. In this script I am also fixing events which description has carriage returns to ease up the Excel processing as I noticed when exporting Event logs as CSV from the Windows Event Viewer, events which descriptions had carriage returns were spanned across several Excel rows.

By default, the script will only output the events found on screen. You must specify the –ExportToFile switch to export the events found on a CSV file. This CSV file will be located in the same directory where the script is located, and will be formatted like the below - it will have the name or number of the first event D or source that you are searching the logs for:

 GetEventsFromEventLogs_EventIDorEventSource_Year-MONTH-DAY-Hour-Minute-Second.csv

- Example:

Launching

 .\Get-EventsFromEventLogs.ps1 -Computers Server01,Server02 -EventLevel Error,Critical –ExportToFile

got me the below file - with before the date the first event ID I was looking for:

 GetEventsFromEventLogs_916_2018-04-13-09-52-08.csv

Located on the same directory where my script is …

- Other Example of the script’s full execution:

 .\Get-EventsFromEventLogs.ps1 -Computers $(Get-ExchangeServer) –EventLogName Application -EventSource "MSExchange ADAccess","MSExchangeADTopology" -NumberOfLastEventsToGet 30 -EventLevel Warning,Error -ExportToFile

Note here that I am passing in the –Computers parameter all my Exchange Mailbox servers by using $(Get-MailboxServer) to check all my Exchange servers => in order for this to work, you must execute the script from an Exchange Management Shell-enabled PowerShell session – otherwise, you can specify a list of computers ( -Computers EX01,EX02) or get a list of computer from a file ( -Computer $(Get-Content C:\temp\MyServers.txt) )

First, I will get the confirmation of the options of the script and I am asked to validate to continue:

Then it will run and show me what it’s doing:

Note that it searches on all computers I specified, displays warnings and errors (30 last events for each machine, as I specified in the script's –NumberOfLastEventsToGet parameter) from the 2 servers I have in my environment…

Also Note the summary of all the events found globally at the end of the script.

And finally note how quick it is to search and dump our events ! About half a second !

And as it finishes, it opens me the file in a NOTEPAD because I specified the –ExportToFile switch on the script launch:

You can also open the file (or copy/paste the Notepad content) with Excel for filtering, analyzing, correlating, reporting, etc…

 

Here are the switches you can use:

  -Computers < Object> 

=> where <Object> default = local computer, you can specify list of computers, strings separated by commas like -Computers “Server1”, “Server2”,”Server3” or get the computers from a list like -Computers $(Get-Content C:\temp\myservers.txt) or get the computers from a variable that contains a list of Exchange servers, etc…

I tried the below on my Exchange 2013 environment :

 .\Get-EventsFrom.ps1  -Computers $(Get-MailboxServer)  -EventIDToCheck 2142 -EventLogName Application -ExportToFile

And it got my last 30 events with Event ID 2142 from all my Exchange servers of my environment !

  -EventLogName < Object> 

=> where <Object> default = Application and System logs, you can specify the Application LOG only ( -EventLogName Application) or specify several event log types separated by commas ( -EventLogName Application,  System, Security

There is a defined set of Event Log Names that you can use, you can cycle through the valid values for this parameter by hitting <TAB>  after you specify the –EventLogName parameter, and event hitting <TAB> for multiple values will cycle through each possible Event Log Name value. I love that PowerShell parameter validation functionality ! <3

  -EventLevel <Level> 

Level must be Information, Warning, Error, and/or Critical. You can specify multiple events type, by separating with commas, like:

 .\Get-EventsFromEventLogs -EventLevel Warning,Error -ComputerName Computer01,Computer02

If you don't specify anything, all event types will be gathered (by default the first 30 events from each computer)

-EventSource <String>

This can be any source which Event you wish to dump. Example if you are looking for potential warnings and/or errors in Outlook from the local workstation you would use the below :

 .\Get-EventsFromEventLogs -EventLevel Warning,Error -EventSource Outlook

 

  -EventID < Object> 

=> where <Object> default = “All” , if you don’t specify it, the script will search for all Event IDs, and if you want you can specify a list of IDs to search for or to check : just enter each Event ID separated by commas (like -EventID 1220,2020,605)

  -EventSource <Object> 

=> where <Object> default = “All” , if you don't specify this parameter, the script will search for all Event Sources, and you can also specify a source name like -EventSource Outlook (no need for the quotes) or several source names like -EventSource Outlook, Disk  

  -EventLevel <Object> 

=> where <Object> default = “All” , if you don't specify this parameter, the script will search all Levels (Info, Warning, Errors, Critical, …)

You can specify an event level like -EventLevel Error or several levels like -EventLevel Warning, Error  

There is a defined set of event level you can use, you can cycle through the valid values for this parameter by hitting “TAB” after you specify the –EventLevel parameter.

Possible values are: "All" (default),"Information","Warning","Error","Critical", "Verbose"…

    -NumberOfLastEventsToGet <Int32>   

=> where <Int32> default = 30, and this will dump the 30 or less (if the event log has less, it will dump all of these)

  -ExportToFile [<SwitchParameter>] 

=> if you don’t specify -ExportToFile the script will just dump the events into screen. If you specify it, it will dump the event into a CSV file for easy parsing in Excel !

To check the full help of the script, type

 get-help .\Get-EventsFromEventLogs.ps1 -Full

To check the examples only type:

 get-help .\Get-EventsFromEventLogs.ps1 -Examples

Click here to get to the Download Link on TechNet Gallery

 

Here is the dump of the Examples:

 

 NAME
 C:\Users\SammyKrosoft\documents\Github\Powershell\Get-EventsFromEventLog\Get-EventsFromEventLogs.ps1
 
SYNOPSIS
 Searches and Get specific events from any computer, local or remote, or from a computer list.
 
 
 -------------------------- EXAMPLE 1 --------------------------
 
 PS C:\>.\Get-EventsFromEventLogs.ps1
 
 Launching the script without options will :
 - Ask you which event(s) you wish to search for (separated by commas if you want multiple event IDs to search)
 - Search the local computer
 - Search the Application and System logs
 - Get 30 events of the type specified
 
  
 
 -------------------------- EXAMPLE 2 --------------------------
 
 PS C:\>.\Get-EventsFromEventLogs.ps1 -Computers MyServers -EventLevel Error
 
 This will collect the Error events (the last 30 errors by default) from the computer named MyServers. 
 It won't store it into a file as we didn't call the "-ExportToFile" parameter, just dump into the screen
 to have an idea if your server is okay or if it's full of errors
 
  
 
 -------------------------- EXAMPLE 3 --------------------------
 
 PS C:\>.\Get-EventsFromEventLogs.ps1 -Computers SRV-EX-01,SRV-EX-02,SRV-EX-03 -EventLevel Error -ExportToFile
 
 This will collect the Warning, Error, Critical events on computers SRV-EX-01, 02 and 03. The results
 will be dumped into a file labelled GetEventsFromEventLogs-Date-time.csv as we specified the
 ExportToFile parameter.
 Note that the computers list can come from a txt file as well (see next example)
 
  
 
 -------------------------- EXAMPLE 4 --------------------------
 
 PS C:\>.\Get-EventsFromEventsLogs.ps1 -Computers $(Get-Content .\ServersList.txt) -EventLevel Error,Critical -ExportToFile
 
 This will collect Error and Critical events on computers list defined in the "ServersList.txt" file on the current 
 directory from where you launched the script (.\ refers to the current user directory, NOT the directory where the
 script is) and store it into a file.
  
 
 
 -------------------------- EXAMPLE 5 --------------------------
 
 PS C:\>.\Get-EventsFromEventLogs.ps1 -NumberOfLastEventsToGet 10 -EventID 916,105 -ExportToFile
 
 - Search for the 10 last events (-NumberOfLastEventsToGet 10) 
 - Search for event IDs 916 and 105
 - As no Event Log name (Application, System, Security, etc...) were specified, 
 the script will look inside the Application AND System logs by default.
 - We asked the script to look for Event IDs 916 and 105 (-EventID 916, 105)
 
 The exported file will be named GetEventsFromEventLogs_916-105_2018-04-13-10-01-55.csv
 as I ran the script on 13th April 2018 at 10h01 and 55 seconds in the morning.
  
 
 
 -------------------------- EXAMPLE 6 --------------------------
 
 PS C:\>.\Get-EventsFromEventLogs.ps1 -NumberOfLastEventsToGet 30 -EventID 26 -EventLogName Application
 
 - Search for the last 30 events (-NumberOfLastEventsToGet 30)
 - Search for Event ID 26 only
 - Search in the Application Log only
 - We don't output any file, just print the results on the screen
 
  
 
 -------------------------- EXAMPLE 7 --------------------------
 
 PS C:\>.\Get-EventsFromEventLogs.ps1 -EventSource "Outlook"
 
 - Search all events generated by the "Outlook" application (all Event IDs, all Level (Info, Warning, etc...))
 - Search in Application and System (because I didn't specify which event log)
 - Search the last 30 events of type "Outlook" - if there are less, it will just print less
 - We don't output any file because I didn't specify the -ExportToFile parameter
 
 MachineName LogName TimeCreated LevelDisplayName Id Message
 ----------- ------- ----------- ---------------- -- -------
 12345678901 Application 4/13/2018 11:57:06 AM Information 63 La demande de service web Exchange GetAppManifestssuccède à.</0w>
 12345678901 Application 4/13/2018 7:57:00 AM Information 63 La demande de service web Exchange GetAppManifestssuccède à.</0w>
 12345678901 Application 4/13/2018 7:56:59 AM Information 63 Outlook a détecté une notification de modification pour vos applications et va t...
 12345678901 Application 4/13/2018 7:56:55 AM Information 45 Outlook a chargé le(s) complément(s) suivant(s) :...
  
 
 
 -------------------------- EXAMPLE 8 --------------------------
 
 PS C:\>.\Get-EventsFromEventLogs.ps1 -EventSource "disk","Outlook" -EventLevel Warning -NumberOfLastEventsToGet 1000
 
 - Search all events which source are "Disk" and "Outlook"
 - Search only "Warning" events of the above defined sources
 - All Event IDs of these (because I didn't specify any ID to filter)
 - Get the 1000 last events of the above criteria
 - didn't specify the -ExportToFile so will just display to screen
  
 
 
 -------------------------- EXAMPLE 9 --------------------------
 
 PS C:\>.\Get-EventsFromEventLogs.ps1 -EventSource "disk" -NumberOfLastEventsToGet 1000 -EventLevel Critical,Warning,Error -ExportToFile
 
 - Search all events about the "disk"
 - Search only Critical, Warning and Error events
 - Search the 1000 last events about the above criteria
 - Export into a file (like GetEventsFromEventLogs_None_2018-04-14-04-34-27.csv)

 

 

Download link (same as above)

Try it and let me know your thoughts !

Cheers

Sam

Comments

  • Anonymous
    March 27, 2019
    Fantastic PowerShell script! Feature request, add in a parameter to pull the last x number of hours or days that match the parameters instead of a count of events.