How to filter the event log more efficiently.

Often we need to dig into event log data that is not exposed through the default fields. For example, the event below carries much more information than the event log viewer displays in its summary.

 

Log Name:      Microsoft-Windows-GroupPolicy/Operational

Source:        Microsoft-Windows-GroupPolicy

Date:          5/27/2013 2:08:57 PM

Event ID:      7004

Task Category: None

Level:         Error

Keywords:     

User:          SYSTEM

Computer:      PC1.fabrikam.com

Description:

Manual processing of policy failed for computer fabrikam\PC1$ in 243 seconds.

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
    <EventID>7004</EventID>
    <Version>1</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>2</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2013-05-27T02:08:57.106317800Z" />
    <EventRecordID>138644</EventRecordID>
    <Correlation ActivityID="{2B97A5FB-108B-4FDB-BCC8-A85AE40C1E42}" />
    <Execution ProcessID="640" ThreadID="3040" />
    <Channel>Microsoft-Windows-GroupPolicy/Operational</Channel>
    <Computer>PC1.fabrikam.com</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="PolicyElaspedTimeInSeconds">243</Data>
    <Data Name="ErrorCode">1053</Data>
    <Data Name="PrincipalSamName">FABRIKAM\PC1$</Data>
    <Data Name="IsMachine">1</Data>
    <Data Name="IsConnectivityFailure">false</Data>
  </EventData>
</Event>

A simple filter for critical, error and warning events from this provider looks like this:

 

PS C:\WINDOWS\system32> $query = @"
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-GroupPolicy/Operational">
    <Select Path="Microsoft-Windows-GroupPolicy/Operational">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
  </Query>
</QueryList>
"@

PS C:\WINDOWS\system32> Get-WinEvent -FilterXml $query

 

 

   ProviderName: Microsoft-Windows-GroupPolicy

 

TimeCreated                     Id LevelDisplayName Message

-----------                     -- ---------------- -------

5/27/2013 2:08:57 PM          7004 Error            Manual processing of policy failed for computer FABRIKAM\PC1$ in 243 seconds.

5/27/2013 1:18:28 PM          7004 Error            Manual processing of policy failed for computer FABRIKAM\PC1$ in 0 seconds.

5/27/2013 1:18:28 PM          7326 Error            Group Policy failed to discover the Domain Controller details in 0 milliseconds.

5/27/2013 12:27:03 PM         7004 Error            Manual processing of policy failed for computer FABRIKAM\PC1$ in 251 seconds.

5/27/2013 11:32:52 AM         7004 Error            Manual processing of policy failed for computer FABRIKAM\PC1$ in 0 seconds.

...

 

 

Let's look at the first event and see what it displays by default:

 

PS C:\WINDOWS\system32> Get-WinEvent -FilterXml $query | select -First 1 | fl *

 

 

Message              : Manual processing of policy failed for computer fabrikam\pc1$ in 243 seconds.

Id                   : 7004

Version              : 1

Qualifiers           :

Level                : 2

Task                 : 0

Opcode               : 2

Keywords             : 4611686018427387904

RecordId             : 138644

ProviderName         : Microsoft-Windows-GroupPolicy

ProviderId           : aea1b4fa-97d1-45f2-a64c-4d69fffd92c9

LogName              : Microsoft-Windows-GroupPolicy/Operational

ProcessId            : 640

ThreadId             : 3040

MachineName          : pc1.fabrikam.com

UserId               : S-1-5-18

TimeCreated          : 5/27/2013 2:08:57 PM

ActivityId           : 2b97a5fb-108b-4fdb-bcc8-a85ae40c1e42

RelatedActivityId    :

ContainerLog         : Microsoft-Windows-GroupPolicy/Operational

MatchedQueryIds      : {}

Bookmark             : System.Diagnostics.Eventing.Reader.EventBookmark

LevelDisplayName     : Error

OpcodeDisplayName    : Stop

TaskDisplayName      :

KeywordsDisplayNames : {}

Properties           : {System.Diagnostics.Eventing.Reader.EventProperty, System.Diagnostics.Eventing.Reader.EventProperty,

                       System.Diagnostics.Eventing.Reader.EventProperty, System.Diagnostics.Eventing.Reader.EventProperty...}

  

Convert it to XML:

 

PS C:\WINDOWS\system32> [xml]$evt1 =(Get-WinEvent -FilterXml $query | select -First 1).toXML() # Cast it with [ xml ]

PS C:\WINDOWS\system32> $evt1

 

Event

-----

Event

 

 

PS C:\WINDOWS\system32> $evt1.Event.EventData

 

Data

----

{PolicyElaspedTimeInSeconds, ErrorCode, PrincipalSamName, IsMachine...}

 

PS C:\WINDOWS\system32> $evt1.Event.EventData.Data

 

Name                                                               #text

----                                                               -----

PolicyElaspedTimeInSeconds                                         241

ErrorCode                                                          1053

PrincipalSamName                                                   fabrikam\pc1$

IsMachine                                                          1

IsConnectivityFailure                                              false

 

PS C:\WINDOWS\system32> $evt1.Event.System

 

 

Provider      : Provider

EventID       : 7004

Version       : 1

Level         : 2

Task          : 0

Opcode        : 2

Keywords      : 0x4000000000000000

TimeCreated   : TimeCreated

EventRecordID : 138660

Correlation   : Correlation

Execution     : Execution

Channel       : Microsoft-Windows-GroupPolicy/Operational

Computer      : pc1.fabrikam.com

Security      : Security

 

Now we have structured access to both the System and EventData sections, exactly as they appear in the event's XML. If we want to keep only the events whose ErrorCode is 1053 and export them to a file, it could look like this:

 

 

PS C:\WINDOWS\system32> $file = New-Item -Name log1053.txt -Path c:\temp -Force -Type file

PS C:\WINDOWS\system32> Get-WinEvent -FilterXml $query | %{
    $evt = [xml]$_.ToXml()   # Cast here with [ xml ]
    # Keep the event only if its EventData holds an ErrorCode element equal to 1053
    if ($evt.Event.EventData.Data | ?{ $_.Name -eq "ErrorCode" -and $_.'#text' -eq 1053 })
    {
        $_ | fl * | Out-File $file -Append
    }
}
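The loop above pulls every error and warning from the channel, parses each one as XML and then throws most of them away on the client. As an added example (my code, not part of the original post), the script below does the same job in two steps: a reusable function that flattens any event into an object whose properties are the named EventData fields, and a query that moves the ErrorCode test into the XPath so the Event Log service only returns matching records. It assumes the Group Policy operational channel exists on the machine (Windows Vista / Server 2008 and later), that `$query` is the Level filter defined earlier in the post, and that the CSV path is an arbitrary choice.

```powershell
# Added example, not part of the original post.
# Assumes: the Group Policy operational channel is present, $query is the Level
# filter defined earlier in the post, and $outCsv is an arbitrary output path.

# Flatten an EventLogRecord into one object: a few System fields plus every
# named <Data> element from <EventData>, so values can be filtered, selected
# and exported by name instead of by position.
function ConvertTo-EventObject {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Diagnostics.Eventing.Reader.EventLogRecord]$Event
    )
    process {
        [xml]$x = $Event.ToXml()          # same cast the post uses
        $sys = $x.Event.System

        $obj = [ordered]@{
            TimeCreated = $Event.TimeCreated
            RecordId    = [int64]$sys.EventRecordID
            EventId     = [int]$sys.EventID
            Level       = $Event.LevelDisplayName
            Provider    = $sys.Provider.Name          # attribute, as in the post's output
            Computer    = $sys.Computer
            UserId      = $sys.Security.UserID
            ActivityId  = $sys.Correlation.ActivityID
        }

        # Manifest-based providers name each <Data> element; classic providers emit
        # unnamed <Data> nodes, which get numbered Data0, Data1, ... instead.
        # Events that carry <UserData> rather than <EventData> simply add no fields.
        $i = 0
        foreach ($d in @($x.Event.EventData.Data)) {
            if ($null -eq $d) { continue }
            if ($d -is [System.Xml.XmlElement]) {
                $name  = $d.GetAttribute('Name')
                $value = $d.'#text'
            } else {                          # unnamed element is adapted to a plain string
                $name  = ''
                $value = [string]$d
            }
            if (-not $name) { $name = "Data$i" }
            $obj[$name] = $value
            $i++
        }
        [pscustomobject]$obj
    }
}

# Push the ErrorCode test into the XPath so the Event Log service returns only
# matching records instead of every error/warning in the channel.
$query1053 = @"
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-GroupPolicy/Operational">
    <Select Path="Microsoft-Windows-GroupPolicy/Operational">
      *[System[(Level=1 or Level=2 or Level=3)]]
      and
      *[EventData[Data[@Name='ErrorCode']='1053']]
    </Select>
  </Query>
</QueryList>
"@

$outCsv = 'C:\temp\log1053.csv'   # assumed output path

# -ErrorAction SilentlyContinue: Get-WinEvent raises an error, not an empty
# result, when nothing matches the filter.
$serverSide = @(Get-WinEvent -FilterXml $query1053 -ErrorAction SilentlyContinue |
    ConvertTo-EventObject)

# Cross-check against the post's client-side approach: both must select the
# same record IDs, otherwise the XPath is not expressing what we think it is.
$clientSide = @(Get-WinEvent -FilterXml $query -ErrorAction SilentlyContinue |
    ConvertTo-EventObject | Where-Object { $_.ErrorCode -eq '1053' })
$a = ($serverSide | Select-Object -ExpandProperty RecordId | Sort-Object) -join ','
$b = ($clientSide | Select-Object -ExpandProperty RecordId | Sort-Object) -join ','
if ($a -ne $b) {
    Write-Warning 'Server-side and client-side filters disagree; inspect both result sets.'
}

# Export the parsed fields as CSV rather than the rendered Format-List text,
# so the file can be sorted, pivoted or fed to another tool directly.
$serverSide |
    Select-Object TimeCreated, RecordId, EventId, Level, Computer,
                  ErrorCode, PrincipalSamName, PolicyElaspedTimeInSeconds, IsConnectivityFailure |
    Export-Csv -Path $outCsv -NoTypeInformation -Encoding UTF8

"{0} event(s) with ErrorCode 1053 written to {1}" -f $serverSide.Count, $outCsv
```

Two caveats worth knowing. The Event Log service only understands a subset of XPath 1.0, so keep the `Select` expression to element, attribute and equality tests like the one above and do anything fancier on the client after the XML cast. And the same EventData values are also available without any XML parsing as `$_.Properties[n].Value` (ErrorCode is `Properties[1]` for event 7004), but those positions are per-event-ID and carry no names, so the XML route is the safer one when the filter has to stay readable.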

 

 

Hope this is helpful.