PowerShell Tip of the Week: Query multiple event ID’s remotely

Event ID's

In my daily work I often need to look for specific event IDs on all computers. As my environment contains mostly Server Core machines, I always use a PowerShell script for that.

Multiple event IDs

The Get-WinEvent cmdlet gets events from event logs, including classic logs such as System and Application, and the logs generated by the Windows Event Log technology (the Applications and Services logs).

Its -FilterHashtable parameter accepts a hashtable with the following key names. The filter is applied by the event log service itself, so it is much faster than pulling every event and filtering with Where-Object:

  • LogName
  • ProviderName
  • Path
  • Keywords
  • ID
  • Level
  • StartTime
  • EndTime
  • UserID
  • Data

You can specify several event IDs at once (the ID key takes an array) and run a simple command locally or remotely.

$EventId = 4625,4740   # failed logon and account lockout

#Locally
Get-WinEvent -FilterHashTable @{Logname = "ForwardedEvents" ; ID = $EventId}

#Remotely: -ComputerName talks to the remote event log service over RPC, not WinRM,
#so the "Remote Event Log Management" firewall rules must be enabled on the target
Get-WinEvent -Computername ADFS01 -FilterHashTable @{Logname = "ForwardedEvents" ; ID = $EventId}

You can add a few more keys to the filter, such as a start and end time (both are [datetime] values and are compared against TimeCreated).

    $Filter = @{
           Logname = 'System'
           ID = 9,5719
           StartTime =  [datetime]::Today.AddDays(-1)
           EndTime = [datetime]::Today
    }
    Get-WinEvent -FilterHashtable $Filter
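Combining the two ideas above (an ID list plus a time window) with a bit of post-processing turns the same query into a quick triage tool. The script below is an added example, not code from the original post: it pulls failed logons (4625) and lockouts (4740) from the Security log for the last 24 hours, extracts the account and source from the event XML instead of regexing the Message text, and ranks accounts by failed-logon count. The server list, the 24-hour window and running with rights to read the Security log (elevated, or as a member of Event Log Readers) are assumptions.

```powershell
# Added example: count failed logons (4625) and lockouts (4740) per account.
# Assumptions: the Security log is readable by the caller, and $Servers and the
# 24-hour window are placeholders to adjust for your environment.

$Servers = 'localhost'          # assumption: replace with your server list
$Filter  = @{
    LogName   = 'Security'
    ID        = 4625, 4740
    StartTime = (Get-Date).AddHours(-24)
    EndTime   = Get-Date
}

$Results = foreach ($Server in $Servers) {
    # Get-WinEvent raises a non-terminating error when nothing matches the filter;
    # treat that as "no hits" for this host rather than stopping the loop.
    $Events = Get-WinEvent -ComputerName $Server -FilterHashtable $Filter -ErrorAction SilentlyContinue

    foreach ($Event in $Events) {
        # The structured fields live in the EventData part of the event XML, so
        # parse that instead of scraping the localised Message text.
        $Xml  = [xml]$Event.ToXml()
        $Data = @{}
        foreach ($Node in $Xml.Event.EventData.Data) { $Data[$Node.Name] = $Node.'#text' }

        [pscustomobject]@{
            Computer    = $Server
            TimeCreated = $Event.TimeCreated
            ID          = $Event.Id
            # Both IDs carry TargetUserName. 4625 has IpAddress and an NTSTATUS in Status;
            # 4740 puts the computer that reported the lockout in TargetDomainName.
            Account     = $Data['TargetUserName']
            Source      = if ($Event.Id -eq 4625) { $Data['IpAddress'] } else { $Data['TargetDomainName'] }
            Status      = $Data['Status']
        }
    }
}

# Accounts with the most failed logons first; a 4740 shortly after a burst of 4625s
# for the same account from one source is the pattern worth looking at.
$Results |
    Group-Object Account |
    Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ n = 'Lockouts'; e = { ($_.Group | Where-Object ID -eq 4740).Count } },
        @{ n = 'Sources';  e = { ($_.Group.Source | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

Using -ErrorAction SilentlyContinue also hides access-denied and RPC failures, so if a server unexpectedly returns nothing, rerun the Get-WinEvent call for that host without it to see the real error.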

In this example I was looking for events 238, 246, 247, 305, 306 and 353 from the 'AD FS' provider (the AD FS/Admin log) over the last 5 days. The results open in a new window because the pipeline ends with Out-GridView:

#Server list
$Servers = Get-Content "d:\scripts\servers.txt"

#Query remote machines over WinRM (PowerShell remoting), one session per server,
#and collect the results back on the local machine
Invoke-Command $Servers {

    $Filter = @{
           ProviderName = 'AD FS'
           ID = 238,246,247,305,306,353
           StartTime =  [datetime]::Today.AddDays(-5)
           EndTime = [datetime]::Today
    }
    #A server with no matching events raises "No events were found that match
    #the specified criteria"; add -ErrorAction SilentlyContinue to hide that
    Get-WinEvent -FilterHashtable $Filter

} | Select-Object MachineName,TimeCreated,ID,Message | Out-GridView -Title "Results"
