
Reading the event log with PowerShell

Event log to CSV

Note: Get-EventLog exists only in Windows PowerShell (up to 5.1); it was removed from PowerShell 7. Get-WinEvent works in both and also reads saved .evtx files.

  • Export the Security log, dropping entries whose first replacement string is a SID:
    Get-EventLog -LogName Security -ErrorAction SilentlyContinue |
        Select-Object TimeWritten, @{Name='ReplacementStrings'; Expression={ $_.ReplacementStrings -join ';' }} |
        Where-Object { $_.ReplacementStrings -notmatch '^S-1-5' } |
        Export-Csv output.csv

  • Show the newest 30 events (here: service state changes, event ID 7036) and write them to a file:
    Get-EventLog -LogName System -Newest 30 | Where-Object { $_.EventID -eq 7036 } | Out-File -FilePath C:\temp\report.txt

    The same filter without the output file:
    Get-EventLog -LogName System -Newest 30 | Where-Object { $_.EventID -eq 7036 }

    Note: -Newest 30 is applied before Where-Object, so only the matching events among the 30 most recent entries are returned.

  • Mail a daily check of logon/logoff events (Export-OSCEvent is not a built-in cmdlet; the function has to be loaded first, and sender and recipients must be filled in):
    Export-OSCEvent -Path "C:\Eventlog.csv" -EventID 4634,4624 -SmtpServer "Ex01" -Subject "Eventlog daily check" -From "" -To ""

  • Export a certain event log with a given log name and event ID for the last 24 hours:
    $LogName = 'System'             # log to query (example value)
    $EventID = 7036                 # one or more event IDs (example value)
    $Path    = 'C:\temp\events.csv' # output file (example value)
    Get-WinEvent -LogName $LogName -MaxEvents 1000 -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -in $EventID -and $_.TimeCreated -gt (Get-Date).AddHours(-24) } |
        Sort-Object TimeCreated -Descending |
        Export-Csv $Path -NoTypeInformation

    Note: -MaxEvents 1000 limits the read before the filter runs; on a busy log, events older than the newest 1000 are never seen.

  • Show a filtered event from a saved log file:
    Get-WinEvent -FilterHashtable @{Path="C:\fso\SavedAppLog.evtx"; ProviderName="outlook"}

  • Export a certain event log from a remote machine:
    Invoke-Command { Get-EventLog -LogName System } -ComputerName win8 | Export-Csv C:\Names.csv

    Writing directly to a network share from inside the remote session is a second hop, so the credential has to be delegated with CredSSP. Enable it on the remote side (and with -Role Client on the calling machine), then pass -Authentication CredSSP:
    Invoke-Command remotemachine { Enable-WSManCredSSP -Role Server }
    Invoke-Command -ComputerName Win8 -ScriptBlock { Get-EventLog -List | Export-Csv \\AD\Share\Test.csv } -Authentication CredSSP -Credential (Get-Credential)

    CredSSP hands the full credential to the remote host, so use it only towards hosts you trust with that account.

    ---------------------------------------------------------------------------------------------------

    Alternatively map the share as a drive (locally or inside the remote session):
    New-PSDrive -Name W -PSProvider FileSystem -Root \\machine\share
    net use W: \\AD\Share
    Invoke-Command -ComputerName Win8 -ScriptBlock { net use W: \\AD\Share } -Credential (Get-Credential)
    Invoke-Command -ComputerName Win8 -ScriptBlock { Get-EventLog -List | Export-Csv W:\Test.csv } -Credential (Get-Credential)

    Note: the drive mapping inside the remote session hits the same second-hop limit unless the share accepts the remote computer's account or net use is given explicit credentials.
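A more robust form of the 24-hour export above, added here as an example and not taken from the page: the log name, event IDs and time window are passed to Get-WinEvent through -FilterHashtable, so filtering happens in the event log service instead of after a fixed -MaxEvents read, and the logon fields are pulled out of the event XML by name. The parameters $ComputerName and $Path are assumptions; the event IDs 4624/4634 are the ones the page uses.

```powershell
# Added example (not from the original page): export Security events 4624/4634 from the
# last N hours to CSV, filtered server-side with -FilterHashtable.
param(
    [string[]]$ComputerName = @('localhost'),   # hosts to query (assumption)
    [int[]]$Ids = @(4624, 4634),                # logon / logoff events, as on the page
    [int]$Hours = 24,
    [string]$Path = 'C:\temp\logon-events.csv'  # output file (assumption)
)

$filter = @{
    LogName   = 'Security'
    Id        = $Ids
    StartTime = (Get-Date).AddHours(-$Hours)    # only events newer than this are read
}

$rows = foreach ($computer in $ComputerName) {
    try {
        # Remote reads need the Security log read right on the target (e.g. Event Log Readers).
        Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop |
            ForEach-Object {
                # EventData fields are only reachable by name through the event XML
                $xml  = [xml]$_.ToXml()
                $data = @{}
                foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
                [pscustomobject]@{
                    Computer      = $computer
                    TimeCreated   = $_.TimeCreated
                    Id            = $_.Id
                    TargetUser    = $data['TargetUserName']
                    TargetDomain  = $data['TargetDomainName']
                    LogonType     = $data['LogonType']
                    SourceAddress = $data['IpAddress']
                }
            }
    }
    catch {
        # Get-WinEvent raises "No events were found" when nothing matches; that is not an error here.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$computer : $($_.Exception.Message)"
        }
    }
}

$rows | Sort-Object TimeCreated -Descending | Export-Csv -Path $Path -NoTypeInformation
"$($rows.Count) event(s) written to $Path"
```

Run it as a script (for example `.\Export-LogonEvents.ps1 -ComputerName srv1,srv2 -Hours 48`); LogonType 3 with a SourceAddress outside the expected ranges is the row a daily check would look at first.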