PowerShell Event Log Collection

By Mitchell Grande

Recently while troubleshooting an issue, it was necessary to search for specific event IDs on 6 different servers.  We knew there was a sporadic issue on all of these different servers, but we didn't know if it was happening simultaneously on them or if the timings were scattered.  Although we could have manually logged into each server, exported the event logs, and then searched them in Excel, it was quick and easy to use PowerShell to do the data collection.
 
The PowerShell Script
Here is the PowerShell script used to run the event log collection.  The lines beginning with # are comments explaining each step.
 
#The list of servers to get events from
$servers = "MYSERVER1", "MYSERVER2"
 
#Define the search parameters
#We are searching for event ID 12 in the System log
$searchFields = @{
    "LogName" = "System"
    "ID" = 12
}
 
#Create an empty object to store the combined list of events
$allEvents = @()
 
#Loop through the server list
foreach($server in $servers) {
    #Run the Get-WinEvent using the search parameters against the remote server
    #Add the results to the allEvents object
    $allEvents += Get-WinEvent -FilterHashtable $searchFields -ComputerName $server
}
 
#Export the allEvents object to a CSV file named "event-list.csv"
#-NoTypeInformation drops the "#TYPE ..." header line that Windows PowerShell
#would otherwise write as the first row, which confuses Excel
$allEvents | Export-Csv -Path "C:\temp\event-list.csv" -NoTypeInformation

 
The Result
The result of this script is a CSV file that can be opened in Excel:
 
In the support case we worked on, we were able to easily see that the events were happening on multiple servers at the same time.  That narrowed the issue down and allowed us to target the root cause immediately.
 
In all, writing and running the PowerShell script took just a few minutes.  In contrast, doing the same manually would have easily taken 20 minutes or more.  This was a clear case where using PowerShell saved time and got us accurate results almost immediately.
 
Use It!
The script above is written so that you can use it while troubleshooting issues on your own.  Simply replace the log name and event ID with the correct information and fill in the server list in the second line.  As with any script, you should run it in a test environment to get comfortable with it.
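An extended version of the collection script, added here as an example and not part of the original article: it adds a start time to the filter, keeps going when a server is unreachable or returns no matching events, tags each row with the server it came from, and prints a per-minute summary that shows directly whether the event fired on several servers at the same time.  The server names, log name, event ID and output path are placeholders to replace with your own.

```powershell
# Added example, not the original article's script. Server names, log name,
# event ID and the output path are placeholders.
$servers   = "MYSERVER1", "MYSERVER2", "MYSERVER3"
$startTime = (Get-Date).AddHours(-24)   # only look back 24 hours
$filter    = @{
    LogName   = "System"
    ID        = 12
    StartTime = $startTime
}

# Collect into one array; Write-Warning goes to the warning stream, so only
# event rows end up in $allEvents.
$allEvents = foreach ($server in $servers) {
    try {
        # -ErrorAction Stop turns "no events found" and connection failures
        # into catchable exceptions instead of aborting or spamming the console.
        Get-WinEvent -FilterHashtable $filter -ComputerName $server -ErrorAction Stop |
            Select-Object @{ Name = "Server"; Expression = { $server } },
                          TimeCreated, Id, LevelDisplayName, ProviderName, Message
    }
    catch {
        # Covers "No events were found..." as well as RPC/firewall errors.
        Write-Warning "$server : $($_.Exception.Message)"
    }
}

# One row per event, sorted by time, so cross-server coincidences line up.
$allEvents | Sort-Object TimeCreated |
    Export-Csv -Path "C:\temp\event-list.csv" -NoTypeInformation

# Per-minute summary: a minute listing more than one server means the event
# occurred on several machines at (nearly) the same time.
$allEvents |
    Group-Object { $_.TimeCreated.ToString("yyyy-MM-dd HH:mm") } |
    ForEach-Object {
        [pscustomobject]@{
            Minute  = $_.Name
            Count   = $_.Count
            Servers = ($_.Group.Server | Sort-Object -Unique) -join ", "
        }
    } |
    Sort-Object Minute |
    Format-Table -AutoSize
```

The remote queries use the Event Log RPC service, so the account running the script needs read access to the target log on each server and the Remote Event Log Management firewall rule must be enabled there.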
 
The next time you need to modify or collect data from more than a couple of servers, consider using PowerShell to do the heavy lifting.  A well-written script will ensure changes are done accurately and data is collected quickly.  If you need any assistance in writing a script, you can contact Concurrency Premier Support at support@concurrency.com.
Author: Mitchell Grande, Systems Engineer