eventID, find specific

Get-EventLog -LogName "Application" -After (Get-Date -Date '7/28/2018') | where {($_.EventID -eq 1000) -or ($_.EventID -eq 1026) -or ($_.EventID -eq 1325)}








log types, see list of all the different

Get-WinEvent -ListLog *

or only the logs that actually contain records (and so might hold something useful), largest first:

Get-WinEvent -ListLog * | ? {$_.RecordCount -gt 0} | sort RecordCount -Descending




OS update fails

$query = @"
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[Provider
        and (Level=2) and Task = 1
        and (band(Keywords,8200))]]</Select>
  </Query>
</QueryList>
"@
# -FilterXml takes the same XPath/XML that Event Viewer's "Filter Current Log" produces
$systemEvents = Get-WinEvent -FilterXml ([xml]$query) -ErrorAction SilentlyContinue
Foreach($event in $systemEvents) { $event | Format-List TimeCreated, Id, ProviderName, Message }

The "Level=2" selects events logged at the Error level, i.e. failures.

This is a simplified version of what I couldn't get to work here.




Security log failures

This finds all audit failures. I cap it at the most recent 2000 so it won’t take forever. To get the detail held in “ReplacementStrings”, concatenate the array into one string (separating with “;”); if you don’t, Export-Csv writes the array’s type name instead of its values, so the column is useless in the .csv file.

Get-Eventlog -LogName security -Newest 2000 | where {($_.EntryType -eq 'FailureAudit') } | Select-Object index, TimeGenerated, InstanceID, message, @{L='ReplacementStrings'; E = { $_.ReplacementStrings -join ";"}} | Export-Csv C:\Users\user\Documents\SecurityLogAuditFailures.csv

This doesn’t filter for any EventIDs (“InstanceID”), so it might return a whole bunch of EventID 5157 (DNS). To focus on specific EventIDs instead, and split the ReplacementStrings into their own columns:

Get-Eventlog -LogName security -Newest 200000 | where {($_.EntryType -eq 'FailureAudit') -and (($_.InstanceID -eq 4625) -or ($_.InstanceID -eq 4656))} | Select-Object index, TimeGenerated, message, @{L='GUID'; E={$_.ReplacementStrings[0]}}, @{L='name'; E={$_.ReplacementStrings[1]}}, @{L='domain'; E={$_.ReplacementStrings[2]}}, @{L='someHexValue'; E={$_.ReplacementStrings[3]}}, @{L='someOtherGUID'; E={$_.ReplacementStrings[4]}} | Export-Csv C:\Users\user\Documents\SecurityLogAuditFailures2.csv
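A fuller version of the same idea, added here as an example rather than one of the original snippets: it uses Get-WinEvent with a server-side filter instead of Get-EventLog | where, names the 4625 replacement strings by their position in the event's message template (the field list is an assumption to check against one event on your own build), and groups the failures by account and source address for triage. Get-FailedLogon is a hypothetical helper name.

```powershell
# Added example (not from the original notes). Assumes a Windows host where
# logon-failure auditing writes event 4625 to the Security log and that the
# session has rights to read it (normally an elevated prompt).
# Field order follows the 4625 message template; this is an assumption, so
# verify it once with: Get-WinEvent -FilterHashtable @{LogName='Security';Id=4625} -MaxEvents 1 | Format-List *
$fields4625 = 'SubjectUserSid','SubjectUserName','SubjectDomainName','SubjectLogonId',
              'TargetUserSid','TargetUserName','TargetDomainName','Status',
              'FailureReason','SubStatus','LogonType','LogonProcessName',
              'AuthenticationPackageName','WorkstationName','TransmittedServices',
              'LmPackageName','KeyLength','ProcessId','ProcessName','IpAddress','IpPort'

function Get-FailedLogon {
    param(
        [datetime]$Since = (Get-Date).AddDays(-1),
        [int]$MaxEvents = 2000
    )
    # FilterHashtable is applied by the event log service, so it is far cheaper
    # than pulling every record and filtering with where on the client side.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $row = [ordered]@{ TimeCreated = $_.TimeCreated; RecordId = $_.RecordId }
        # Properties[] holds the same values Get-EventLog exposes as ReplacementStrings
        for ($i = 0; $i -lt $fields4625.Count -and $i -lt $_.Properties.Count; $i++) {
            $row[$fields4625[$i]] = $_.Properties[$i].Value
        }
        [pscustomobject]$row
    }
}

# Status/SubStatus arrive as integers; format them as hex so they match the documented codes
$failures = Get-FailedLogon -Since (Get-Date).AddDays(-7) -MaxEvents 20000 |
    Select-Object TimeCreated, TargetDomainName, TargetUserName, LogonType, IpAddress, WorkstationName,
        @{L='Status';    E={ '0x{0:X8}' -f [uint32]$_.Status }},
        @{L='SubStatus'; E={ '0x{0:X8}' -f [uint32]$_.SubStatus }}

$failures | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\Documents\FailedLogons.csv"

# Quick triage: which account / source address pairs fail most often
$failures | Group-Object TargetUserName, IpAddress |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name
```

A single account with many failures from one address is the usual password-spray or lockout signal; a NULL SID target with a blank IpAddress is typically a local service or scheduled task with a stale credential.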