Jeffery Hicks did a two-part series on his blog about accessing event logs in PowerShell (PowerShell Event Log Filtering).
In the second part he used WMI to access remote event logs; I posted an example in the comments using .NET for it.
PoSH>$logs = [System.Diagnostics.EventLog]::GetEventLogs('Server')
PoSH>$logs[0]
Max(K) Retain OverflowAction Entries Name
------ ------ -------------- ------- ----
20,480 7 OverwriteOlder 829 Application
PoSH>$logs[0].machinename
Server
PoSH>$logs[0].entries | where `
>> {($_.EntryType -eq "Warning" -OR $_.EntryType -eq "Error") `
>> -AND ($_.TimeWritten -ge $recent)}
In reaction to my comment on Remote Event Log Filtering, where I redid the example from the first part (PowerShell Event Log Filtering) using the .NET object directly, he posted about PowerShell users not (yet) knowing the .NET objects:
But the good thing is that they already learned about them by using the get-eventlog cmdlet, as this is merely a wrapper for the .NET objects. As the examples below show, the output and objects are the same, only in this case you can use them against remote computers. As you can see in the last example, you can even "switch" to a remote computer using only the PowerShell get-EventLog -list command. So you actually already learned how to use it in the first part of Jeffery Hicks's series, only you might not know it yet ;-).
Get-EventLog -list is actually the same as [System.Diagnostics.EventLog]::GetEventLogs():
PoSH>Get-EventLog -list
Max(K) Retain OverflowAction Entries Name
------ ------ -------------- ------- ----
20,480 7 OverwriteOlder 829 Application
...
PoSH>[System.Diagnostics.EventLog]::GetEventLogs()
Max(K) Retain OverflowAction Entries Name
------ ------ -------------- ------- ----
20,480 7 OverwriteOlder 829 Application
...
You can find this out like this:
[System.Diagnostics.EventLog] | gm -s | fl *
In the output you will find that the latter method also takes a machineName parameter:
...
TypeName : System.Diagnostics.EventLog
Name : GetEventLogs
MemberType : Method
Definition : static System.Diagnostics.EventLog[] GetEventLogs(), static System.Diagnostics.EventLog[] GetEventLogs(String machineName)
...
Also, $al = get-eventlog Application is almost the same as $al = new-object System.Diagnostics.EventLog('Application').
Here too the result is almost the same, but not completely, as the get-eventlog cmdlet already returns the Entries collection:
PoSH>$al = get-eventlog Application
PoSH>$al
Index Time Type Source EventID Message
----- ---- ---- ------ ------- -------
PoSH>$al = new-object System.Diagnostics.EventLog('Application')
PoSH>$al
Max(K) Retain OverflowAction Entries Name
------ ------ -------------- ------- ----
20,480 7 OverwriteOlder 829 Application
PoSH>$al.Entries
Index Time Type Source EventID Message
----- ---- ---- ------ ------- -------
# Remote
PoSH>new-object System.Diagnostics.EventLog('Application','foo')
Max(K) Retain OverflowAction Entries Name
------ ------ -------------- ------- ----
Again, this constructor has more overloads:
PoSH>[System.Diagnostics.EventLog].GetConstructors() |% {"$_"}
Void .ctor()
Void .ctor(System.String)
Void .ctor(System.String, System.String)
Void .ctor(System.String, System.String, System.String)
In this case (no enums, all strings) that is not that helpful, but we have help here. As in the example in yesterday's post about the online VBScript to PowerShell conversion guide, I (and others) did this before for MSDN:
PoSH>Function Get-MSDN ($type = "default") {
>> (new-object -com shell.application).Open("http://msdn2.microsoft.com/library/$type.aspx")
>> }
>>
PoSH>Get-MSDN System.Diagnostics.EventLog
So again, after connecting using the .NET object, the rest is also the same, and you can still use the EventLog methods. As with indexing into the result of the GetEventLogs() method in the first example ($logs[0]), this can even be handy:
PoSH>$al = new-object System.Diagnostics.EventLog('Application')
PoSH>$al | Get-Member -membertype Method
TypeName: System.Diagnostics.EventLog
Name MemberType Definition
---- ---------- ----------
PoSH>$al.WriteEvent
MemberType : Method
OverloadDefinitions : {System.Void WriteEvent(EventInstance instance, Params Object[] values), System.Void WriteEvent(EventInstance instance, Byte[] data, Params Object[] values)}
TypeNameOfValue : System.Management.Automation.PSMethod
Value : System.Void WriteEvent(EventInstance instance, Params Object[] values), System.Void WriteEvent(EventInstance instance, Byte[] data, Params Object[] values)
Name : WriteEvent
IsInstance : True
An even nicer example is the following: we use the get-eventlog -list command to get the event logs and then switch to another machine by changing the MachineName property, as that is get/set.
So it is not even necessary to use the .NET object directly to work against remote computers:
PoSH>$logs = Get-EventLog -list
PoSH>$logs[0]
Max(K) Retain OverflowAction Entries Name
------ ------ -------------- ------- ----
20,480 7 OverwriteOlder 829 Application
PoSH>$logs[0].machinename = "foo"
PoSH>$logs[0]
Max(K) Retain OverflowAction Entries Name
------ ------ -------------- ------- ----
Application
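Putting the pieces above together for reviewing one log on several machines, as an added example that is not part of the original post: the function name Get-RecentLogProblem and its parameters are hypothetical, and it assumes entries are stored oldest first so it can stop reading at the first entry older than the cut-off. The account running it needs permission to read the log on each remote machine.

```powershell
# Added example: collect recent Warning/Error entries from one log on several
# machines through System.Diagnostics.EventLog.
# The function name and parameter names are hypothetical.
function Get-RecentLogProblem {
    param(
        [string[]] $ComputerName = @('.'),   # '.' is the local machine
        [string]   $LogName      = 'Application',
        [int]      $Hours        = 24
    )

    $recent = (Get-Date).AddHours(-$Hours)

    foreach ($computer in $ComputerName) {
        $log = $null
        try {
            # The (logName, machineName) constructor overload listed above.
            $log = New-Object System.Diagnostics.EventLog($LogName, $computer)

            # Assumption: entries are stored oldest first, so walk backwards
            # from the newest and stop at the first entry older than the
            # cut-off instead of pulling the whole log over the network.
            $entries = $log.Entries
            for ($i = $entries.Count - 1; $i -ge 0; $i--) {
                $entry = $entries[$i]
                if ($entry.TimeWritten -lt $recent) { break }
                if ($entry.EntryType -eq 'Warning' -or $entry.EntryType -eq 'Error') {
                    $entry | Select-Object MachineName, TimeWritten, EntryType, Source, EventID, Message
                }
            }
        }
        catch {
            # Unreachable machine, missing log or access denied: report it
            # and continue with the next computer.
            Write-Warning "Could not read '$LogName' on '$computer': $($_.Exception.Message)"
        }
        finally {
            if ($null -ne $log) { $log.Dispose() }
        }
    }
}

# 'Server' is the machine name used in the first example of this post.
Get-RecentLogProblem -ComputerName '.', 'Server' -Hours 24 | Format-Table -AutoSize
```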
So while you use get-member and the cmdlets, in the background you also get to know the .NET objects.
This is a good glide path to using the .NET classes when you need the extra power they can give you (e.g. remoting, other functionality and/or speed). I hope this post also helps by showing that it is not that different from using the cmdlets, as you get back the same .NET objects.
I think this is a good middle way ;-)
Enjoy,
Greetings,/\/\o\/\/