{"id":5107,"date":"2016-06-17T10:07:17","date_gmt":"2016-06-17T14:07:17","guid":{"rendered":"http:\/\/jdhitsolutions.com\/blog\/?p=5107"},"modified":"2016-06-17T10:07:17","modified_gmt":"2016-06-17T14:07:17","slug":"the-cim-ple-way-with-powershell-and-event-logs","status":"publish","type":"post","link":"https:\/\/jdhitsolutions.com\/blog\/powershell\/5107\/the-cim-ple-way-with-powershell-and-event-logs\/","title":{"rendered":"The CIM-ple way with PowerShell and Event Logs"},"content":{"rendered":"

I'm always on the lookout for new ways to do things. Often I'm trying to find a way to create something that is easy to use without requiring a lot of PowerShell scripting.\u00a0 I also like using the final result as teaching aids so even if you don't need the end product, I hope you'll pick up a trick or two that you can use in your own scripting projects. The task I had in mind today is a better way to get event log information. Not the events themselves, but rather the event log file. How many entries are in it? How big is it? How much of the configured log is being used? Here's what I came up with.<\/p>\n

<\/p>\n

We have always had the Get-Eventlog<\/a> cmdlet which will provide some of this information using the -List parameter.<\/p>\n

\"Listing<\/a><\/p>\n

There is a bit more to each object and you could use a PowerShell expression with Select-Object<\/a> to get the desired result. You could also write a function to simplify the process. But if you have to go that route, I say find a way to use CIM or PowerShell remoting. So much of remote access in PowerShell is done over legacy protocols and I believe we should strive to do more over WsMan. Because the event log files are exposed via WMI through the Win32_NTEventLogFile, we can use Get-CimInstance<\/a> to retrieve them.<\/p>\n

\"Listing<\/a><\/p>\n

Yes, the output is different. But by looking at the properties I can create a function to make it easier to query and write a custom object to the pipeline with more relevant information.<\/p>\n

\"Using<\/a><\/p>\n

In my testing this is also much faster than using Get-Eventlog.\u00a0 Want to know how I did this and how it works? Grab a copy of the script file from GitHub.<\/p>\n