{"id":8386,"date":"2021-05-07T15:00:13","date_gmt":"2021-05-07T19:00:13","guid":{"rendered":"https:\/\/jdhitsolutions.com\/blog\/?p=8386"},"modified":"2021-05-07T15:00:17","modified_gmt":"2021-05-07T19:00:17","slug":"powershell-event-log-mining","status":"publish","type":"post","link":"https:\/\/jdhitsolutions.com\/blog\/powershell\/8386\/powershell-event-log-mining\/","title":{"rendered":"PowerShell Event Log Mining"},"content":{"rendered":"\n<div class=\"wp-block-image is-style-default\"><figure class=\"alignleft size-large is-resized\"><a href=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/05\/pexels-weir-esco-3906748.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/05\/pexels-weir-esco-3906748.jpg\" alt=\"\" class=\"wp-image-8387\" width=\"240\" height=\"160\" srcset=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/05\/pexels-weir-esco-3906748.jpg 320w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/05\/pexels-weir-esco-3906748-300x200.jpg 300w\" sizes=\"auto, (max-width: 240px) 100vw, 240px\" \/><\/a><\/figure><\/div>\n\n\n\n<p>The other day someone who is learning PowerShell reached out to me with a problem. He couldn't understand why the relatively simple PowerShell expression to pull information from the System event log wasn't working. He wasn't seeing errors, but he also wasn't seeing the events he was expecting. Searching event logs with PowerShell is a common task. But as you'll see, you may need to update your approach to mining event logs with PowerShell. Things change in the PowerShell world, and sometimes in subtle ways that you may not notice. To be fair, some of these changes may arise from new versions of the .NET Framework and\/or Windows 10. 
Here's what we encountered.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Get-EventLog<\/h2>\n\n\n\n<p>From the very beginning we've used Get-EventLog to search classic event logs like System and Application. And that's what my student was doing as well in Windows PowerShell. He was searching the System event log for event ID 1074, which indicates a computer restart. He was using code like this:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"powershell\" class=\"language-powershell\">Get-EventLog -log system -newest 1000 |\nWhere-Object {$_.eventid -eq '1074'} |\nFormat-Table machinename, username, timegenerated -autosize<\/code><\/pre>\n\n\n\n<p>There's technically nothing wrong with this. I ran it and got 3 results. Then I double-checked the help to make sure I wasn't forgetting anything. That's when I saw the note indicating that Get-EventLog uses a deprecated Win32 API. The note goes on to say that results may not be accurate. And since I know I've restarted my computer more than 3 times, this warning was right on. I occasionally still fire up a Get-EventLog command because the muscle memory is so strong. But now I know I really need to break this habit.<\/p>\n\n\n\n<p>I knew that Get-EventLog isn't in PowerShell 7 and that you have to use Get-WinEvent. So I suggested going down that route.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Get-WinEvent<\/h2>\n\n\n\n<p>I'll be the first to admit that Get-WinEvent is a bit more complicated to learn, but it is also much more efficient. Here's an equivalent approach:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"powershell\" class=\"language-powershell\">Get-WinEvent -filterhash @{Logname = 'system';ID=1074} -MaxEvents 1000 |\nFormat-Table Machinename,UserID,TimeCreated<\/code><\/pre>\n\n\n\n<p>When I run this I get 97 events, which is considerably more accurate. 
The output from Get-WinEvent is different from Get-EventLog's, so you need to adjust property names. But filtering is much faster and easier. Now I can filter for the event ID early, in the query itself, and not rely on Where-Object. Note too that -MaxEvents now caps the number of matching 1074 events, whereas -Newest 1000 capped the raw log entries that Where-Object ever got to see.<\/p>\n\n\n\n<p>One critical difference for this particular task is that we want to display the username, but Get-WinEvent reports a SID.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-style-default\"><a href=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/05\/get-restart-1.png\"><img loading=\"lazy\" decoding=\"async\" width=\"753\" height=\"221\" src=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/05\/get-restart-1.png\" alt=\"\" class=\"wp-image-8388\" srcset=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/05\/get-restart-1.png 753w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/05\/get-restart-1-300x88.png 300w\" sizes=\"auto, (max-width: 753px) 100vw, 753px\" \/><\/a><\/figure>\n\n\n\n<p>Fortunately, the UserId property is a SecurityIdentifier object, and it includes a method to translate the SID. 
Here's my revised code.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"powershell\" class=\"language-powershell\">Get-WinEvent -filterhash @{Logname = 'system';ID=1074} -MaxEvents 1000 |\nSelect-Object @{Name=\"Computername\";Expression = {$_.machinename}},\n@{Name=\"UserName\";Expression = {$_.UserId.translate([System.Security.Principal.NTAccount]).value}}, TimeCreated<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large is-style-default\"><a href=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/05\/get-restart-2.png\"><img loading=\"lazy\" decoding=\"async\" width=\"604\" height=\"252\" src=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/05\/get-restart-2.png\" alt=\"\" class=\"wp-image-8389\" srcset=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/05\/get-restart-2.png 604w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/05\/get-restart-2-300x125.png 300w\" sizes=\"auto, (max-width: 604px) 100vw, 604px\" \/><\/a><\/figure>\n\n\n\n<p>The Translate() method may not always resolve the SID. Translation happens on the computer running the command, so a SID for a local account on some other machine can't be resolved from mine. For example, I have credentials to query another laptop from my desktop, but I can't translate any SID from its log other than the generic SYSTEM account. 
Fortunately, the replacement strings used in the event log record are stored under a \"Properties\" property.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-style-default\"><a href=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/05\/winevent-properties.png\"><img loading=\"lazy\" decoding=\"async\" width=\"726\" height=\"426\" src=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/05\/winevent-properties.png\" alt=\"\" class=\"wp-image-8391\" srcset=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/05\/winevent-properties.png 726w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/05\/winevent-properties-300x176.png 300w\" sizes=\"auto, (max-width: 726px) 100vw, 726px\" \/><\/a><\/figure>\n\n\n\n<p>The last item in this array is the user account. There's also some other useful information, such as the type of restart event. Keep in mind that these index positions follow the 1074 event's message template, so check the Properties array before reusing them for another event ID. With this in mind, I'll revise my code so that I can query remote machines.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"powershell\" class=\"language-powershell\">Get-WinEvent -computer thinkp1 -filterhash @{Logname = 'system';ID=1074} -MaxEvents 1000 |\nSelect-Object @{Name=\"Computername\";Expression = {$_.machinename}},\n@{Name=\"UserName\";Expression = { ($_.properties[-1]).value}}, TimeCreated,\n@{Name=\"Category\";Expression = {$_.properties[4].value}}<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large is-style-default\"><a href=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/05\/winevent-properties2.png\"><img loading=\"lazy\" decoding=\"async\" width=\"704\" height=\"408\" src=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/05\/winevent-properties2.png\" alt=\"\" class=\"wp-image-8392\" srcset=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/05\/winevent-properties2.png 704w, 
https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/05\/winevent-properties2-300x174.png 300w\" sizes=\"auto, (max-width: 704px) 100vw, 704px\" \/><\/a><\/figure>\n\n\n\n<p>Much better.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Function Time<\/h2>\n\n\n\n<p>More than likely, the original code was something that would be run periodically. So instead of always having to type the code, creating a PowerShell function around it is the smart move. I already have a Get-WinEvent expression that works, so that will be the center of my function. I always stress the importance of getting your core code to work at a console prompt first. Then build the function around it.<\/p>\n\n\n\n<p>Because you want functions to be flexible, I thought a bit about what parameters I might need. Even though the original code was searching the local computer's event log, it isn't a stretch to imagine wanting to search a remote computer, and Get-WinEvent supports that, as well as alternate credentials. I decided to keep the MaxEvents parameter. But I also imagined situations where I wanted to find restart events after a certain date.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"powershell\" class=\"language-powershell\">Param(\n    [Parameter(Position = 0, ValueFromPipeline)]\n    [ValidateNotNullOrEmpty()]\n    [Alias(\"CN\")]\n    [string]$Computername = $env:COMPUTERNAME,\n    [Parameter(HelpMessage = \"Find restart events since this date and time.\")]\n    [ValidateNotNullOrEmpty()]\n    [Alias(\"Since\")]\n    [datetime]$After,\n    [int64]$MaxEvents,\n    [PSCredential]$Credential\n)<\/code><\/pre>\n\n\n\n<p>You'll notice I kept the same parameter names. There's no reason to reinvent the wheel. 
I did add a few parameter aliases, though. My Get-WinEvent command is going to use a filtering hashtable, so I'll build that on the fly.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"powershell\" class=\"language-powershell\">$filter = @{\n    Logname = \"System\"\n    ID      = 1074\n}\nif ($After) {\n    Write-Verbose \"[$((Get-Date).TimeofDay) BEGIN  ] Getting restart events after $After\"\n    # StartTime is a supported filter hashtable key; only add it when the caller asked for it\n    $filter.Add(\"StartTime\", $After)\n}<\/code><\/pre>\n\n\n\n<p>The next step is to define a hashtable of Get-WinEvent parameters that I can splat. Splatting isn't always required or necessary, but in this case it keeps my code simple.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"powershell\" class=\"language-powershell\">$entries = Get-WinEvent @splat<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Objects, Objects, Objects<\/h2>\n\n\n\n<p>You always want your functions to write objects to the pipeline. I could have used the native output from Get-WinEvent, but the original command only wanted a few properties, so I'll do the same. 
I like creating custom objects like this:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"powershell\" class=\"language-powershell\">foreach ($entry in $entries) {\n    # resolve the user SID; if it can't be translated on this computer,\n    # fall back to the account name stored in the event's replacement strings\n    Try {\n        Write-Verbose \"[$((Get-Date).TimeofDay) PROCESS] Translating $($entry.UserId)\"\n        $user = $entry.UserId.translate([System.Security.Principal.NTAccount]).value\n    }\n    Catch {\n        $user = $entry.properties[-1].value\n    }\n\n    [pscustomobject]@{\n        PSTypeName   = \"RestartEvent\"\n        Computername = $entry.machinename.ToUpper()\n        Datetime     = $entry.TimeCreated\n        Username     = $user\n        Category     = $entry.properties[4].value\n        Process      = $entry.properties[0].value.split()[0].trim()\n    }\n} #foreach item<\/code><\/pre>\n\n\n\n<p>My function uses both techniques to resolve the user SID for the sake of education.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-style-default\"><a href=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/05\/get-restart-3.png\"><img loading=\"lazy\" decoding=\"async\" width=\"861\" height=\"316\" 
src=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/05\/get-restart-3.png\" alt=\"\" class=\"wp-image-8394\" srcset=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/05\/get-restart-3.png 861w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/05\/get-restart-3-300x110.png 300w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/05\/get-restart-3-768x282.png 768w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/05\/get-restart-3-850x312.png 850w\" sizes=\"auto, (max-width: 861px) 100vw, 861px\" \/><\/a><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large is-style-default\"><a href=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/05\/get-restart-4.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"499\" src=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/05\/get-restart-4-1024x499.png\" alt=\"\" class=\"wp-image-8395\" srcset=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/05\/get-restart-4-1024x499.png 1024w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/05\/get-restart-4-300x146.png 300w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/05\/get-restart-4-768x374.png 768w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/05\/get-restart-4-850x414.png 850w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/05\/get-restart-4.png 1497w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Polishing PowerShell<\/h2>\n\n\n\n<p>What I have to this point is useful. I've changed to using Get-WinEvent to search event logs and I've built a simple, reusable tool around it that I can use at a PowerShell prompt. But how about putting a high polish on this function? For example, even though the default output shows as a list, I know a table view would be easier to read. 
And how about a way to make different categories jump out?<\/p>\n\n\n\n<p>You'll notice that the hashtable behind my custom object defines a PSTypeName. This is so that I can create a custom format ps1xml file using <a href=\"http:\/\/bit.ly\/31SGo5o\" target=\"_blank\" rel=\"noreferrer noopener\">New-PSFormatXML<\/a>. In the .ps1 file that defines the function, I'll also load the format file.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"powershell\" class=\"language-powershell\">Update-FormatData $PSScriptRoot\\restartevent.format.ps1xml<\/code><\/pre>\n\n\n\n<p>In the format file, I'm going to group the output by computername. I'm also going to add some color coding using ANSI escape sequences.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-style-default\"><a href=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/05\/get-restart-5.png\"><img loading=\"lazy\" decoding=\"async\" width=\"840\" height=\"467\" src=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/05\/get-restart-5.png\" alt=\"\" class=\"wp-image-8396\" srcset=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/05\/get-restart-5.png 840w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/05\/get-restart-5-300x167.png 300w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2021\/05\/get-restart-5-768x427.png 768w\" sizes=\"auto, (max-width: 840px) 100vw, 840px\" \/><\/a><\/figure>\n\n\n\n<p>You can grab the <a href=\"https:\/\/gist.github.com\/jdhitsolutions\/30e7f34355dcfecb139693884d288362\" target=\"_blank\" rel=\"noreferrer noopener\">complete function and format file from GitHub<\/a>. And even if you don't need the function, begin making the transition to using Get-WinEvent. It will be a little tricky at first, but it will be worth your time.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The other day someone who is learning PowerShell reached out to me with a problem. 
He couldn&#8217;t understand why the relatively simple PowerShell expression to pull information from the System event log wasn&#8217;t working. He wasn&#8217;t seeing errors, but he also wasn&#8217;t seeing the events he was expecting. Searching event logs with PowerShell is a&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","categories":[4,8],"tags":[224,136,263,534,540],"class_list":["post-8386","post","type-post","status-publish","format-standard","hentry","category-powershell","category-scripting","tag-function","tag-get-eventlog","tag-get-winevent","tag-powershell","tag-scripting"],"yoast_head_json":{"title":"PowerShell Event Log Mining &#8226; The Lonely Administrator","description":"Is Get-Eventlog not cutting it in PowerShell? You should be using Get-WinEvent. Here's how to get the most out of it.","author":"Jeffery Hicks","article_published_time":"2021-05-07T19:00:13+00:00"}}
In association with the fine people behind the Techmentor conference, I will be presenting a 2 day PowerShell Scripting workshop in Dallas, TX on February 4-5, 2019. There is an option to attend virtually, but you'll really\u2026","rel":"","context":"In &quot;PowerShell&quot;","block_context":{"text":"PowerShell","link":"https:\/\/jdhitsolutions.com\/blog\/category\/powershell\/"},"img":{"alt_text":"announcer-blue","src":"https:\/\/i0.wp.com\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2018\/11\/announcer-blue_thumb.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":346,"url":"https:\/\/jdhitsolutions.com\/blog\/scripting\/346\/powershell-exit-stage-left\/","url_meta":{"origin":8386,"position":5},"title":"Powershell: Exit Stage Left","author":"Jeffery Hicks","date":"September 1, 2009","format":false,"excerpt":"While reviewing and revising the manuscript for Windows PowerShell v2.0: TFM 3rd ed. I had the opportunity to revisit our chapter on working with events in PowerShell. An event in Windows is when something happens like a mouse-click, a process being created or window resized. 
In PowerShell you can easily\u2026","rel":"","context":"In &quot;CommandLine&quot;","block_context":{"text":"CommandLine","link":"https:\/\/jdhitsolutions.com\/blog\/category\/commandline\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/jdhitsolutions.com\/blog\/wp-json\/wp\/v2\/posts\/8386","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jdhitsolutions.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jdhitsolutions.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jdhitsolutions.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jdhitsolutions.com\/blog\/wp-json\/wp\/v2\/comments?post=8386"}],"version-history":[{"count":0,"href":"https:\/\/jdhitsolutions.com\/blog\/wp-json\/wp\/v2\/posts\/8386\/revisions"}],"wp:attachment":[{"href":"https:\/\/jdhitsolutions.com\/blog\/wp-json\/wp\/v2\/media?parent=8386"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jdhitsolutions.com\/blog\/wp-json\/wp\/v2\/categories?post=8386"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jdhitsolutions.com\/blog\/wp-json\/wp\/v2\/tags?post=8386"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}