PowerShell Get-Eventlog Remote Computer

Src:  http://www.computerperformance.co.uk/powershell/powershell_eventlog_remote.htm#Troubleshooting_the_Remote_Get-Eventlog_Connection

 

Introduction to Scripting Eventlog on a Remote Computer

Remoting is the biggest single improvement to Windows PowerShell v 2.0.  Here on this page we will see how it's possible to apply the -ComputerName parameter to eventlog files, and thus view errors on a network computer.

PowerShell Eventlog Topics

•   Example 1:  PowerShell Eventlog on Local Computer
•   Example 2:  Get-Eventlog on Remote Computer
• Example 3:  PowerShell Get-Eventlog Remote EventID
• Troubleshooting the Remote Get-Eventlog Connection
• Summary of           Eventlog

  ♣

Example 1:  PowerShell Eventlog on Local Computer

My learning progression is to get a basic example working on the local machine and then adapt the script to interrogate a remote computer.

# PowerShell script to list the event logs on the local computer
Clear-Host
Get-Eventlog -List -ComputerName LocalHost

Example 2:  PowerShell Get-Eventlog on Remote Computer

Here is a modification of Example 1 which makes the script ready-to-run on a remote computer.

# PowerShell script to list the event logs on a remote computer
Clear-Host
$Machine = "OtherMachine"
Get-Eventlog -List -ComputerName $Machine

Note 1: Please change "OtherMachine" to a computer name on your network.

Note 2: Microsoft have added remoting capabilities to PowerShell v2.0, which you access via the -ComputerName parameter.

Troubleshooting Remoting:  If the script works on your local machine, but not the network computer, see how totroubleshoot.

Guy Recommends:  SolarWinds' Log & Event Management Tool

LEM will alert you to problems such as when a key application on a particular server is unavailable.  It can also detect when services have stopped, or if there is a network latency problem.  Perhaps this log and event management tool's most interesting ability is to take corrective action, for example by restarting services, or isolating the source of a maleware attack.

Yet perhaps the killer reason why people use LEM is for its compliance capability, with a little help from you, it will ensure that your organization complies with industry standards such as CISP or FERPA.  LEM is a really smart application that can make correlations between data in different logs, then use its built-in logic to take corrective action, to restart services, or thwart potential security breaches - give LEM a whirl.

Download your FREE trial of SolarWinds Log & Event Management tool.

PowerShell's Get-Eventlog is tricky to operate.  What makes it easier is focussing on the parameters, especially -Logname and for remoting, -ComputerName.  Once you get the basics working there is a wealth of techniques and properties you can apply to this most versatile cmdlet.

Scenario:  You need to investigate a particular EventID. 
Important:  Amend my value of -lt '100' to -eq 'YourNumber'.  Do remember the speech marks.
Optional:  Change "LocalHost" to "YourNetworkMachine"

# PowerShell Remote EventLog example with specific EventID
Clear-Host
$Machine = "LocalHost"
Get-Eventlog -Logname System -ComputerName $Machine -newest 1000 |
Where-Object {$_.EventID -lt '100'} |
Format-Table MachineName, Source, EventID -auto

Note 3:  Please change -lt to -eq, and '100' to the EventID you are researching.

Note 4:  The above script is ready for remoting, just change the value of $Machine variable.

Guy Recommends:  A Free Trial of the Network Performance Monitor  (NPM)

SolarWinds' Network Performance Monitor will help you discover what's happening on your network.  This utility will also guide you through troubleshooting; the dashboard will indicate whether the root cause is a broken link, faulty equipment or resource overload.

What I like best is the way NPM suggests solutions to network  problems.  Its also has the ability to monitor the health of individual VMware  virtual machines.  If you are interested in troubleshooting, and creating  network maps, then I recommend that you try NPM now.

Download a free trial of Solarwinds' Network Performance Monitor

Check the basic connectivity to the other machine:

1. Net View
2. Ping RemoteComputerName
3. Ping IP Address
4. Windows Explorer --> Network

Note 5: You can run the first 3 commands from within PowerShell.

Remote PowerShell Commands to Try

# PowerShell script to enumerate the eventlogs on another computer
$RemoteComputer = "YourOtherMachine"
Get-Eventlog -List -ComputerName $RemoteComputer

Experiment with WMI

One benefit of choosing this WMI class is that you can use the -Credential parameter.

$Remote ="YourOtherMachine"
$AdminBod ="Admin??"
Get-WmiObject -Class Win32_NTLogEvent `
-ComputerName $Remote -Credential $Remote\$Adminbod

Try Remoting from Event Viewer GUI

• Launch Event Viewer
  (Show-Eventlog from inside PowerShell)
• Right-click Event Viewer (Local)
• Select 'Connect to Another Computer...'
• See screenshot opposite.

Note 6: You are amassing clues about what's working and what's not.

Enter-PSSession

In desperation I would create a remote session, and then run the Get-Eventlog commands as though I was a console user typing in PowerShell.

# Create a Remote Session.
Clear-Host
$Remote = "YourOtherMachine"
Enter-PSSession $Remote
Get-Eventlog -List
Exit-PSSession

Note 7: Once again, you probably need the -Credential   information; at least Enter-PSSession supports this useful connection   parameter.
Append: -Credential machine\admin

Guy  Recommends:  SolarWinds Free Wake-On-LAN Utility

Encouraging computers to sleep when they're not in use is a great idea - until you are away from your desk and need a file on that remote sleeping machine!

WOL also has business uses for example, rousing machines so that they can have update patches applied.  My real reason for recommending you download this free tool is because it's so much fun sending those 'Magic Packets'. Give WOL a try - it's free.

Download your free copy of SolarWinds Wake-On-LAN

Further Research on PowerShell Get-Eventlog

To get the most out of Get-Eventlog even experts turn to the trusty PowerShell techniques of Get-Help and Get-Member.  Once you understand the basics, there is huge enjoyment and satisfaction in getting the right script for the right job.

Research Get-Eventlog Parameters

# PowerShell's Get-Eventlog Parameters
Clear-Host
Get-Help Get-Eventlog -full

        Checking with Microsoft's help file will reveal useful parameters.  Always remember to define the log with -logfile.  I particularly like the -Newest, but for detailed research -before or -After maybe more useful.

Research Get-Eventlog Properties

# PowerShell Get-Eventlog Properties
Clear-Host
Get-Eventlog -Logname system -newest 1 | Get-Member -memberType property

        When you define the output with Format-Table or Out-File, it makes life easier if you can choose just the relevant properties, for example, Source, TimeWritten and Message.

      Researching Similar PowerShell Cmdlets

# PowerShell Get-Eventlog Cmdlet Research
Clear-Host
Get-Command -Noun Eventlog

Name
------------------
Clear-EventLog
Get-EventLog
Limit-EventLog
New-EventLog
Remove-EventLog
Show-EventLog
Write-EventLog

        The main result is to realize there is a sister command Write-Eventlog, you could also Clear-Eventlog.

See also Solarwinds Log and Event Manager »

 

Summary of Eventlog on Remote Computer

Remoting is the biggest improvement in PowerShell v 2.0.  On this page we have seen the importance of the -ComputerName parameter for interrogating eventlog files.  As a bonus we have experimented with listing EventIDs on both local and remote computers.