Finding the most common errors in event logs using Powershell.

Question

I have the event logs for one of our servers locally in .evtx format. I can load the log file into PS using the command:

Get-WinEvent -Path D:\Desktop\serverlogs.evtx

What I would like to do is on the Message field group events where the text matches by a certain percent (say 80% the same). As we have stacktraces for errors in the details which will be the same, but we also log the client's IP, url that was accessed which will likely be different.

I want to group them so that I can work out the most common errors to prioritize fixing them and as there are 25,000+ errors in the log file I would rather not do it manually.

I think I can work out how to do most of this, but am not sure how I could do the 'group fields which are mostly the same' part, does powershell have anything like this built in?

Answer 1

First, you want to filter out as much as you can because the next step uses the Where-Object cmdlet, which can be slow for this sort of thing (unfortunately, it doesn't look like any of the arguments for Get-WinEvent support wildcards for the Message property of an event).

For example, get just the "error" level events:

$events = Get-WinEvent -FilterHashTable @{ Path="D:\Desktop\serverlogs.evtx";Level=2 }

Then, you can use -match or -like to further filter down to the ones that have similar text:

$events = $events | ?{ $_.Message -match "your similar error here" }

Now that you have narrowed down the list, you can pipe the results to the Group-Object cmdlet, specifying that you want to group them on the "Message" property of the event:

$events | Group-Object -Property Message

Answer 2

Although you asked how to do this in Powershell, I'd suggest also having a look at Microsoft Log Parser This will enable you to write SQL-like queries against your logs (and a whole raft of other useful tricks). No reason why you couldn't drive it from Powershell either.