0

Can anyone help me convert the command below into a WMI query or Get-WmiObject -Filter, as it takes more time for remote servers?

```powershell
Get-EventLog -ComputerName $Comp -LogName System -After (Get-Date).AddDays(-3) -ErrorAction Stop |
         ? { $_.EntryType -eq "Critical" -or $_.EntryType -eq "Warning" -or $_.EntryType -eq "Error"}
```

Thx for your time.

Ritesh

1 Answer

2

Try doing the filtering on the remote host instead of retrieving events of all types first and filtering them afterwards:

```powershell
# -EntryType is the Get-EventLog parameter that filters by event type
Get-EventLog -Computer $Comp -LogName System -EntryType Error,Warning `
  -After (Get-Date).AddDays(-3) -ErrorAction Stop
```

There isn't an event type "Critical", BTW.

If you must use WMI, something like this should work:

```powershell
# Cutoff three days back, converted to the DMTF datetime format WQL expects
$age    = (Get-Date).AddDays(-3).ToUniversalTime()
$ts     = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($age)
# EventType 1 = Error, 2 = Warning
$filter = "LogFile='System' AND TimeGenerated>='$ts' AND EventType<=2"

gwmi Win32_NTLogEvent -Filter $filter -Computer $Comp -EnableAllPrivileges
```
Ansgar Wiechers
  • Thx for your code. Win08 R2 has a "Critical" event type, so how do I add it in this script? Will EventType<=2 include the 'Critical' event type? – Ritesh Sep 10 '13 at 13:50
  • Nobody at Microsoft seems to have bothered updating the documentation with a new event type. Perhaps something like `... AND (Type='Warning' OR Type='Error' OR Type='Critical')` would work. – Ansgar Wiechers Sep 10 '13 at 14:12
  • After some more research it looks like both `Get-EventLog` and `Get-WMIObject` show 'Critical' events with event type 1, so `EventType<=2` will include them. – Ansgar Wiechers Sep 11 '13 at 07:01
  • "FL *" shows "Critical" events are EventType:1. I got the result I expected. Thanks for your time and help. – Ritesh Sep 11 '13 at 13:12
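
The WMI query from the answer, extended into a sweep over several hosts, as an added example that is not part of the original thread. The function name, its parameters and the host names are hypothetical, and it assumes Windows PowerShell 3.0 or later, where `Get-WmiObject` is available. It requests only the properties it reports and validates the log name before embedding it in the WQL string.

```powershell
# Added example: function name, parameters and host names are hypothetical.
function Get-RecentSystemProblem {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        # Restricted to safe characters because the value is embedded in the WQL filter.
        [ValidatePattern('^[\w -]+$')][string]$LogName = 'System',
        [ValidateRange(1, 365)][int]$Days = 3
    )

    # Same filter as the answer: EventType 1 = Error, 2 = Warning.
    $age    = (Get-Date).AddDays(-$Days).ToUniversalTime()
    $ts     = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($age)
    $filter = "LogFile='$LogName' AND TimeGenerated>='$ts' AND EventType<=2"
    # Only these properties are returned, which keeps the remote result set small.
    $props  = 'ComputerName','TimeGenerated','EventType','Type','SourceName','EventCode','Message'

    foreach ($comp in $ComputerName) {
        try {
            Get-WmiObject -Class Win32_NTLogEvent -Property $props -Filter $filter `
                -ComputerName $comp -EnableAllPrivileges -ErrorAction Stop |
                ForEach-Object {
                    [pscustomobject]@{
                        Computer  = $_.ComputerName
                        # DMTF string converted to a local DateTime
                        Time      = $_.ConvertToDateTime($_.TimeGenerated)
                        EventType = $_.EventType
                        Type      = $_.Type
                        Source    = $_.SourceName
                        EventCode = $_.EventCode
                        Message   = $_.Message
                    }
                }
        }
        catch {
            # One unreachable host should not abort the whole sweep.
            Write-Warning "Query failed on ${comp}: $($_.Exception.Message)"
        }
    }
}

# Constructed host names, for illustration only.
Get-RecentSystemProblem -ComputerName 'SRV01','SRV02' -Days 3 |
    Sort-Object Time -Descending |
    Format-Table Computer, Time, Type, Source, EventCode -AutoSize
```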