
I would like to find the single most recent occurrence of a list of certain event IDs for multiple servers. I don't see a nice way to do this. If I use the -Newest switch I have to play around with the number based on the relative size of each server's event log and the chances of the events I'm interested in occurring within that number of entries. In my example below, the server F6WINMSSTEST3 does not have what I'm looking for in the first 10,000 entries. Anyone know a good way to do this?

What I would like is to list single instances of the latest entry for each ID of the events I'm looking for, for each server, so I can see when they occurred. In a perfect world, each server would list the most recent of the 3 IDs.

$Servers = "F6WINMSSTEST","F6WINMSSTEST2","F6WINMSSTEST3","F6WINMSSTEST4","F6WINMSSTEST5"

Foreach ($server in $Servers) {
    $server
    Get-EventLog -ComputerName $server -LogName System -Newest 10000 |
        Where-Object { $_.EventID -eq 6005 -or $_.EventID -eq 6009 -or $_.EventID -eq 6006 }
}

Sample output:

F6WINMSSTEST

   Index Time          EntryType   Source                 InstanceID Message                                                                                                                               
   ----- ----          ---------   ------                 ---------- -------                                                                                                                               
  108265 Feb 08 08:33  Information EventLog               2147489653 The Event log service was started.                                                                                                    
  108264 Feb 08 08:33  Information EventLog               2147489657 Microsoft (R) Windows (R) 6.01. 7601 Service Pack 1 Multiprocessor Free.                                                              
  108247 Feb 08 08:31  Information EventLog               2147489654 The Event log service was stopped.                                                                                                    
  104703 Nov 16 08:41  Information EventLog               2147489653 The Event log service was started.                                                                                                    
  104702 Nov 16 08:41  Information EventLog               2147489657 Microsoft (R) Windows (R) 6.01. 7601 Service Pack 1 Multiprocessor Free.                                                              
  104688 Nov 16 08:39  Information EventLog               2147489654 The Event log service was stopped.                                                                                                    
F6WINMSSTEST2
   39265 Jul 06 08:01  Information EventLog               2147489653 The Event log service was started.                                                                                                    
   39264 Jul 06 08:01  Information EventLog               2147489657 Microsoft (R) Windows (R) 6.00. 6002 Service Pack 2 Multiprocessor Free.                                                              
   39249 Jul 06 08:00  Information EventLog               2147489654 The Event log service was stopped.                                                                                                    
   39060 Jul 06 02:03  Information EventLog               2147489653 The Event log service was started.                                                                                                    
   39059 Jul 06 02:03  Information EventLog               2147489657 Microsoft (R) Windows (R) 6.00. 6002 Service Pack 2 Multiprocessor Free.                                                              
   39044 Jul 06 02:02  Information EventLog               2147489654 The Event log service was stopped.                                                                                                    
F6WINMSSTEST3
F6WINMSSTEST4
    6591 Jul 06 08:01  Information EventLog               2147489653 The Event log service was started.                                                                                                    
    6590 Jul 06 08:01  Information EventLog               2147489657 Microsoft (R) Windows (R) 5.02. 3790 Service Pack 2 Uniprocessor Free.                                                                
    6589 Jul 06 08:00  Information EventLog               2147489654 The Event log service was stopped.                                                                                                    
    6531 Jul 05 11:52  Information EventLog               2147489653 The Event log service was started.                                                                                                    
    6530 Jul 05 11:52  Information EventLog               2147489657 Microsoft (R) Windows (R) 5.02. 3790 Service Pack 2 Uniprocessor Free.                                                                
    6529 Jul 05 11:51  Information EventLog               2147489654 The Event log service was stopped.                                                                                                    
F6WINMSSTEST5
   55124 Nov 06 19:11  Information EventLog               2147489653 The Event log service was started.                                                                                                    
   55123 Nov 06 19:11  Information EventLog               2147489657 Microsoft (R) Windows (R) 5.02. 3790 Service Pack 2 Uniprocessor Free.                                                                
   55122 Nov 06 19:10  Information EventLog               2147489654 The Event log service was stopped.  
Kohlbrr
user1854377
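As an added example (not part of the original question or either answer): the same per-server, per-ID "latest entry" listing, but bounded by a time window (-After) instead of an entry count, so large logs need no -Newest tuning and a server with no hit in the window (the F6WINMSSTEST3 case above) still reports a row instead of silently printing nothing. Assumptions: PowerShell 3.0 or later (for [pscustomobject]), the function name, and the 90-day default window; the server names and IDs are the question's, and the -Source EventLog default comes from the sample output, where all three IDs are written by the EventLog source.

```powershell
# Added example: latest entry per EventID per server, bounded by time rather than by count.
# Assumptions: PS 3.0+, function name, 90-day default window, -Source 'EventLog' (per the
# question's sample output, all three IDs come from that source).
function Get-LatestEventPerId {
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [Parameter(Mandatory = $true)][int[]]$EventId,
        [string]$LogName = 'System',
        [string[]]$Source = 'EventLog',
        [datetime]$After = (Get-Date).AddDays(-90)
    )
    foreach ($server in $ComputerName) {
        # One remote read per server. -Source and -After are applied by the cmdlet itself;
        # only the EventID test runs client-side, on the already-reduced set.
        $readErr = $null
        $entries = @(Get-EventLog -ComputerName $server -LogName $LogName -Source $Source -After $After `
                        -ErrorAction SilentlyContinue -ErrorVariable readErr |
                     Where-Object { $EventId -contains $_.EventID })
        if ($readErr) {
            # Unreachable host, RPC blocked, or simply no entries in the window: say so, but
            # still emit a row per ID so the gap is visible in the table.
            Write-Warning ('{0}: {1}' -f $server, $readErr[0].Exception.Message)
        }
        foreach ($id in $EventId) {
            # Entries come back newest first, but sort explicitly rather than rely on it.
            $latest = $entries | Where-Object { $_.EventID -eq $id } |
                Sort-Object TimeGenerated -Descending | Select-Object -First 1
            [pscustomobject]@{
                Server     = $server
                EventID    = $id
                InstanceId = $(if ($latest) { $latest.InstanceId } else { $null })
                Time       = $(if ($latest) { $latest.TimeGenerated } else { $null })
                Message    = $(if ($latest) { $latest.Message } else { 'no entry since ' + $After.ToString('yyyy-MM-dd') })
            }
        }
    }
}

# Usage, with the servers and IDs from the question.
$Servers = "F6WINMSSTEST","F6WINMSSTEST2","F6WINMSSTEST3","F6WINMSSTEST4","F6WINMSSTEST5"
Get-LatestEventPerId -ComputerName $Servers -EventId 6005,6006,6009 |
    Format-Table Server, EventID, Time, Message -AutoSize
```

Two things to keep in mind: widen -After if a box has not rebooted inside the window (the 6005/6006/6009 trio only appears around an Event Log service restart), and keep the -Source filter, because EventID alone is only a 16-bit number that an unrelated source can reuse.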

2 Answers

I wrote and then deleted this post a couple of times, and now I think I found out what's going on.

  • Anything which writes an event log entry writes a field called 'EventID'
  • This doesn't really contain the EventID, it actually contains some extra data in the high bits of the value
  • The EventViewer / PowerShell / etc. strip the high bits away and present the result as EventId
  • They surface the original value as InstanceId, which may match the EventID, but may not.

This leads to the following situation:

  • Two completely different events might have the same EventID, it might clash. You have to also check the 'Source' is the one you want.
  • Getting the EventID through PowerShell is slow, getting the InstanceId is fast because it's indexed.

So for your question: if you can get one of each of those events and read its InstanceId, you can ask Get-EventLog for the InstanceIds of the events you care about and then use -Newest 1.

Try:

$Servers = "F6WINMSSTEST","F6WINMSSTEST2","F6WINMSSTEST3","F6WINMSSTEST4","F6WINMSSTEST5" 

ForEach ($server in $Servers) {
    Write-Output $server
    Get-EventLog -computer $server -LogName System -InstanceId ?,?,? -Newest 1 
}

(once you find the InstanceIds).

Specifying -Source might be a good idea, too.

Otherwise, this discussion: http://social.technet.microsoft.com/Forums/scriptcenter/en-US/616b67ee-9e71-4f23-abb8-5c88e8890b9e/event-logs-relationship-between-instanceid-and-eventid?forum=ITCG is where I got the above from; it is from someone with the same question as you, and they comment:

Get-WinEvent cmdlet accepts a -FilterXML parameter, in which you can specify the EventID. So this sorts out the problem for up-level machines, but for down-level machines (I wish there was a better way of saying "2000-XP-2K3" / "Vista-7-2008") we still have to filter after the fact, if you see what I mean.

If you can go for the InstanceId that should be much faster, but I'd like to see an authoritative reference that says it's stable and reliable, or can't clash, or similar.

TessellatingHeckler
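As an added example (not the answerer's code): the InstanceId/EventID relationship described above, checked against the three InstanceIds that appear in the question's own sample output, and then the two query paths the quoted discussion distinguishes: the -InstanceId filter with -Newest 1 for any Get-EventLog target, and Get-WinEvent's server-side Id filter for Vista/2008 and later. Function names, the use of F6WINMSSTEST4 (a 5.02 box in the sample output) and F6WINMSSTEST (a 6.01 box) in the usage lines, and the ProviderName value 'EventLog' for Get-WinEvent are assumptions.

```powershell
# Added example, not from the answer above. InstanceIds are taken from the question's sample
# output (6005 -> 2147489653, 6006 -> 2147489654, 6009 -> 2147489657).
$instanceIds = @{ 6005 = 2147489653; 6006 = 2147489654; 6009 = 2147489657 }

# EventID is the low 16 bits of InstanceId; the high bits carry the extra data the answer
# mentions. Each of the three sample values should print match = True.
function Test-InstanceIdLowBits {
    param([hashtable]$Map)   # EventID -> InstanceId
    foreach ($eventId in $Map.Keys) {
        $iid   = [int64]$Map[$eventId]
        $low16 = $iid -band 0xFFFF
        '0x{0:X8}  low 16 bits = {1,5}  EventID = {2,5}  match = {3}' -f $iid, $low16, $eventId, ($low16 -eq $eventId)
    }
}

# Down-level path (works against 2003 as well): Get-EventLog applies -InstanceId before
# -Newest, so -Newest 1 per InstanceId returns the latest hit with no entry-count guessing.
# -Source keeps a different source that reuses the same low 16 bits from matching.
function Get-NewestByInstanceId {
    param([string]$ComputerName, [int64[]]$InstanceId, [string]$Source = 'EventLog')
    foreach ($iid in $InstanceId) {
        Get-EventLog -ComputerName $ComputerName -LogName System -Source $Source -InstanceId $iid `
                     -Newest 1 -ErrorAction SilentlyContinue |
            Select-Object @{n = 'Server'; e = { $ComputerName }}, EventID, InstanceId, TimeGenerated, Message
    }
}

# Up-level path (Vista/2008 and later): Get-WinEvent filters on the real event Id on the
# server, so no InstanceId lookup is needed. ProviderName 'EventLog' is assumed to be how the
# classic EventLog source appears to Get-WinEvent.
function Get-NewestById {
    param([string]$ComputerName, [int[]]$Id, [string]$ProviderName = 'EventLog')
    foreach ($i in $Id) {
        Get-WinEvent -ComputerName $ComputerName -MaxEvents 1 -ErrorAction SilentlyContinue `
                     -FilterHashtable @{ LogName = 'System'; ProviderName = $ProviderName; Id = $i } |
            Select-Object @{n = 'Server'; e = { $ComputerName }}, Id, TimeCreated, Message
    }
}

Test-InstanceIdLowBits -Map $instanceIds
Get-NewestByInstanceId -ComputerName 'F6WINMSSTEST4' -InstanceId $instanceIds.Values
Get-NewestById         -ComputerName 'F6WINMSSTEST'  -Id $instanceIds.Keys
```

The low-16-bit check is the quick way to confirm you have the right InstanceId for an EventID before hard-coding it; the high bits differ between sources, which is exactly why an InstanceId captured from one source's event will not match the same EventID from another.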

In my queries, the return has always been listed newest to oldest. That makes this command work to bring back only the newest:

Get-EventLog -LogName System |
    Where-Object { $_.EventID -eq 6005 -or $_.EventID -eq 6006 -or $_.EventID -eq 6009 } |
    Select-Object -First 1
J0e3gan
Tony A