Windows administrators very often review the event logs on Windows workstations and server operating systems. Generally, when there is an issue on a computer, we have to look at the logs for that case. Here we explain how to get multiple event IDs from multiple remote computers with a simple piece of code.
First we need to understand the types of logs and event IDs a bit. There are Application, Security, Setup, System and Forwarded Events logs, and we need to know their providers to query the event IDs.
(Get-WinEvent -ListLog System).ProviderNames
This piece of code lists all the providers that write to the System log. You can use the same command to list the providers for the Application, Setup and Security event logs.
I want to query system reboot IDs, logoff IDs and others. Here is the simple code to query them on multiple remote computers.
We need to create a file that stores the list of all the servers or machines. I named it Allservers.txt and saved it on my local machine as c:\temp\Allservers.txt
# Read the list of target computers, one name per line
$AllServers = Get-Content -Path "C:\temp\Allservers.txt"
Invoke-Command -ComputerName $AllServers -ScriptBlock {
    # Filter: System log, the three event IDs, the last three days
    $Object = @{
        LogName = 'System'
        ID = 6006,7002,7001
        StartTime = [datetime]::Today.AddDays(-3)
        EndTime = [datetime]::Today
    }
    Get-WinEvent -FilterHashtable $Object
} | Select-Object MachineName,TimeCreated,ID,Message | Out-GridView -Title "Output"
The above script brings up the reboot, logoff, and user logon notification event IDs on the remote computers. These are System event IDs; you can change the log name and the IDs as per your need, for example to Application, Setup or Security events.
To run the above script, you need multiple remote computers and admin rights on those computers.
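The same query with the failure cases handled, as an added example that is not part of the original article: a host that cannot be reached is reported instead of silently missing from the results, a host with no matching events is treated as a normal empty result, and the output is written to a CSV file. The report path C:\temp\EventReport.csv and the label text are assumptions chosen for illustration.

```powershell
# Added example (not the article's script). Paths and labels are assumed values.
$AllServers = Get-Content -Path 'C:\temp\Allservers.txt' | Where-Object { $_.Trim() }
$ReportPath = 'C:\temp\EventReport.csv'   # assumption: any writable local path

# Labels for the three System log IDs, following the article's description.
$Labels = @{
    6006 = 'Event Log service stopped (shutdown)'
    7001 = 'User logon notification'
    7002 = 'User logoff notification'
}

$Events = Invoke-Command -ComputerName $AllServers -ErrorAction SilentlyContinue `
    -ErrorVariable RemoteErrors -ScriptBlock {
    $Filter = @{
        LogName   = 'System'
        Id        = 6006, 7002, 7001
        StartTime = [datetime]::Today.AddDays(-3)
        EndTime   = [datetime]::Today
    }
    try {
        Get-WinEvent -FilterHashtable $Filter -ErrorAction Stop |
            Select-Object TimeCreated, Id, ProviderName, Message
    }
    catch {
        # "No events found" is a normal result; any other error is sent back.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            Write-Error -ErrorRecord $_
        }
    }
}

# Hosts that could not be queried must not be read as "nothing happened".
foreach ($Failure in $RemoteErrors) {
    Write-Warning "Not collected: $Failure"
}

# PSComputerName is added by Invoke-Command to every returned object.
$Events |
    Select-Object PSComputerName, TimeCreated, Id,
        @{ Name = 'Event'; Expression = { $Labels[[int]$_.Id] } }, Message |
    Sort-Object PSComputerName, TimeCreated |
    Export-Csv -Path $ReportPath -NoTypeInformation
```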
Thank you for reading this article. If you have any questions, please let us know.
Thank you for visiting my site. For any script in these articles that you are testing, please make sure you have tested it in your lower environment before you run it in production.