
Tom_Lasswell
9 years ago

PowerShell Windows Event Log Monitoring

Switch from WMI-based event log monitoring to PowerShell-based. The command Get-WinEvent does not require PS-Remoting to be enabled and can use WMI pass-through credentials (wmi.user and wmi.pass). This is going to be much more efficient than using WMI to grab event log data.

Example to get it via JSON (though I was not yet able to get this to work properly with a script-based eventsource).

$events = Get-WinEvent -ComputerName $hostname -Credential $remotecredential -LogName Application

# Option 1: pipe the selected fields straight to ConvertTo-Json (emits a bare JSON array).
$events | Select-Object @{Name = "happenedOn"; Expression = {$_.TimeCreated}}, @{Name = "Severity"; Expression = {$_.LevelDisplayName}}, message, @{Name = "Source"; Expression = {$_.ProviderName}} | ConvertTo-Json

# Option 2: wrap the records in an "events" property so the output is a JSON object.
# TimeCreated is cast to [string] so ConvertTo-Json does not expand the DateTime object.
$arr = @{}
$arr.events = $events | Select-Object @{Name = "happenedOn"; Expression = {[string]$_.TimeCreated}}, @{Name = "Severity"; Expression = {$_.LevelDisplayName}}, message, @{Name = "Source"; Expression = {$_.ProviderName}}
$arr | ConvertTo-Json

  • Provides proper JSON for the script eventsource (though that appears not to like passing parameters for tokens, so I was unable to use it as well).

    $events = Get-WinEvent -ComputerName $hostname -Credential $remotecredential -LogName Application

    # Only emit output when at least one event came back.
    if ($events) {
        $arr = @{}
        # happenedOn uses the 24-hour format "ddd MMM dd HH:mm:ss UTC yyyy" ("hh" would give a
        # 12-hour clock with no AM/PM marker); InvariantCulture keeps day and month names in English.
        $arr.events = $events | Select-Object @{Name = "happenedOn"; Expression = {$_.TimeCreated.ToUniversalTime().ToString("ddd MMM dd HH:mm:ss UTC yyyy", [Globalization.CultureInfo]::InvariantCulture)}}, @{Name = "Severity"; Expression = {"error"}}, message, @{Name = "Source"; Expression = {$_.ProviderName}}
        $output = $arr | ConvertTo-Json -Compress
        Write-Host $output
    }
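The following is an added example, not code from the original post or from any product: a complete poll-style collector that takes the same approach (Get-WinEvent with pass-through credentials, JSON with an "events" property) but filters server-side, maps event levels to severities, and keeps the output valid when zero or one event is returned. The token names (##SYSTEM.HOSTNAME##, ##WMI.USER##, ##WMI.PASS##), the 5-minute poll window and the severity strings are assumptions; adjust them to what your eventsource actually substitutes and expects.

```powershell
# Added example, not from the original post: a complete poll-style collector in the
# spirit of the script above. Token names (##SYSTEM.HOSTNAME##, ##WMI.USER##, ##WMI.PASS##)
# and the 5-minute poll window are assumptions; adjust them to the eventsource schedule.
param(
    [string]   $Hostname        = '##SYSTEM.HOSTNAME##',
    [string]   $WmiUser         = '##WMI.USER##',
    [string]   $WmiPass         = '##WMI.PASS##',
    [string[]] $LogNames        = @('Application', 'System'),
    [int]      $LookbackMinutes = 5
)

# Map the numeric event level to a severity string (1 = Critical, 2 = Error, 3 = Warning);
# the strings themselves are an assumption about what the eventsource accepts.
function Get-Severity {
    param([int] $Level)
    switch ($Level) {
        1       { 'critical' }
        2       { 'error' }
        3       { 'warn' }
        default { 'warn' }
    }
}

# Format the event time the way the original script does, but with a 24-hour clock and
# culture-invariant day/month names so the output is stable on non-English collectors.
function Format-HappenedOn {
    param([datetime] $Time)
    $Time.ToUniversalTime().ToString('ddd MMM dd HH:mm:ss UTC yyyy', [Globalization.CultureInfo]::InvariantCulture)
}

# Build a PSCredential from the pass-through WMI credentials; Get-WinEvent accepts it
# directly, so PS-Remoting does not need to be enabled on the monitored host.
$securePass = ConvertTo-SecureString -String $WmiPass -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($WmiUser, $securePass)

# Filter on the remote side: only the requested logs, only Critical/Error/Warning, only
# events newer than the last poll window. Far cheaper than pulling the whole log and
# filtering with Where-Object afterwards.
$filter = @{
    LogName   = $LogNames
    Level     = @(1, 2, 3)
    StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
}

# Get-WinEvent raises a non-terminating error when nothing matches; suppress it so an
# empty window still yields valid JSON below. @() guarantees an array either way.
$events = @(Get-WinEvent -ComputerName $Hostname -Credential $credential `
                         -FilterHashtable $filter -ErrorAction SilentlyContinue)

# One record per event. [ordered] keeps the property order deterministic in the JSON.
$records = @(foreach ($e in $events) {
    [ordered]@{
        happenedOn = Format-HappenedOn $e.TimeCreated
        Severity   = Get-Severity $e.Level
        # Prefix the event ID so alerts can be filtered on it; Message can be $null
        # when the provider's metadata is missing on the collector.
        message    = "[$($e.Id)] $($e.Message)"
        Source     = $e.ProviderName
    }
})

# Wrapping the array in an object keeps "events" an array even when there is exactly
# one record (piping a single-element array to ConvertTo-Json would collapse it).
$payload = @{ events = $records }
Write-Output ($payload | ConvertTo-Json -Depth 3 -Compress)
```

Run it as the script body of the eventsource with the tokens substituted, or locally with explicit parameters (`.\Get-RecentEvents.ps1 -Hostname srv01 -WmiUser 'DOMAIN\svc' -WmiPass '...'`) to check the JSON before scheduling it. Using -FilterHashtable with StartTime and Level is the part that makes this cheaper than WMI: the filter is evaluated by the event log service on the target rather than after every record has crossed the wire.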