Searching an Event Log Using PowerShell

Suppose you want to search your event logs for the last time someone logged onto a server. PowerShell makes it easy. Or suppose you want to know the last time a certain event occurred.

To search the event log for events with a specific event ID using PowerShell, you can use the Get-EventLog cmdlet to retrieve the events and then use the Where-Object cmdlet to filter the events based on the event ID.

For example, the following command retrieves all events from the application event log and filters them by the “4624” event ID:

$Events = Get-EventLog -LogName "Application" | Where-Object { $_.EventId -eq 4624 }

This command retrieves all events from the Application event log and then uses the Where-Object cmdlet to filter them on the EventId property of each event object. The script block compares each event's EventId to 4624 with the -eq operator, which stands for "equal to."

You can specify any event ID that you want to search for by replacing the value “4624” with the desired event ID.
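As an added example, not part of the original post, the following script answers the question from the introduction (when did someone last log on?) without piping the whole log through Where-Object: Get-EventLog's own -InstanceId, -Newest and -After parameters discard non-matching entries before they reach the pipeline, which matters on a busy Security log with hundreds of thousands of entries. It assumes Windows PowerShell 5.1 and an elevated session, since reading the Security log requires administrator rights; logon events such as 4624 are written to the Security log, not the Application log. The Get-WinEvent call at the end is the equivalent for PowerShell 7, where Get-EventLog no longer exists.

```powershell
# Added example (not from the original post): find the most recent logon event (ID 4624).
# Assumptions: Windows PowerShell 5.1 and an elevated session (reading the Security log needs admin rights).

# Filtering inside Get-EventLog with -InstanceId and -Newest is far cheaper than piping the
# entire log through Where-Object, because only matching entries are materialized.
$LastLogon = Get-EventLog -LogName "Security" -InstanceId 4624 -Newest 1

if ($null -eq $LastLogon) {
    Write-Host "No 4624 events found in the Security log."
} else {
    # The 4624 message lists the account that logged on and the logon type
    # (2 = interactive, 3 = network, 10 = remote interactive / RDP).
    $LastLogon | Select-Object TimeGenerated, EventID, MachineName, Message | Format-List
}

# Restrict the search to a time window with -After / -Before, here the last 24 hours.
$Since  = (Get-Date).AddDays(-1)
$Recent = Get-EventLog -LogName "Security" -InstanceId 4624 -After $Since
Write-Host ("Logon events since {0}: {1}" -f $Since, @($Recent).Count)

# Get-EventLog exists only in Windows PowerShell. On PowerShell 7 use Get-WinEvent, which
# filters at the source with -FilterHashtable and also reads remote hosts and saved .evtx files.
$LastLogonWinEvent = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 1 -ErrorAction SilentlyContinue
$LastLogonWinEvent | Select-Object TimeCreated, Id, Message | Format-List
```

The -ErrorAction SilentlyContinue on Get-WinEvent is there because it raises an error rather than returning nothing when no event matches the filter.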

You can also use the Get-EventLog cmdlet to search for events in other logs, such as the system event log or the security event log. Simply specify the name of the log that you want to search in the -LogName parameter. For example:

$Events = Get-EventLog -LogName "Security" | Where-Object { $_.EventId -eq 4624 }

You can then print $Events to the console to see the results.

The Get-EventLog cmdlet returns events as objects, with each object representing a single event. The properties of the event objects, such as EventId, TimeGenerated, and Message, can be accessed using dot notation, as in $Event.EventId or $Event.TimeGenerated.

However, when you use the Format-Table cmdlet to display the events, only the properties that are included in the table view will be shown. By default, the Format-Table cmdlet includes only a limited set of properties in the table view.

To include the EventId property in the table view, you can use the -Property parameter of the Format-Table cmdlet to specify the properties that you want to include. For example:

$Events | Format-Table -Property EventId, TimeGenerated, Message

This command displays the EventId, TimeGenerated, and Message properties of each event in a table.

Keep in mind that the properties that are available on the event objects depend on the log and the type of event. Not all properties will be available for all events.

If you want to work with each event object individually, you can also loop over the results with ForEach-Object.

$Events | ForEach-Object {
    Write-Host $_.EventId
}

The ForEach-Object cmdlet will iterate through each event in the $Events collection, and the code inside the loop will be executed for each event. The $_ variable represents the current item being processed by the loop. In this case, the $_.EventId property of the current event is accessed and printed to the console using the Write-Host cmdlet.
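The following added example, not code from the original post, builds on the ForEach-Object loop above to produce something a defender would actually read: the latest logon per account, with logon type and source address, from the 4624 events in the Security log. Instead of parsing the localized Message text it reads the event's ReplacementStrings array, which holds the raw fields in a fixed order. It assumes Windows PowerShell 5.1, an elevated session, and the standard 4624 field layout (index 5 = target account, 8 = logon type, 18 = source IP); if your events carry a different layout, inspect $Events[0].ReplacementStrings and adjust the indexes.

```powershell
# Added example (not from the original post): summarize the latest logon per account.
# Assumptions: Windows PowerShell 5.1, an elevated session, and the standard 4624 field
# order in ReplacementStrings (5 = target account, 8 = logon type, 18 = source IP).

$Events = Get-EventLog -LogName "Security" -InstanceId 4624 -Newest 2000

$Logons = $Events | ForEach-Object {
    # $_ is the current EventLogEntry; ReplacementStrings holds the raw event fields,
    # so no parsing of the localized Message text is needed.
    [PSCustomObject]@{
        Time      = $_.TimeGenerated
        Account   = $_.ReplacementStrings[5]
        LogonType = $_.ReplacementStrings[8]
        SourceIp  = $_.ReplacementStrings[18]
    }
}

# Skip machine accounts (trailing $) and the SYSTEM / ANONYMOUS LOGON entries that dominate the log,
# then keep the newest entry for each remaining account.
$Logons |
    Where-Object { $_.Account -notmatch '\$$' -and $_.Account -notin @('SYSTEM', 'ANONYMOUS LOGON') } |
    Group-Object Account |
    ForEach-Object {
        $Latest = $_.Group | Sort-Object Time -Descending | Select-Object -First 1
        [PSCustomObject]@{
            Account   = $_.Name
            LastLogon = $Latest.Time
            LogonType = $Latest.LogonType
            SourceIp  = $Latest.SourceIp
            Count     = $_.Count
        }
    } |
    Sort-Object LastLogon -Descending |
    Format-Table -AutoSize
```

Emitting a [PSCustomObject] from the loop rather than calling Write-Host keeps the results as objects, so they can be grouped, sorted, exported with Export-Csv, or fed into a further Where-Object filter (for example, only LogonType 10 to review remote desktop sessions).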

Author: jamilpremji
