Summarize A Folder of Event Logs with PowerShell

Sometimes you want a quick summary of the errors and warnings across the many Windows event logs on a system. Point this script at a folder of event logs to get a summary!

<#
.SYNOPSIS
Provides a summary of event log errors
.DESCRIPTION
When pointed to a folder of Windows Event Logs (.evtx files),
provides a summary of all critical/warning/error events,
sorted from most frequent to least frequent,
in the format <Event log filename> - <Event log message>
.EXAMPLE
Get-EventSummary -Path C:\windows\system32\winevt
.EXAMPLE
Get-EventSummary -Path C:\eventlogs -Recurse
.EXAMPLE
Get-EventSummary -Path c:\eventlogs | Out-GridView
.EXAMPLE
Get-EventSummary -Path C:\eventlogs | Export-Csv C:\support\out.csv
.PARAMETER Path
Path containing the Windows event log files (.EVTX format)
.PARAMETER Recurse
If specified, subfolders will also be searched for .EVTX files.
.LINK
#>
[CmdletBinding()]
Param(
    [Parameter(Mandatory=$true)]
    [string]$Path,
    [switch]$Recurse
)

# Level 1 = Critical, 2 = Error, 3 = Warning
$CriticalWarningErrorFilter = @'
<QueryList>
  <Query Id="0">
    <Select>*[System[(Level=1 or Level=2 or Level=3)]]</Select>
  </Query>
</QueryList>
'@

# Key: "<file> - <message>", value: number of occurrences
$eventCount = @{}

if ($Recurse)
{
    $files = Get-ChildItem -Path $Path -Filter "*.evtx" -Recurse
}
else
{
    $files = Get-ChildItem -Path $Path -Filter "*.evtx"
}

ForEach ($file in $files)
{
    Write-Host "Searching $file for Warnings/Errors"

    # ErrorAction = Ignore, so an error is not thrown when no events match the filter
    $events = Get-WinEvent -Path $file.FullName -FilterXPath $CriticalWarningErrorFilter -ErrorAction Ignore

    # $evt rather than $event, because $event is a PowerShell automatic variable
    ForEach ($evt in $events)
    {
        if ($null -ne $evt.Message)
        {
            $eventCount["$file - $($evt.Message)"]++
        }
    }
}

return ($eventCount.GetEnumerator() | Sort-Object Value -Descending)
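
The script above keys its counts on the full message text, so events whose messages embed variable data (process IDs, paths) are counted as separate entries, and events with no message text are skipped. As an added example (not the original author's code), this variant groups by provider, event ID and level instead. The function name Get-EventIdSummary and the output column names are assumptions made for illustration.

```powershell
# Added example, not part of the original script.
# Get-EventIdSummary and its output column names are hypothetical.
function Get-EventIdSummary {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true)]
        [string]$Path,
        [switch]$Recurse
    )

    # Same severity filter as the original script, as a bare XPath expression
    $xpath = '*[System[(Level=1 or Level=2 or Level=3)]]'
    $levelName = @{ 1 = 'Critical'; 2 = 'Error'; 3 = 'Warning' }

    $rows = foreach ($file in Get-ChildItem -Path $Path -Filter '*.evtx' -Recurse:$Recurse) {
        # SilentlyContinue: a log with no matching events is not an error here
        $records = Get-WinEvent -Path $file.FullName -FilterXPath $xpath -ErrorAction SilentlyContinue
        if (-not $records) { continue }

        foreach ($g in ($records | Group-Object -Property ProviderName, Id, Level)) {
            $sorted = @($g.Group | Sort-Object TimeCreated)
            $newest = $sorted[-1]
            # Message can be empty when the provider's message files are not
            # installed on the machine reading the log; keep the event anyway
            $sample = if ($newest.Message) { ($newest.Message -split '\r?\n')[0] }
                      else { '(no message text available)' }
            [pscustomobject]@{
                Count     = $g.Count
                Log       = $file.Name
                Provider  = $newest.ProviderName
                EventId   = $newest.Id
                Level     = $levelName[[int]$newest.Level]
                FirstSeen = $sorted[0].TimeCreated
                LastSeen  = $newest.TimeCreated
                Sample    = $sample
            }
        }
    }
    $rows | Sort-Object Count -Descending
}

# Usage, with the example paths from the script's help:
# Get-EventIdSummary -Path C:\eventlogs -Recurse | Export-Csv C:\support\out.csv -NoTypeInformation
```

FirstSeen and LastSeen show whether a noisy event is still recurring or stopped at some point, which helps when deciding what to look at first.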

About chentiangemalc

specializes in end-user computing technologies. disclaimer 1) use at your own risk. test any solution in your environment. if you do not understand the impact/consequences of what you're doing please stop, and ask advice from somebody who does. 2) views are my own at the time of posting and do not necessarily represent my current view or the view of my employer and family members/relatives. 3) over the years Microsoft/Citrix/VMWare have given me a few free shirts, pens, paper notebooks/etc. despite these gifts i will try to remain unbiased.