Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

How to pull eventlogs during the last week only 1

Status
Not open for further replies.

pandu101

MIS
Sep 20, 2010
17
US
Hello,

I use the following code to get events from the security log, by computername and event id. I need to take it one step further. I want to pull these events that occurred during the last week. How can I modify the command below to do this? I know it has something to do with TimeGenerated but not sure how to structure it so that only the last week's events are pulled. TIA

Code:
Get-WmiObject -Class win32_NTLogEvent -filter "logfile = '$log' and EventCode = '$eventID'" -computerName $computerName
 
Actually the full code is this:

Code:
Function Get-EventsByWmi($computerName,$log,$eventID) #the params defined above are used as inputs here in the function definition
{
 Get-WmiObject -Class win32_NTLogEvent -filter "logfile = '$log' and EventCode = '$eventID'" -computerName $computerName 
} #end
 
If you have or can upgrade to PowerShell v2, the Get-EventLog cmdlet has been updated to include -After <DateTime> and -Before <DateTime> parameters. In place of your Get-WmiObject statement you should be able to do something like this
Code:
Get-EventLog -LogName $log -ComputerName $computerName -After (Get-Date).AddDays(-7) | Where {$_.eventID -eq $eventID}

Sadly enough the cmdlet doesn't have an EventID parameter, which is why the pipe to Where is needed.

You could probably add
Code:
and TimeGenerated > $timeperiod
to your WMI -filter, but you'd have to search for how to convert the time to the format expected by TimeGenerated.
 
Thanks crobin1! But I heard that get-eventlog does not run remotely, that is why I am using WMI to get the event log remotely. But maybe in v2 of Powershell, they might have added the ability to run it remotely also?
 
In PowerShell v1 Get-EventLog could not run against remote computers, but in v2 they added the -ComputerName parameter (as in the code above). This lets you retrieve logs from remote computers, even if the remote computer does not have PowerShell installed.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top