Category filter
Script to Fetch Windows device logs
Windows device logs are detailed records of events in the operating system or the installed applications. As a system administrator, you can analyze these logs to troubleshoot any particular issue that occurs on the device. With Hexnode’s Execute Custom Script action, you can push custom scripts to remotely fetch the device logs on your Windows devices.
The sample scripts provided below are adapted from third-party open-source sites.
PowerShell script
To view the list of available event logs available on the Windows device, you can run the following command:
|
1 |
Get-EventLog -List |
The Get-EventLog cmdlet can be used to access the event logs of a Windows device. You can invoke various parameters along with the Get-EventLog cmdlet to filter and fetch only the required logs. The LogName is a mandatory parameter used to fetch device logs using PowerShell. The LogName parameter specifies the name of the event log for which the log is to be fetched.
Get the latest entries from an event log
To fetch only the recent entries from a specific event log, you can invoke the Newest parameter along with LogName, and specify the required number of the log entries.
For example, to fetch the latest five entries from the System event log:
|
1 |
Get-EventLog -LogName System -Newest 5 |
Get error events from a specific event log
You can retrieve only the error events by invoking the EntryType parameter.
For example:
|
1 |
Get-EventLog -LogName System -EntryType Error |
Executing the above script will fetch only the error events from the System event log.
Get event logs from event tracing log files
The Get-EventLog cmdlet may not produce accurate results on Windows Vista and later versions. Therefore, it is recommended to use the Get-WinEvent cmdlet to retrieve events from event logs and event tracing logs from such devices.
To fetch the list of all the event logs present on the Windows device, you can execute the following command:
|
1 |
Get-WinEvent -ListLog * |
The Get-WinEvent cmdlet can fetch events from event logs and arrange them in the oldest to newest order. In addition, with various parameters along with this cmdlet, like the LogName parameter, it can fetch events from a specific event log (security logs in this case).
Get the recent entries from an event log
The following sample script explains how to fetch only the latest events from a specific event log.
|
1 |
Get-WinEvent -LogName Security | Sort-Object TimeCreated –Descending | Select-Object –First 10 | Format-List |
The Sort-Object cmdlet sorts out the event logs in an ascending/descending order based on the property defined (TimeCreated in this case).
The Select-Object cmdlet selects the events based on the property defined (‘first 10’ in this case), the number can be defined as per the requirement.
The Format-List cmdlet is used to format the information obtained from the event logs; it will help to lay out the information in a listed format. The results include event details, time created, ID, display name, and message from the event logs.
- It is recommended to manually validate the script execution on a system before executing the action in bulk.
- Hexnode will not be responsible for any damage/loss to the system on the behavior of the script.
