PowerShell: Filter shutdown events in the Windows event log

During system log analysis and auditing, system administrators often need to filter and count Windows shutdown events by hand. I used to do this directly in Event Viewer, but when you manage many servers, doing it manually becomes tedious and inefficient. So I thought of using PowerShell's Get-EventLog cmdlet to filter the shutdown events out of the Windows event log automatically.

Using the Get-EventLog cmdlet is super simple

Windows PowerShell provides two cmdlets for analysing event logs: Get-WinEvent, which is very powerful but more cumbersome to use, and Get-EventLog, which is fairly simple and filters results as you type. Today we'll go through the simple usage of Get-EventLog in detail.

Starting with Windows XP and Windows Server 2003, Windows includes the Shutdown Event Tracker, which keeps track of operating-system shutdown events and writes them to the System log under the USER32 source. We can therefore use the Get-EventLog cmdlet directly to search the System log for these events:

Get-EventLog -LogName system -Source user32

For an administrator or user there are two kinds of shutdown events: normal shutdowns and abnormal shutdowns. Usually we are only interested in abnormal shutdowns, such as those caused by a blue screen or a power failure.

To filter the shutdown events, we can group them by EventID with the following command:

Get-EventLog -LogName system -Source user32 | group EventID

As you can see from the figure above, we currently have only EventID 1074, occurring 25 times in total.

If you want to see the details of a shutdown event, pipe it into the Format-List cmdlet to format the output (fl is an alias for Format-List):

Get-EventLog -LogName system -Source user32 -Newest 1 | fl *

The detailed output includes the machine name, the time the event was generated, the user name, the message and so on, from which we can selectively output the useful fields. For example, if we are only interested in the time the shutdown event was generated (TimeGenerated) and its message (Message), we can output just those:

Get-EventLog -LogName system -Source user32 | Select TimeGenerated, Message

From the figure above we can see that the shutdown events are listed in chronological order. If you want to sort them by the process that initiated the shutdown, you can write it like this:

Get-EventLog -LogName system -Source user32 | Select TimeGenerated, Message | sort message

This looks a little better, but the Message column of the output is too long, so let's tidy it up:

Get-EventLog -LogName system -Source user32 | Select TimeGenerated, Message | sort message | ft -Wrap

By now you should have a basic understanding of how to filter shutdown events in the Windows event log with PowerShell's Get-EventLog cmdlet; it really is very simple to use. Combined with PowerShell's remote management features, you can collect this information from many servers in batch very conveniently.
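As an added example (not code from the original post), here is a function that wraps the filters above into a reusable report: it pulls the USER32 1074 events from several servers, extracts the shutdown type, initiating process and user from the event's insertion strings, and also picks up EventLog 6008 entries, which is where unexpected shutdowns (blue screen, power loss) actually appear. The server names are placeholders.

```powershell
# Added example: collect shutdown events from one or more servers as objects that are
# easy to group, sort and export. Assumes the caller can read the System log on each
# target and the remote Event Log service is reachable (-ComputerName uses RPC, not WinRM).
function Get-ShutdownReport {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [datetime]$After = (Get-Date).AddDays(-30)
    )
    foreach ($computer in $ComputerName) {
        # Tracked shutdowns/restarts: Shutdown Event Tracker, source USER32, EventID 1074.
        # ReplacementStrings are the locale-independent insertion strings; for 1074:
        # 0 process, 1 computer, 2 reason text, 3 reason code, 4 shutdown type, 5 comment, 6 user.
        Get-EventLog -LogName System -Source USER32 -After $After -ComputerName $computer |
            Where-Object { $_.EventID -eq 1074 } |
            ForEach-Object {
                $s = $_.ReplacementStrings
                [pscustomobject]@{
                    ComputerName  = $computer
                    TimeGenerated = $_.TimeGenerated
                    EventID       = $_.EventID
                    Kind          = 'Tracked'
                    ShutdownType  = $s[4]
                    Process       = $s[0]
                    User          = $s[6]
                    Reason        = $s[2]
                }
            }
        # Unexpected shutdowns are not written by USER32; the Event Log service records them
        # at the next boot as EventID 6008 "The previous system shutdown ... was unexpected".
        Get-EventLog -LogName System -Source EventLog -After $After -ComputerName $computer |
            Where-Object { $_.EventID -eq 6008 } |
            ForEach-Object {
                [pscustomobject]@{
                    ComputerName  = $computer
                    TimeGenerated = $_.TimeGenerated
                    EventID       = $_.EventID
                    Kind          = 'Unexpected'
                    ShutdownType  = 'unexpected'
                    Process       = $null
                    User          = $null
                    Reason        = $_.Message
                }
            }
    }
}
# Count events per server and kind, then list the unexpected ones in chronological order.
$report = Get-ShutdownReport -ComputerName 'SERVER01', 'SERVER02'   # placeholder names
$report | Group-Object ComputerName, Kind | Select-Object Count, Name | Format-Table -AutoSize
$report | Where-Object Kind -eq 'Unexpected' | Sort-Object TimeGenerated | Format-Table -Wrap
```

Pipe `$report` into Export-Csv to keep a record per audit run.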


Origin blog.csdn.net/yihuliunian/article/details/91042515