PowerShell is an excellent tool for searching through Windows event logs. I find myself using it more and more these days as it enables me to find the information I need much quicker than using the filter feature of the Event Viewer snap in.
The cmdlet to use for searching the event logs is get-eventlog. For the full help file from PowerShell, enter the following
helpGet-EventLog-Full
The get-eventlog cmdlet uses the switch -LogName. This is used to specify the event log you want to search, eg System, Application etc.
To get a list of available event logs, enter
Get-EventLog-List or Get-EventLog-LogName*
You can then list all events from that event log with the command Get-EventLog -LogName LogName Eg,
Get-EventLog-LogNameSystem
This will return everything from the event log, probably hundreds or even thousands of events, so the next job is to filter for the events you are interested in.
We can examine an individual event log to get an idea of how to filter
Get-EventLog-LogNameSystem-Newest1
This command will return the most recent System event log
The information displayed is a subset of the complete data available for this event log. PowerShell will automatically select the columns to display so that it fits easily on the screen. To see everything, we need to pipe the output to the format-list cmdlet.
Get-EventLog-LogNameSystem-Newest1|Format-List-Property* This command returns all the properties and values for this event log
Now you can see all the familiar properties of the event, such as EventID, EntryType, Time Written etc. I can now filter my result based on one or more of these properties.
For example, show all events where the message contains "the service entered the stopped state" show all events where the event id equals 41 and the date is 10 Jan 2015 show all events where the EntryType is error, the source is Asp.Net or .Net runtime and the date is between 01 Jan - 10 Jan 2015
All of this is achieved by piping the results of get-eventlog to the where-object cmdlet
Get-EventLog-LogNameSystem|Where-Object { $_.Message -like"*the service entered the stopped state*" }
In this example you can see that I have used the Message property of the event and the -like operator to match it to the text I am looking for.
Get-EventLog-LogNameSystem|Where-Object { $_.EventID -eq41-and$_.TimeWritten -like"01/14/2015*" } In this example you can see that I have used the EventID and TimeWritten properties of the event $_.EventID -eq 41 $_.TimeWritten -like "01/14/2015*"
The -and operator links these two properties together
In this example I use the date property of the get-eventlog results to filter the events before passing them to the where-object cmdlet. This is done using the -before and -after switches. After that, the where-object command is used in the same way as the previous examples.
The only difference is the two $_.Source properties are surround by brackets (). This is necessary so that the -or operator applies to only those two entries. I could add more $_.Source properties inside the brackets with additional -or operators if I wanted to increase this list beyond 2.
Windows Server 2003 running IIS 6 does not support the latest version of PowerShell, and will not allow the use of the WebAdministration module or the most recent IIS cmdlets (see this site for WebAdministration Cmdlets http://technet.microsoft.com/en-us/library/ee790599.aspx) To use PowerShell with IIS 6, you must use WMI, specifically the IIS WMI provider. To do this, use the Get-WmiObject cmdlet. The WMI namespace is root/Microsoftv2. The following link gives a list of classes that can be used: http://msdn.microsoft.com/en-us/library/ms525265(v=vs.90).aspx
WMI Classes
I experimented with the different classes to find the properties that I needed. For example IISWebServer will give information on each site, IISWebServerSetting will give more detailed information on each site. IISWebVirtualDir will give information on virtual directories and applications and IISWebVirtualDirSetting will again give more detail on virtual directories and applications.
For example, try running each of these commands, then view the results to see how the output changes. Get-WmiObject-Namespace"root/MicrosoftIISv2"-ClassIIsWebServer Get-WmiObject-Namespace"root/MicrosoftIISv2"-ClassIIsWebServerSetting Get-WmiObject-Namespace"root/MicrosoftIISv2"-ClassIIsWebVirtualDir Get-WmiObject-Namespace"root/MicrosoftIISv2"-ClassIIsWebVirtualDirSetting
The next step is to use the where-object and select-object cmdlets to display only the results you want.
Eg. This command will return a list of sites by site ID Get-WmiObject-Namespace"root/MicrosoftIISv2"-ClassIIsWebServer|Select-Object-ExpandPropertyName
Whereas this command will return a specific site by specifying the site ID Get-WmiObject-Namespace"root/MicrosoftIISv2"-ClassIIsWebServer|Where-Object { $_.Name -like"W3SVC/123456789" }
Also, this command will return a specific site by specifying the site ID along with all the settings for that site Get-WmiObject-Namespace"root/MicrosoftIISv2"-ClassIIsWebServerSetting|Where-Object { $_.Name -like"W3SVC/123456789" }
I was interested in listing all Physical Paths that were being used by each site in IIS. For this I need the IISWebVirtualDirSetting class and the Path property
I put this all together into a script that will output the site name followed by a list of all Physical Paths in use by IIS. One of the challenges here was identifying a class that contained both the site name and physical path. This was not possible with one class, so I had to do it in stages.
I obtained theName property fromIIsWebServer class. This is the Site ID, and I can use this to filter bothServerComment property fromIIsWebServerSettingclass for a user friendly website name, and thepath property fromIIsWebVirtualDirSettingfor the Physical Path
One more thing to note is that I use -ExpandProperty rather than -Property to filter the results from the where-object and select-object cmdlets. This is to convert the output to a string. If I don't do this, I get the object itself, rather than a string containing the objects. To see what this actually means, try running these two commands and notice the difference in the results and the available methods and properties.
