2

I am trying to read all log files from EventLog using the Get-EventLog cmdlet.

Get-EventLog -LogName Application, Security -after 09/15/2016 -Before 09/17/2016

Instead of -LogName Application, I need all logs like Application, System, Security, etc.

Any help?

Andrey Marchuk
mansing shinde

2 Answers

4

You can get all the event logs like this:

(Get-WinEvent -ListLog * -ErrorAction SilentlyContinue).LogName

And then either do a loop across them to get events from each of the logs, or try to pass the entire array as -LogName, but I can imagine that the performance penalty will be huge in this case.

Also, Get-WinEvent was developed to replace Get-EventLog, so you might want to use it instead. Here's some info: http://blog.netwrix.com/2015/04/06/monitoring-event-logs-with-powershell/

Jon
Andrey Marchuk
1

Here is working code based on @andrey-marchuk's answer. All the logs are appended to a single file (⚠ save the file with encoding UTF-8 with BOM because of the @).

$Begin = '10/02/2022 09:00:00'
$End = '10/02/2022 09:15:05'
$path = "C:\Users\user\Desktop\logevent\\"
# Create the output folder if it does not exist yet
If (!(Test-Path $path))
{
    New-Item -ItemType Directory -Force -Path $path
}
$datetimenow = [DateTime]::Now.ToString("yyyy_MM_dd HH_mm_ss")
# Names of all event logs registered on the machine
$allLog = (Get-WinEvent -ListLog * -ErrorAction SilentlyContinue).LogName
foreach ($lognameName in $allLog) {
    # A log with no events in the window reports a non-terminating error; the loop continues
    Get-WinEvent -FilterHashtable @{LogName = $lognameName; StartTime = "$Begin"; EndTime = "$End" } | Select-Object * | Out-File -Encoding UTF8 -Append "$path $datetimenow winevent.txt"
}

If you want to retrieve only specific info of the events, then replace Select-Object * by something like Select-Object TimeCreated, ID, LogName, Source, LevelDisplayName, Message


If you want separate files for each logname, you can do this, but be careful, this will create > 400 files:

$Begin = '10/02/2022 09:00:00'
$End = '10/02/2022 09:15:05'
$path = "C:\Users\user\Desktop\logevent\\"
# Create the output folder if it does not exist yet
If (!(Test-Path $path))
{
    New-Item -ItemType Directory -Force -Path $path
}
# Names of all event logs registered on the machine
$allLog = (Get-WinEvent -ListLog * -ErrorAction SilentlyContinue).LogName

foreach ($lognameName in $allLog) {
    # Log names such as "Microsoft-Windows-.../Operational" contain "/", which is not valid in a file name
    $lognameFile = $lognameName.Replace("/", "-")
    $datetimenow = [DateTime]::Now.ToString("yyyy_MM_dd HH_mm_ss")
    # One output file per log
    Get-WinEvent -FilterHashtable @{LogName = $lognameName; StartTime = "$Begin"; EndTime = "$End" } | Select-Object * | Out-File -Encoding UTF8 -FilePath "$path $datetimenow winevent $lognameFile .txt"
}
MagTun
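
An added example, not part of either answer: a variant of the loop above that queries only enabled, non-empty logs, passes the window as [datetime] values, and records the logs that failed to read while ignoring the expected "no events" error. The time window, output folder and file names are assumed values; reading the Security log needs an elevated session or Event Log Readers membership.

```powershell
# Added example, not code from the answers. Window, folder and file names are assumptions.
$Begin  = [datetime]'2022-10-02T09:00:00'   # constructed window, ISO format avoids culture ambiguity
$End    = [datetime]'2022-10-02T09:15:05'
$OutDir = Join-Path $env:USERPROFILE 'Desktop\logevent'
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# Enumerate every log, but only query those that are enabled and actually hold records.
# This avoids hundreds of pointless queries against empty or disabled channels.
$logs = @(Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.IsEnabled -and $_.RecordCount -gt 0 })

$skipped = @()
$events = foreach ($log in $logs) {
    try {
        Get-WinEvent -FilterHashtable @{
            LogName   = $log.LogName
            StartTime = $Begin
            EndTime   = $End
        } -ErrorAction Stop
    }
    catch {
        # "No matching events" is normal for most logs in a short window.
        # Any other failure (for example access denied) is recorded for review.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            $skipped += [pscustomobject]@{
                LogName = $log.LogName
                Error   = $_.Exception.Message
            }
        }
    }
}

$stamp = Get-Date -Format 'yyyy_MM_dd_HH_mm_ss'

# One CSV, sorted by time, so events from different logs can be read as a timeline.
if ($events) {
    $events | Sort-Object TimeCreated |
        Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName, Message |
        Export-Csv -Path (Join-Path $OutDir "winevent_$stamp.csv") -NoTypeInformation -Encoding UTF8
}

# Listed logs that could not be read are written out so gaps in coverage are visible.
if ($skipped) {
    $skipped | Export-Csv -Path (Join-Path $OutDir "skipped_$stamp.csv") -NoTypeInformation -Encoding UTF8
}

'{0} events from {1} logs queried; {2} logs unreadable' -f @($events).Count, $logs.Count, $skipped.Count
```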