Search through event logs using Get-WinEvent: Reference
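# Get the full list of event log names to use in filters.
Get-WinEvent -ListLog *

# Get errors and warnings from multiple logs in a time period (last day).
# Level and StartTime go into -FilterHashtable so the event log service does
# the filtering, instead of piping every record through Where-Object.
# Numeric levels (2 = Error, 3 = Warning) match regardless of the display
# language, whereas LevelDisplayName is a localized string.
# Note: Get-WinEvent writes a "no events were found" error when nothing
# matches the filter; that is an empty result, not a failure.
$StartDate = (Get-Date) - (New-TimeSpan -Days 1)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Application', 'System'
    Level     = 2, 3
    StartTime = $StartDate
}

# Search for events in a specific time period.
# A time-only value such as "12:20pm" resolves to today's date; give a full
# date and time when reviewing an earlier day.
# '**' is a wildcard-only placeholder: put the text to look for between the
# asterisks, or drop the Where-Object stage to keep every event in the window.
Get-WinEvent -FilterHashtable @{
    LogName   = "Microsoft-Windows-TerminalServices-SessionBroker/Operational"
    StartTime = "12:20pm"
    EndTime   = "12:25pm"
} | Where-Object { $_.Message -like "**" }

# Find events by ID.
# In the System log, ID 1074 records a shutdown or restart initiated by a
# user or process, which makes it useful when building a reboot timeline.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074 } |
    Format-Table TimeCreated, Id, Message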
# Find specific text in the message.
# The Message comparison runs client-side on every record the filter returns,
# so narrow the hashtable (log, ID, time range) where possible.
Get-WinEvent -FilterHashtable @{ LogName = 'System' } |
    Where-Object { $_.Message -like "*USB*" }

# Get events from remote computers.
# -ComputerName connects as the current user; that account needs permission
# to read event logs on each target (Get-WinEvent also accepts -Credential).
# '**' is a wildcard-only placeholder: put the text to look for between the
# asterisks.
$servers = @("server1", "Server2")
$servers | ForEach-Object {
    Get-WinEvent -ComputerName $_ -FilterHashtable @{
        LogName = "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
    } | Where-Object { $_.Message -like "**" }
}