From YouTube: PSS: Search Event Logs Like A Boss with Phil Bossman
Description
PowerShell Saturday is a training event for all things PowerShell. The event was held in Raleigh North Carolina and hosted by Research Triangle PowerShell User Group.
In this session Phil Bossman discusses Event logs. Phil will share with you some tips and tricks to searching the event log, and how PowerShell can help you supercharge event log searches.
The files for Phil's slides and code can be found on our github page:
https://github.com/rtpsug/PowerShell-Saturday/tree/master/2019-NC.State
All right, well, thanks everybody for coming to this session, and I'm glad to have the first session of the day. The session is Searching Event Logs Like a Boss. I am Phil Bossman, so that you know, it's the best little pun you'll get, and I'm very sorry for it. So certainly I would thank the sponsors we currently have up front here and everybody else. So that's your generic slide: who I am. I am an end user computing architect.

Basically, what it means is I manage applications and delivery of applications across an environment: Citrix, AD, VMware and stuff like that, using PowerShell for many years, since v2. I'm also the co-leader of the PowerShell user group; you kind of heard some of that. I'm also super excited: I'm going to do a chapter in the PowerShell Conference Book, and we're super excited they'll be raffled off this afternoon as well. So two copies will be raffled off this afternoon. You can find me on Twitter, I'm @Schlag.

There are websites, .com and the like, but I don't really tweet, I don't really blog very often. Mike's trying to get me to do that more often because he's a big blogger, but more about that later. So let's get into the content, because really that's the next slide: hey, let's talk about content, let's get into the weeds, so here we go.

Let's go to... this is where we want to be, VS Code. All right, so event logs. Everybody is working with Windows event logs at this point. Now that PowerShell is Core and you can go cross-platform, we're talking about Windows event logs. Okay, a brief history at this point: whenever you're working with PowerShell at this point, everybody should know... I'm not screen-sharing. Oh, you know what, that's why, I'm sorry, you guys have told me that I'm not showing.

Sorry about that. Okay, so if you're fairly new to PowerShell, or you're not doing it already, you should be using Get-Help. Okay, so let's Get-Help. Why is it important? It basically gives you a bunch of information, and I like it with -ShowWindow, because you can do searching; you can search and get the parameters, it gives examples and such. So the first thing is, when you...

So the reason I point that out is there are certain things that you can do with Get-EventLog which are limited, and we'll move on later. Okay, so again, kind of what is the event log? The event log is the dumping ground for information, where Microsoft puts all its information into events, and all the relevant application events at that point. So you have Application, services, yeah. So Get-EventLog: here are all the available parameters. There's also a way to get the newest, before ComputerName.

I made this bigger, so this is the same thing you'd normally see when you're looking at the event logs, but this is PowerShell, and you're going to probably hear me say that multiple times: this is PowerShell. So what does that mean? You need to feel the power and use the power of the shell. That's my term: use the power of the shell. So we have basically a bunch of columns.

Well, that's kind of similar to what we see here when we open the log: here we have all these different parts we can look at, and it's pretty much the same. So what's the value at that point? Effectively, these are all individual objects, so you can select out the newest one. You can then pass in parameters like "give me all the ones that are this particular ID."

You can still do some of that filtering inside the GUI version, but the value becomes that I can do this on a machine and then, hey, dump this to an Excel file, I can dump this to a CSV and I can then parse it. Okay, so what we looked at before with the parameters: you can reference remote computers, so we're just going to my lab using localhost. You can define the log type. Okay, the type: there's the System log. We want just the Information entries and then we want the newest 20.

Just the first 20 of that Information log. But the point is we're going to use PowerShell to our benefit. This is PowerShell. So, hey, give me the Application log, okay, but there's no reason why I couldn't throw in other PowerShell code inside of your other working process, like if I went after a date. Well, the system itself wants you to say "give me this particular date." Well, I can infer it, I can dynamically generate that date by something else, like some other PowerShell code: so give me the date, go back a couple of hours, and that's the date.

And so here it is: back one hour plus 11 hours now. I'm just doing this just so I get everything today. But again, here we go with PowerShell. If you haven't been working with PowerShell very long, there's something called splatting involved, so instead of having this long single line that runs into multiple lines, this whole piece is roughly the exact same as that thing. So give me the log name; I can infer again, we didn't do an add and remove at this point, but I can just define a particular date and give me the first 20. So you can take some of those parameters and put it that way from there.

So Get-Member: as I briefly talked about before, when you're working with PowerShell, what's coming back is not just line items, it's not, excuse me, it's not a table. It's not a table of text. It's actually objects, full objects that are instantiated; they have methods, they have properties, and they have script properties as well. And so you can get the type, you can get that, but here's all the properties that we normally see in table form, and the reason we do that is so that we can then use the data later on. Inside Get-EventLog, one of the downsides, or limitations, of Get-EventLog is that you're only limited to the canned stuff. Only the stuff listed right here is what we've got; it's a bit long, so later on we'll get to it. So we can get into all of this advanced stuff down here, and that will come later on when we move to the next cmdlet.

So Get-EventLog: you can get any one of these. If you just run Get-EventLog and list the logs, you get a list of logs, so you figure out what logs are available to you. It also gives you a count of how many entries are in there, so how big it is and then how many entries. Of course Security is huge, but there are events for PowerShell itself. So PowerShell is logging in your system. But so here's another example using Get-EventLog: this is PowerShell, okay, so I'm going to just walk through this really quickly. In the old way we're going to use the pipeline.

Do that, so I can then group them all, and then I want to throw in the count, then a name, I'm going to figure out what the source is, and I'm going to uniquely join all the groups together, and then I'm going to sort it. So what are we going to get here? And then we'll explain what we got.

So what is this doing? I got everything out of the Application event log, okay, and for every ID in there figured out what sources there are. So that's really what we're doing here: grouping everything by ID, so I'm counting all the IDs, then I get the count and the name, and then I dynamically generate what source they came from. So that may be information that we kind of see.

Starting off there: if you're dealing with something old, the effective old way of doing it, because if you're still with 2008 R2 servers or you only have PowerShell 2, that's the limitation which you have. So you still have a lot of power, but really that's all you do: you do some piping, you can do some organization, you can do some sorting. That's what you can do with it.

So Get-WinEvent is the newer version of PowerShell's event log tracker. Okay, so you still have the normal things we talked about. I think, if we look at it here, the available parameters are more. You have more parameter sets, as the term is called, so you can get it based upon log name, you can list all the logs available to you, there's something called the provider, so based upon the provider set that's there, you can list them there; you can list the providers.

You can then also say I want to get some data based upon a hash table. I want to give Get-WinEvent the hash table, kind of like we did with that splatting thing, but give it a hash table and then go get me my events based upon that. You can also create an XML and do that, and then you can actually define the path itself, and so we'll get to some of those other things.

So just like we did before, this looks fairly similar to the output of Get-EventLog, but it's slightly different because it groups all the events by their provider name, so you can kind of see, hey, I have so many of these events and those events in that regard. And anybody stop me if I'm just rambling on a tangent at that point, so if you have any questions, let me know.

So we looked at Get-EventLog before and those object types. There are more properties, excuse me, available to us with Get-WinEvent; it's a richer object type, so it's actually called an EventRecord, and so it actually has its own parts, and we'll get to ToXml pretty soon, and that's really one of the powers of it. One of the other things, a limitation of Get-EventLog...

One of the reasons why I enjoy Get-WinEvent is that you can actually pass in a credential object to Get-WinEvent and go reference somebody else's event log remotely using a particular credential, or even locally itself. So I run my machine as my regular account; I don't let my regular account have admin rights on my own machine, but if I need to reference even my own computer's or another computer's event log, I can then pass in an admin credential to Get-WinEvent, and now I can reference it.

We talked before about what event logs are available to us. By using Get-WinEvent you actually have access to all the extended Windows event logs that are out there, assuming that there's data in them. And the other point is that you can save out your System log, you can save out the logs themselves, so here's an example: actually I took the event logs from another machine, from some random client, and I put them here, and then I did this. So then I could reference that person's event log and use it.

At that point we don't really need to talk about it, or you can go to the last session. Somebody asked me about scrub data, and so a lot of things that you're going to see here: I was going to generate an entire lab and build some generic stuff. So this is real data, and I created a function called scrub data, and it just dumps out all my stuff so I can present it, and so that's done dynamically. So yeah, question? [Audience: there was a program, a program eventvwr.exe?] Mm-hmm. What does that do, where's... Event... viewer, oh, that's the Event Viewer. Oh sorry, gotcha: that is what opens up the dialog, that opens this. Gotcha. That's what this is. Oh yeah! Thanks, eventvwr, I see.

Sorry. Okay, so we talked... I'm not going to repeat the idea that all the same PowerShell functionality that you got before when you're working with Get-EventLog, you can sort, pipe, you can pass in particular parameters, but now what else can we do at this point?

So one of the available parameters is FilterHashtable, which we kind of talked about, but here are some potential properties that you can pass into a hash table and get individually: I can pass in a log name, a path, I can put all these particular variables into a hash table. So I want the provider name, it's PowerShell maybe, and then I want these two particular event IDs, so using that same fashion, keep it as is. Oh, I'm also going to put it in a variable. So what value is that?

Let's actually look at what's inside that. So here are all the event logs individually, so you can then generate or get the values from somewhere else. You can generate the hash table and pull the parts you need, but the idea is that we can then use that information: I dump it to a variable, take that variable, pass it into a Select, and then I can parse out the different pieces. I can then throw it into Out-GridView, in case nobody's ever seen that before.

So now, at this point, here are all the events that are available to me. If you also don't work with... so there is a thing called Get-Event... or Out-GridView, all right, I keep saying event, so Out-GridView. So now, hey, I only want events with 300, yeah, these look like the events I'm looking for, so then you go highlight them.

Okay, and you pass them through, and what got dumped out was just those two items. So using the power of the shell: there are a lot of other cmdlets available to you. So that's also a gem that people have asked me about before when I presented this talk: it is Out-GridView. So you can do some of that kind of stuff, and you can run a script, or you can build a script that you then give to other people, and hey, now I...

...in this fashion, getting everything where there is a principal name: give me all the Group Policy events where there is a principal name, and then figure out what their ID and description is. So if you're looking for an event, sometimes when people search event logs, they go, hey, give me all the logs where the message equals all this other stuff, and then you're doing this whole regex and parsing to try and figure out, well, if it's not this, and then now I'm trying to combine, because it's a message, it's like five lines long, I need something from line 12 and I need something from line 2; that becomes cumbersome. And effectively it's just formatting, because of these provider types, and so you can kind of see in here: it is variables that are put into the string. So this is just kind of a good example. It's all on one line and there are variables in any line.

So here's a good practical example: hey, looking at the event log, it just put out two errors. Well, are these real errors, and what are these errors for? It looks like, when we did an Office 2013 to 2019 upgrade, there were a bunch of errors that were thrown up in the event log. So is it a problem? Is it not a problem? So I get them all, and again, each item is just the parameter at this point, and it's of type error, but also, because it is an EventRecord type, as we looked at before, we have a bunch of methods available to us. One of those methods is ToXml. Now I agree, if anybody likes XML, you know, I can pick you up, vacuum with you, but you know; it can be valuable in some fashion. But see now I have this object.

I got types that I can work with in this tree, and there are the binary parts; I have all the pieces I'm looking for, but now I can then use PowerShell to go get me the parts that I'm looking for. And so this is going to get a little bit complicated, but it might be easy to just walk through: so take all those events, pass them into the pipeline; if you're unfamiliar with PowerShell, this is a ForEach.

So before we had this message type that had a whole bunch of stuff: hey, I got this product, and this big old string, but I didn't want all that string, and I wouldn't do this, you know, formatting and pulling this part out, pulling that out; I didn't need to do that. I could then create an XML object in the middle and then pull out the parts I'm looking for and then pass it on, so I can then use it later on. And so that's what I now have in that fashion.

So again, I now have individual items; I can then take this to CSV, I can then dump it to something else, or that kind of stuff. It just goes down the pipe. Next thing we're going to look at: oh, so when you're working with event logs, let's just open an event. There are very few, not very few, there are some people who just look at event logs like this, in this fashion, but there's this thing over here, it's called the Details pane. So this is like the friendly view, but there's something called an XML view.

If I have to do it this way and another way and another way... but there's also this thing way up here, it's called XML. Hey, so as I inject stuff into this console, like the last seven days, it's now generating an XML filter. That's exactly what this is doing, so it's generating an XML filter for you, okay, and then it's filtering the event log based upon that. Okay, okay, nothing returned back from that event log alone, that type, because I mean just those items again.

Sorry. So at this point we're getting that kind of stuff, and I can also dynamically edit this query and I can copy this code down, so I can use the GUI to build the parts that I need and then I can go stick it into PowerShell. And that's kind of what we're going to do in just a second: so I created my filter and I copied it from the window, the Event Viewer itself, and I just stuck it in here, and I created, if you're unfamiliar with this as well, this is called a here-string. You can create a string that is multiple lines long, okay, and the only requirement is that the last line of the first part has to start with a quote, single quote or double quote, and then the bare terminator has to be on the very left side. So I put all this here, it's still the here-string; it has to be the very first thing on the line, so it has to end there. You can do multiple lines and all that kind of stuff.

Okay, so use that kind of thing: give me everything in the last seven days based upon the event log. And so, yeah, that's kind of nice, because I use this GUI to give me something, and then, what's the point of that? But this is PowerShell; it's just a string. I want to then... well, this is a little bit further on. We can also use XPath.

So when you're inside of here, there is this thing called XPath. XPath is a searching mechanism for searching XML documents. At that point you can pass in the entire XML itself, so declare your list: what application, I mean, what log, here's the log, and then you're searching in the path of that log, so you could search multiple event logs all at the same time and get them all back at the same time.

Here's star, basically everything: give me all the... search the entire event, which is really just an XML document, go into the System tree, then give me where there is a flag called Level equals 2, and event ID 2, or that. So you can use, again, it keeps growing... that same kind of thing, and we're building at that point. But I kind of like this in that fashion, because it's just XPath; I can then build this tree.

Yeah, yeah, you can pass in just the path. So, excuse me, yes, you're correct, but effectively we're dealing with strings here. We know how to inject variables into strings. We know how to add parts, so I can then, from an external source, external to the actual filter itself, say hey, I'm going to create a variable, here's the variable I have, and I can build that on the fly.

So I do this quite often in my environment: I'll have a generic filter and then I will individually select off different things. I'll have like one-liner scripts and go give me all the events for this, but I have a filter that'll give me the events, but then events for whom or where, I don't really know, so I pass it a couple of variables and then pass it the computers I want, and then it'll go.

So that's kind of what we're doing here, so I can do it dynamically. These are kind of examples of it. Your system itself can be a single name; you can actually pass a list itself. So one of the things I have in my profile is, you know, again, XenApp servers, so when I launch it, it gives me a list of all of the XenApp servers in my environment. So if somebody else adds a couple in my environment, I don't really care, it's going to be refreshed. So then I can filter based upon that and I know I had the current list as of when I launched PowerShell. But okay, so we call this pre-stage work. So this is how we create, kind of, later on in a minute we're going to... so interactive errors on a machine. But the point is that I go get my list of systems, okay, I then go get the event log for that system based upon the filter that I defined before. So I want...

So there is the message from it, okay: Windows cannot load the registry for a particular user, and here's the path of that user itself. But again, so in this example, that's why I'm doing this. So the point being: who's having this problem? And so because I did it across all of my servers, you came up here, I did it across all my servers. I can then come here and say, show me everywhere where there's an event across all my hundred servers, so I said, oh, I got someone on 54, 56, 57, 58. Well, this looks like it's a systemic problem across the environment. And so in that fashion I've done it; I think this is neat. Or maybe there's another one later on, where somebody says, hey, we're getting this app crash, Excel's crashing every day; like, well, there's a problem with Excel, you pushed a patch. Like, okay, well, let's go find out.

Well, is it happening across my environment? When does it happen? Well then, I do the same kind of search, here we go, and then we output a format. Well, this says it's been happening since November; it's not a patch that you pushed last week, because this exact same error has been happening weekly across the environment, so it's not me, it's something else, because that's typically what everybody hears on a daily basis: that you broke it, and it's not your problem, solved. Let's use PowerShell to tell me that it's not me!

Dealing with the XML itself: so this is kind of another example of that same kind of parts, and because we're dealing with event parts, there is a method in which to actually pull out this hash table. So here's my hash table of individual parts. So if you needed to get the event type data out of the event log, okay, you need to do some really clean and, you know, effective XML parsing, and... like that, and so, but you do it once, and that's really what we're doing. So give me the event ID and the data, the entry in that table, and then just where that type is. So now, using that same filter, I now can see who is the user, the logon process, when that happened. It's not a great example at that point, but this is how you would then parse the event type data, the EventData, inside those XML.

I can't remember right now why I added the property... I created the instance. Actually, at this point, I created the types, so now this is a list item of it, so Out-GridView. So here's that exact same thing, just turned upside down, so it's kind of like transpose in Excel: so it was a hash table this way, I then put it that way. So that's what this part is, so now I can...

So in that same fashion, at this point you can define an external app server itself using live data. Here's the example of errors. So in our ERP application, hey, something's happening: you pushed the patch to Excel and now Excel is crashing our ERP. It is, yeah, there's 7,000 times; oh, excuse me about the cursor, but yeah. Well, what's it look like? Oh yes, Excel's crashing. Oh.

What am I going to do with this? All right. So, well, it's just the errors, until, well, where the message doesn't have Excel; then, well, there's all the things crashing, yeah, other things are crashing on the server, and so maybe not just Excel. All right, well, how many where it is Excel? Oh, well, of that 7,000, it's 284! Oh, that's a pretty high percentage of what it is. So kind of in this fashion, very quickly and very effectively, I can then say, hey, how many, is it happening? Is it happening?

I could use the same magic, and I've done it many times: hey, it's happening? Well then, let me build this quick little filter, let me apply it to all these computers, and then it comes back and all of a sudden, well, it's only happening on the one server. Well, it's only happening on the 17th server. Now we need to figure out what's wrong with that one, as opposed to it's across the board. All right, so now let's do this. So what are we doing?

Event logs where the message is like it, sort by time descending, and I'm going to select just the time and what machine it happened on, and only give me the last 20, just so I don't get everything. Well, this tells me that the last time it happened was only happening on 56, and here it is, the last 20; let's just drop off the last... but holy crap. It's happening all over the place. Like, all right, so this is potentially something to look at because it's happening, but you can also kind of see that it's been happening forever, in a month. Oh, that's why I said descending, because it's been happening for, you know, forever in a month. So it's not me. So we need to go look at something else, or tell me more about what's crashing and then we can investigate that, not just saying, hey, your patch broke my machine.

So that's why the last 20, just sorted descending, but very, very fast, very quickly and very effectively we can then use PowerShell, so you do this at scale. So, searching like a boss when you're dealing with the System log and logon events. So we kind of talked about it at that point: one of the things that you need from a logon event...

So, if we're looking at that point, all right, what is available to me? So here's the ID of this, here's the SID of the user who actually did a logon, okay. So there's my 7001, the logon event, and I think there's a logoff event, and we'll give that a second. So here's my Winlogon, and then there's a logoff later.

So, but in this fashion, I need to build my XPath using the user SID, so I just use some other magic. This is PowerShell: Get-ADUser where the identity is my SAM account name, go give me the SID property. All right, let's take that variable, stick that back into my XPath, and now I have a way in which I can go across, you know, server 51, 360... append that number.

It's the first session of the day, so you guys get, you know... I'll call out other presentations, all right, anyway. You can kind of see at this point really what's happening here: so that whole idea, hey, I can then take my data, sort by that time, give me the last 30 of where somebody logged in, and make it at that point. So this is just logon information.

Here, no worries. So I built the XPath: for each server, build the XPath based upon the SID that I'm passing in, okay. So I'm going to say, you know, what user ID I want to use so that I can pass in the SID. I define the computer name just so I can use it, right, Verbose, get the event log. And slow me down if anybody needs to, okay, because I feel like I'm running fast.

The SID is a property of a user object in AD. There are a lot of ways you can, you know, search for it. There are a lot of ways to get it; PsGetSid gets it, if you need it really, but then you've got to do some, you know, string parsing. But there are a lot of ways to get it if you don't have the AD cmdlets available to you on the machine that you're working from, okay.

At this point, so Get-WinEvent -ComputerName, where the computer is what we passed in, with the XPath, only give me the first 150. Otherwise it would just sit there and churn and churn, so one of the things is I don't need it, you know, for that long. So just give me the first 150, then for each event I'm going to create my own object. Okay, so I create a property just called logon/logoff. But now, if the ID of the event that I'm passing in is 7001, well, that's a logon event, and so I tag it with the TimeCreated, and if it's a logoff I tag it with TimeCreated, and then I create this object that is my username, computer name, the time itself and then whichever, logon or logoff. So what's the output look like? You can kind of see it at this point.

Tee-Object. So Tee-Object: what's the word I'm using, in Tee-Object? Actually, the reason why it came out on the screen is because it sent it to a variable and then keeps it down the pipeline. It's a tee, so with Tee-Object, you can do multiple types: I want to send it to my input variables, but I can also send it out to a file path.

Thinking through the pipeline, yeah, so the pipeline is a chain, but I want to then divert it somewhere else and then put it down the pipeline again. So it's that tee, okay. So this is what our output gets, so effectively we now have: tell me my username, computer, and this person logged on to all these servers; this is the time when they either logged on or logged off and events happened. But now here's his logon, logoff, logoff, and so effectively
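The logon/logoff search described at the end of the talk, pulled together into one function as an added example (this is not the speaker's code from the rtpsug repository): it builds the Winlogon XPath from a user SID, queries each server with Get-WinEvent, parses EventData through ToXml(), and emits one object per event. It assumes Winlogon's System-log events 7001 (logon) and 7002 (logoff) and their UserSid/TSId data fields; the function and parameter names are my own.

```powershell
function Get-UserLogonActivity {
    [CmdletBinding()]
    param(
        # Hypothetical parameters: the SID can come from (Get-ADUser $sam).SID.Value
        [Parameter(Mandatory)] [string]   $UserSid,
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [int]                             $MaxEvents = 150,
        [pscredential]                    $Credential
    )

    # Winlogon writes 7001 (logon) and 7002 (logoff) to the System log; the SID of the
    # interactive user is carried in EventData as <Data Name="UserSid">. The SID is
    # injected into the XPath string exactly as the talk describes.
    $xpath = "*[System[Provider[@Name='Microsoft-Windows-Winlogon'] and (EventID=7001 or EventID=7002)]" +
             " and EventData[Data[@Name='UserSid']='$UserSid']]"

    foreach ($computer in $ComputerName) {
        # Splat the parameters instead of one long line; only add Credential when given
        $params = @{
            LogName      = 'System'
            FilterXPath  = $xpath
            ComputerName = $computer
            MaxEvents    = $MaxEvents
            ErrorAction  = 'SilentlyContinue'   # Get-WinEvent errors when nothing matches
        }
        if ($Credential) { $params.Credential = $Credential }

        Write-Verbose "Querying $computer for SID $UserSid"
        Get-WinEvent @params | ForEach-Object {
            # ToXml() returns the raw event XML; cast to [xml] and index the named Data fields
            $xml  = [xml] $_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) {
                if ($d -is [System.Xml.XmlElement]) {
                    $data[$d.GetAttribute('Name')] = $d.InnerText
                }
            }

            [pscustomobject]@{
                UserSid      = $data['UserSid']
                ComputerName = $computer
                TimeCreated  = $_.TimeCreated
                Action       = if ($_.Id -eq 7001) { 'Logon' } else { 'Logoff' }
                SessionId    = $data['TSId']
            }
        }
    }
}

# Usage: resolve the SID once, fan out across the server list, then tee the results
# into a variable while still viewing them in Out-GridView (as in the talk).
# $sid     = (Get-ADUser -Identity 'jdoe').SID.Value
# $servers = 'server51', 'server52'
# Get-UserLogonActivity -UserSid $sid -ComputerName $servers -Verbose |
#     Sort-Object TimeCreated -Descending | Select-Object -First 30 |
#     Tee-Object -Variable activity | Out-GridView
```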