Automating the world one-liner at a time…
Introduction
Windows event logs are extremely useful for debugging, and administrators routinely use them to diagnose problems in complex systems. Clicking through Event Viewer by hand, however, is slow and difficult to automate. Luckily, there is a simple way to run the same filters from Windows PowerShell and script the whole process.
The FilterXml Parameter
The FilterXml parameter of Get-WinEvent lets you filter events with a short XML document that carries an XPath-style query. You do not have to write the query by hand: the "Create Custom View" and "Filter Current Log" dialogs in Event Viewer generate valid query XML for whatever options you select, and you can copy it from the dialog's XML tab. The exact query schema can be found here: http://go.microsoft.com/fwlink/?LinkId=143685.
An Example
In Event Viewer, select a log, and then click "Filter Current Log"...
Select the items to filter and then click the XML tab.
Now you can use the XML query in Windows PowerShell.
PS C:\Windows\system32> $filterXml = '<QueryList>
<Query Id="0" Path="Windows PowerShell">
<Select Path="Windows PowerShell">*[System[(Level=4 or Level=0)]]</Select>
</Query>
</QueryList>'
PS C:\Windows\system32> Get-WinEvent -FilterXml $filterXml
TimeCreated ProviderName Id Message
----------- ------------ -- -------
4/14/2011 10:48:01 AM PowerShell 600 Provider "WSMan" is Starte...
4/14/2011 10:48:00 AM PowerShell 600 Provider "Variable" is Sta...
4/14/2011 10:48:00 AM PowerShell 600 Provider "Registry" is Sta...
4/14/2011 10:48:00 AM PowerShell 600 Provider "Function" is Sta...
4/14/2011 10:48:00 AM PowerShell 600 Provider "FileSystem" is S...
4/14/2011 10:48:00 AM PowerShell 600 Provider "Environment" is ...
4/14/2011 10:48:00 AM PowerShell 600 Provider "Alias" is Starte...
4/14/2011 10:47:58 AM PowerShell 400 Engine state is changed fr...
This query retrieves the Information-level events from the Windows PowerShell log (Level 4 is Information; Level 0, LogAlways, covers events written without an explicit level). Get-WinEvent returns EventLogRecord objects rather than text, so you can pipe the results to downstream cmdlets such as Where-Object, Group-Object or Export-Csv for further processing.
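The following is an added example, not code from the original post, showing the same FilterXml technique applied to a query a security engineer is more likely to need: interactive remote (RDP, LogonType 10) logons in the Security log over the last 24 hours, with the named EventData fields extracted from each event's XML instead of the truncated Message column. It assumes you run it from an elevated prompt (reading the Security log requires administrator rights), that logon auditing is enabled on the machine, and that event 4624 carries the standard TargetUserName, TargetDomainName, IpAddress and LogonProcessName data fields. The query XML follows the form Event Viewer generates; note that the `<=` in the time filter must be written as `&lt;=` because it sits inside XML.

```powershell
# Added example (not from the original post). Assumes an elevated session,
# logon auditing enabled, and the standard EventData field names for 4624.
# 86400000 ms = 24 hours; Event Viewer emits this timediff() form itself.
$filterXml = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
      and
      *[EventData[Data[@Name='LogonType']='10']]
    </Select>
  </Query>
</QueryList>
'@

# Get-WinEvent raises a non-terminating "No events were found" error when
# nothing matches; treat that as an empty result rather than red text.
$events = Get-WinEvent -FilterXml $filterXml -MaxEvents 200 -ErrorAction SilentlyContinue

# The default table view truncates Message (the 'Provider "WSMan" is Starte...'
# output above). Reading the named Data elements from the event XML is both
# complete and more robust than parsing the rendered message text.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated   = $e.TimeCreated
        TargetUser    = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        SourceAddress = $data['IpAddress']
        LogonProcess  = $data['LogonProcessName']
    }
}

# Summarise which accounts logged on over RDP and from where; an account
# paired with an unexpected source address is the thing to look at first.
$rows |
    Group-Object TargetUser, SourceAddress |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# When you do want the full rendered text, switch to a list view or wrap the
# table instead of letting Format-Table truncate the Message column.
$events | Select-Object -First 1 | Format-List TimeCreated, Id, Message
$events | Select-Object -First 5 | Format-Table TimeCreated, Id, Message -Wrap
```

If you replace the Security-log query with the Windows PowerShell query from the post, the same ToXml() loop works unchanged; only the field names inside EventData differ from provider to provider, which is why the code looks them up by name rather than by position.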
James WeiSDEMSFT
Cool trick!
But when I try it, the Message or Description is missing... :-(
14/04/2011 03:47:48 Microsoft-Windows-CAPI2 11
Exactly... how do you wrap the message?