Get-Eventlog: PowerShell way to query event logs (2022)

Recently someone asked me whether we can get data on a particular service being stopped and started in a day on a particular server. I was not sure how to respond, but I did my own research to find out exactly what can be done to fetch a result like this.

It was understandable that we need to collect the samples from the Event Viewer, where the events for this are generated. So I dug further and further and came up with a command, or a small script, that can save you time compared with going through many logs and events in Event Viewer.

Get-EventLog: Check event logs with PowerShell

As the cmdlet name suggests, we will be using Get-EventLog to get the list of event logs of a local computer or a remote computer. Below is the syntax of Get-EventLog.

				
Get-EventLog
   [-LogName] <String>
   [-ComputerName <String[]>]
   [-Newest <Int32>]
   [-After <DateTime>]
   [-Before <DateTime>]
   [-UserName <String[]>]
   [[-InstanceId] <Int64[]>]
   [-Index <Int32[]>]
   [-EntryType <String[]>]
   [-Source <String[]>]
   [-Message <String>]
   [-AsBaseObject]
   [<CommonParameters>]
				
			

#Obtain event logs from the local computer

This example displays a list of available event logs on the local computer. The names in the Log column are used with the LogName parameter to specify which log is searched for events.

				
Get-EventLog -List

Max(K)   Retain   OverflowAction      Entries  Log
------   ------   --------------      -------  ---
15,168        0   OverwriteAsNeeded   20,792   Application
15,168        0   OverwriteAsNeeded   12,559   System
15,360        0   OverwriteAsNeeded   11,173   Windows PowerShell
				
			

#Get a list of events that occurred on a specific date and time

This example retrieves Error events for a given date and time range from the System event log. The Before and After parameters specify the date and time range but are not included in the output.

				
$Begin = Get-Date -Date '1/17/2019 08:00:00'
$End = Get-Date -Date '1/17/2019 17:00:00'
Get-EventLog -LogName System -EntryType Error -After $Begin -Before $End

Index Time          EntryType   Source   InstanceID  Message
----- ----          ---------   ------   ----------  -------
13821 Jan 17 13:40  Error       DCOM          10016  The description for Event ID...
13820 Jan 17 13:11  Error       DCOM          10016  The description for Event ID...
12372 Jan 17 10:08  Error       DCOM          10016  The description for Event ID...
12371 Jan 17 09:04  Error       DCOM          10016  The description for Event ID...
				
			

#Obtain events and group them according to a property

This example retrieves the events in the System event log whose user name starts with NT, groups them by the UserName property, and displays the number of events for each user name.

				
Get-EventLog -LogName System -UserName NT* |
    Group-Object -Property UserName -NoElement |
    Select-Object -Property Count, Name

Count  Name
-----  ----
6031   NT AUTHORITY\SYSTEM
  42   NT AUTHORITY\LOCAL SERVICE
   4   NT AUTHORITY\NETWORK SERVICE
				
			

#Gather information from multiple computers

This command retrieves events from three computers: Server01, Server02, and Server03.

				
Get-EventLog -LogName System -ComputerName Server01, Server02, Server03
				
			

Note: There are other examples as well that you can explore from the link below. The examples shown here are the ones used in my script.

Click here to learn more.


PowerShell Script to count the events (Stop/Start)

#Without Specific date and time (Local computer)

This PowerShell script combines the examples above. It counts the start and stop events of the Event Log service on the local system for as far back as the event logs go, i.e. if your computer holds event logs from 2 years back, it counts how many times the service was started and stopped in those 2 years.

				
# Count the Event Log service's start/stop messages in the System log
Get-EventLog -LogName System -Source EventLog |
    Where-Object { ($_.Message -like "*stopped*") -or ($_.Message -like "*started*") } |
    Group-Object -Property Message -NoElement |
    Select-Object -Property Count, Name

Count Name                              
----- ----                              
   33 The Event log service was started.
   15 The Event log service was stopped.
				
			


After -LogName, specify the log in which the events are generated, either System or Application. In -Source, specify the service for which you want to run this script.

#With Specific date and time (Local computer)

Everything is the same as above, but with a specific date and time range.

				
# 1 March to 15 March 2022, written as yyyy-MM-dd so the dates parse the same under any regional setting
$Begin = Get-Date '2022-03-01 12:30:00'
$End = Get-Date '2022-03-15 13:00:00'
Get-EventLog -LogName System -Source EventLog -After $Begin -Before $End |
    Where-Object { ($_.Message -like "*stopped*") -or ($_.Message -like "*started*") } |
    Group-Object -Property Message -NoElement |
    Select-Object -Property Count, Name

Count Name                              
----- ----                              
    2 The Event log service was started.
    1 The Event log service was stopped.
				
			

#With Specific date and time (Remote computer)

Everything is the same as above, but with a specific date and time range, and we are targeting remote servers.

				
$Begin = Get-Date '2022-03-01 12:30:00'
$End = Get-Date '2022-03-15 13:00:00'
Get-EventLog -LogName System -Source EventLog -ComputerName Server1, Server2 -After $Begin -Before $End |
    Where-Object { ($_.Message -like "*stopped*") -or ($_.Message -like "*started*") } |
    Group-Object -Property Message -NoElement |
    Select-Object -Property Count, Name
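
The scripts above count only the Event Log service's own start and stop messages. The following is an added example, not part of the original post: it counts starts and stops per day for any named service from Service Control Manager event 7036. The function name, the sample entries and the English state strings (running/stopped) are assumptions made for the illustration.

```powershell
# Added example: per-day start/stop counts for one service, based on
# Service Control Manager event 7036 in the System log.
function Get-ServiceStateCount {
    param(
        # An EventLogEntry from Get-EventLog, or an object with the same properties
        [Parameter(Mandatory, ValueFromPipeline)] $Entry,
        # Service display name as written in the event; wildcards allowed
        [Parameter(Mandatory)] [string] $ServiceName
    )
    begin { $hits = [System.Collections.Generic.List[object]]::new() }
    process {
        # EventID holds only the low 16 bits of the identifier. The InstanceId
        # of this event is 1073748860, so "-InstanceId 7036" would not match;
        # filtering on EventID avoids that.
        if ($Entry.EventID -ne 7036) { return }
        # ReplacementStrings[0] = service name, [1] = state text (localized)
        $name, $state = $Entry.ReplacementStrings[0..1]
        if ($name -notlike $ServiceName) { return }
        $hits.Add([pscustomobject]@{
            Day   = $Entry.TimeGenerated.ToString('yyyy-MM-dd')
            State = $state
        })
    }
    end {
        $hits | Group-Object -Property Day, State | ForEach-Object {
            [pscustomobject]@{
                Day   = $_.Group[0].Day
                State = $_.Group[0].State
                Count = $_.Count
            }
        } | Sort-Object -Property Day, State
    }
}

# Constructed sample entries (not real log data) so the function runs offline
$sample = @(
    [pscustomobject]@{ EventID = 7036; TimeGenerated = [datetime]'2022-03-01T09:00:00'; ReplacementStrings = @('Print Spooler', 'stopped') }
    [pscustomobject]@{ EventID = 7036; TimeGenerated = [datetime]'2022-03-01T09:00:05'; ReplacementStrings = @('Print Spooler', 'running') }
    [pscustomobject]@{ EventID = 7036; TimeGenerated = [datetime]'2022-03-01T17:30:00'; ReplacementStrings = @('Print Spooler', 'stopped') }
    [pscustomobject]@{ EventID = 7036; TimeGenerated = [datetime]'2022-03-02T08:15:00'; ReplacementStrings = @('Windows Update', 'running') }
    [pscustomobject]@{ EventID = 6005; TimeGenerated = [datetime]'2022-03-02T08:00:00'; ReplacementStrings = @() }
)
$sample | Get-ServiceStateCount -ServiceName 'Print Spooler'

# Against a live log in Windows PowerShell 5.1:
# Get-EventLog -LogName System -Source 'Service Control Manager' -After $Begin -Before $End |
#     Get-ServiceStateCount -ServiceName 'Print Spooler'
```

Matching on the event ID and the structured ReplacementStrings instead of wildcard text in Message keeps the count from picking up unrelated events that merely contain the words "started" or "stopped".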
				
			

Conclusion

I hope you have liked the post Get-Eventlog: PowerShell way to query event logs and will implement this whenever it is required. One thing you should always remember is to try it on your local system first, so that it will be easy for you to make changes. Let me know if you want a blog post on some other script that might amaze you.
