This script, event-log-manager.ps1, provides the ability to manage event logs on machines locally or remotely.

Features:

- Export logs locally or remotely to .csv format on local machine grouped by machine name

- Convert *.evt* files to .csv

- View and manage 'debug and analytic' event logs

- Listen to event logs real-time from local or remote machines displaying color coded messages in console

NOTE: PowerShell scripts require that script execution be enabled on the machine, in the current PowerShell session, or by starting PowerShell.exe with the '-ExecutionPolicy' switch. To query the current execution settings, type 'Get-ExecutionPolicy'. To enable script execution, from an admin PowerShell prompt type 'Set-ExecutionPolicy RemoteSigned -Force' or 'Set-ExecutionPolicy Bypass -Force'. These are two commonly used policy levels, with 'RemoteSigned' being more restrictive than 'Bypass' (additional policy levels are available). When finished running the script, you can set the policy level back to the prior setting if needed. For additional information type 'help set-executionpolicy -online'.

NOTE: Scripts downloaded from TechNet may be blocked by default depending on the type of download and configuration. If the script fails to execute, right-click the file, open its properties, and verify that if an 'Unblock' option exists, it is unchecked.
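As an added example (not part of event-log-manager.ps1), the following commands check the execution policy at every scope, relax it only for the current process instead of machine-wide, and inspect and remove the download block (the Zone.Identifier stream) on the script file. The script path is an assumption.

```powershell
# Added example, not part of event-log-manager.ps1.
$scriptPath = '.\event-log-manager.ps1'   # assumed: script saved in the current directory

# Show the effective policy at every scope; the first scope that is not Undefined wins.
Get-ExecutionPolicy -List

# Prefer a process-scoped change: it disappears when this PowerShell exits and needs
# no admin rights, unlike 'Set-ExecutionPolicy RemoteSigned -Force' (LocalMachine scope).
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force

# Files downloaded through a browser carry a Zone.Identifier alternate data stream
# (the "mark of the web"). Under RemoteSigned such a file must be signed or unblocked.
$zone = Get-Item -Path $scriptPath -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($zone) {
    Get-Content -Path $scriptPath -Stream Zone.Identifier   # shows ZoneId=3 for Internet
    Unblock-File -Path $scriptPath                           # same effect as the 'Unblock' checkbox
}

# Signature status before running: NotSigned is expected for an unsigned gallery script;
# HashMismatch means the file was modified after it was signed and should not be run.
(Get-AuthenticodeSignature -FilePath $scriptPath).Status
```

The process-scoped policy is the one to prefer on shared or production machines: it never outlives the troubleshooting session, so there is nothing to remember to set back afterwards.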

Help:

PS E:\> help .\event-log-manager.ps1 -full

NAME
    E:\event-log-manager.ps1
   
SYNOPSIS
    powershell script to manage event logs on multiple machines
   
SYNTAX
    E:\github\powershellScripts\PowerShellProject\PowerShellProject\event-log-manager.ps1 [[-clearEventLogs]] [[-clearEventLogsOnGather]] [-days <Int32>] [-debugScript] [-disableDebugLogs] [-displayMergedResults]
    [-enableDebugLogs] [-eventLogLevels <String[]>] [-eventLogIds <Int32[]>] [-eventLogNamePattern <String>] [-eventLogPath <String>] [-eventStartTime <String>] [-eventStopTime <String>] [-eventTracePattern <String>]
    [-eventDetails] [-getUpdate] [-hours <Int32>] [-listen] [-listEventLogs] [-machines <String[]>] [-minutes <Int32>] [-months <Int32>] [-nodynamicpath] [-rds] [-uploadDir <String>] [<CommonParameters>]
   
DESCRIPTION
    Set-ExecutionPolicy Bypass -Force
   
    This script will optionally enable / disable debug and analytic event logs.
    This can be against both local and remote machines.
    It will also take a regex filter pattern for both event log names and traces.
    For each match, all event logs will be exported to csv format.
    Each export will be in its own file named with the event log name.
    It also has the ability to 'listen' to new events by continuously polling the configured event logs.
   
PARAMETERS
    -clearEventLogs [<SwitchParameter>]
        If specified, will clear all event logs matching 'eventLogNamePattern'
  
    -clearEventLogsOnGather [<SwitchParameter>]
        If specified, will clear all event logs matching 'eventLogNamePattern' after eventlogs have been gathered.
               
    -days <Int32>
        If specified, is the number of days to query from the event logs. The number specified is a positive number
 
    -debugScript [<SwitchParameter>]
  
    -disableDebugLogs [<SwitchParameter>]
        If specified, will disable the 'analytic and debug' event logs matching 'eventLogNamePattern'
  
    -displayMergedResults [<SwitchParameter>]
        If specified, will display merged results in default viewer for .csv files.
  
    -enableDebugLogs [<SwitchParameter>]
        If specified, will enable the 'analytic and debug' event logs matching 'eventLogNamePattern'
        NOTE: at end of troubleshooting, remember to 'disableEventLogs' as there is disk and cpu overhead for debug logs
        WARNING: enabling too many debug eventlogs can make system non responsive and may make machine unbootable!
        Only enable specific debug logs needed and only while troubleshooting.
  
    -eventLogLevels <String[]>
        If specified, a comma separated list of event log levels to query.
        Default is all event levels.
        Options are Critical,Error,Warning,Information,Verbose
  
    -eventLogIds <Int32[]>
        If specified, a comma separated list of event logs id's to query.
        Default is all id's.
 
    -eventLogNamePattern <String>
        If specified, is a string or regex pattern to specify event log names to modify / query.
        If not specified, the default value is for 'Application' and 'System' event logs
        If 'rds $true' and this argument is not specified, the following regex will be used "RemoteApp|RemoteDesktop|Terminal"

    -eventLogPath <String>
        If specified as a directory, will be used as a directory path to search for .evt and .evtx files.
        If specified as a file, will be used as a file path to open .evt or .evtx file.
        This parameter is not compatible with '-machines'

    -eventStartTime <String>
        If specified, is a time and / or date string that can be used as a starting time to query event logs
        If not specified, the default is for today only
 
    -eventStopTime <String>
        If specified, is a time and / or date string that can be used as a stopping time to query event logs
        If not specified, the default is for current time
  
    -eventTracePattern <String>
        If specified, is a string or regex pattern to specify event log traces to query.
        If not specified, all traces matching other criteria are displayed
  
    -eventDetails [<SwitchParameter>]
        If specified, will output event log items including xml data found on 'details' tab.
  
    -getUpdate [<SwitchParameter>]
        If specified, will compare the current script against the location in github and will update if different.
  
    -hours <Int32>
        If specified, is the number of hours to query from the event logs. The number specified is a positive number
  
    -listen [<SwitchParameter>]
        If specified, will listen for and display new events from event logs matching the pattern specified with eventLogNamePattern
  
    -listEventLogs [<SwitchParameter>]
        If specified, will list all event logs matching the pattern specified with eventLogNamePattern
  
    -machines <String[]>
        If specified, will run script against remote machine(s). List is comma separated.
        If not specified, script will run against local machine
  
    -minutes <Int32>
        If specified, is the number of minutes to query from the event logs. The number specified is a positive number
  
    -months <Int32>
        If specified, is the number of months to query from the event logs. The number specified is a positive number
   
    -nodynamicpath [<SwitchParameter>]
        If specified, will store files in a non-timestamped folder, which is useful if calling from another script.
  
    -rds [<SwitchParameter>]
        If specified, will set the default 'eventLogNamePattern' to "RemoteApp|RemoteDesktop|Terminal" if value not populated
  
    -uploadDir <String>
        The directory where all files will be created.
        The default is .\gather
  
    -------------------------- EXAMPLE 1 --------------------------
   
    PS C:\>.\event-log-manager.ps1 -rds -minutes 10
   
    Example command to query rds event logs for the last 10 minutes.
    
    -------------------------- EXAMPLE 2 --------------------------
   
    PS C:\>.\event-log-manager.ps1 -minutes 10 -eventLogNamePattern * -machines rds-gw-1,rds-gw-2
   
    Example command to query all event logs. It will query machines rds-gw-1 and rds-gw-2 for all events in the last 10 minutes.
    
    -------------------------- EXAMPLE 3 --------------------------
   
    PS C:\>.\event-log-manager.ps1 -machines rds-gw-1,rds-gw-2
   
    Example command to query rds event logs. It will query machines rds-gw-1 and rds-gw-2 for today's events from the Application and System logs (default logs).
    
    -------------------------- EXAMPLE 4 --------------------------
   
    PS C:\>.\event-log-manager.ps1 -enableDebugLogs -eventLogNamePattern dns -rds
   
    Example command to enable 'debug and analytic' event logs for 'rds' event logs and 'dns' event logs.
    
    -------------------------- EXAMPLE 5 --------------------------
   
    PS C:\>.\event-log-manager.ps1 -eventLogNamePattern * -eventTracePattern "fail"
   
    Example command to export all event log entries that have the word 'fail' in the event Message.
    
    -------------------------- EXAMPLE 6 --------------------------
   
    PS C:\>.\event-log-manager.ps1 -eventLogNamePattern * -eventTracePattern "fail" -eventLogLevel Warning
   
    Example command to export all event log entries that have the word 'fail' in the event Message and log level 'Warning'.
    
    -------------------------- EXAMPLE 7 --------------------------
   
    PS C:\>.\event-log-manager.ps1 -listEventLogs -disableDebugLogs
   
    Example command to disable 'debug and analytic' event logs.
    
    -------------------------- EXAMPLE 8 --------------------------
   
    PS C:\>.\event-log-manager.ps1 -clearEventLogs -eventLogNamePattern "^system$"
   
    Example command to clear the 'System' event log.
    
    -------------------------- EXAMPLE 9 --------------------------
   
    PS C:\>.\event-log-manager.ps1 -eventStartTime "12/15/2015 10:00 am"
   
    Example command to query for all events after the specified time.
    
    -------------------------- EXAMPLE 10 --------------------------
   
    PS C:\>.\event-log-manager.ps1 -eventStopTime "12/15/2016 10:00 am"
   
    Example command to query for all events up to the specified time.
    
    -------------------------- EXAMPLE 11 --------------------------
   
    PS C:\>.\event-log-manager.ps1 -listEventLogs
   
    Example command to list all event log names.
    
    -------------------------- EXAMPLE 12 --------------------------
   
    PS C:\>.\event-log-manager.ps1 -listen -rds -machines rds-rds-1,rds-rds-2,rds-cb-1
   
    Example command to listen to multiple machines for all event logs for Remote Desktop Services.
    
    -------------------------- EXAMPLE 13 --------------------------
   
    PS C:\>.\event-log-manager.ps1 -eventLogPath c:\temp -eventLogNamePattern *
   
    Example command to query path c:\temp for all *.evt* files and convert them to csv.
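The examples above combine a log-name regex, level and id filters, a time window, a message regex and an export grouped by machine, plus a polling 'listen' mode. The following is an added example, not event-log-manager.ps1 itself, showing how those pieces fit together on top of Get-WinEvent alone; every variable and function name in it is an assumption, and it queries only the local machine unless remote names are added.

```powershell
# Added example, not the script's own code.
$machines            = @($env:COMPUTERNAME)              # assumed: local machine only
$eventLogNamePattern = '^(Application|System)$'          # the default logs, as a regex
$eventLogLevels      = @('Critical', 'Error', 'Warning') # empty array = all levels
$eventLogIds         = @()                               # empty array = all ids
$eventTracePattern   = ''                                # regex over Message; '' = every event
$uploadDir           = Join-Path $PWD 'gather'           # same default as -uploadDir

# Level names as listed under -eventLogLevels, mapped to the numbers the filter needs.
$levelMap = @{ Critical = 1; Error = 2; Warning = 3; Information = 4; Verbose = 5 }

function Get-MatchingEvents {
    param([string]$Machine, [datetime]$StartTime, [datetime]$StopTime)

    # -Force includes analytic/debug channels in the listing; keep those matching the regex.
    $logs = Get-WinEvent -ComputerName $Machine -ListLog * -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LogName -match $eventLogNamePattern -and $_.RecordCount -gt 0 }

    foreach ($log in $logs) {
        $filter = @{ LogName = $log.LogName; StartTime = $StartTime; EndTime = $StopTime }
        if ($eventLogLevels.Count -gt 0) { $filter.Level = @($eventLogLevels | ForEach-Object { $levelMap[$_] }) }
        if ($eventLogIds.Count -gt 0)    { $filter.Id = $eventLogIds }

        # Analytic and debug channels can only be read oldest-first.
        $extra = @{}
        if ($log.LogType -in 'Analytical', 'Debug') { $extra.Oldest = $true }

        Get-WinEvent -ComputerName $Machine -FilterHashtable $filter @extra -ErrorAction SilentlyContinue |
            Where-Object { -not $eventTracePattern -or $_.Message -match $eventTracePattern }
    }
}

function Export-MatchingEvents {
    param([datetime]$StartTime = (Get-Date).Date, [datetime]$StopTime = (Get-Date))   # default: today only
    foreach ($machine in $machines) {
        $outDir = Join-Path $uploadDir $machine      # one folder per machine, as the script does
        New-Item -ItemType Directory -Path $outDir -Force | Out-Null
        Get-MatchingEvents -Machine $machine -StartTime $StartTime -StopTime $StopTime |
            Group-Object LogName | ForEach-Object {
                # One .csv per log; '/' in channel names is not a legal file-name character.
                $file = Join-Path $outDir (($_.Name -replace '[\\/:*?"<>|]', '-') + '.csv')
                $_.Group | Select-Object MachineName, TimeCreated, LogName, ProviderName, Id, LevelDisplayName, Message |
                    Export-Csv -Path $file -NoTypeInformation
            }
    }
}

function Watch-MatchingEvents {
    param([int]$PollSeconds = 5)
    $since = Get-Date
    while ($true) {                                  # stop with Ctrl+C
        Start-Sleep -Seconds $PollSeconds
        $now = Get-Date
        foreach ($machine in $machines) {
            Get-MatchingEvents -Machine $machine -StartTime $since -StopTime $now | ForEach-Object {
                # Colour by level: critical magenta, error red, warning yellow, everything else gray.
                $color = switch ($_.Level) { 1 { 'Magenta' } 2 { 'Red' } 3 { 'Yellow' } default { 'Gray' } }
                Write-Host ('{0} {1} {2} {3} {4}' -f $_.TimeCreated, $_.MachineName, $_.LogName, $_.Id, $_.Message) -ForegroundColor $color
            }
        }
        $since = $now
    }
}

Export-MatchingEvents        # today's matching events to .\gather\<machine>\<log>.csv
# Watch-MatchingEvents       # uncomment to poll and print new events until Ctrl+C
```

Two things worth checking before pointing this at remote machines: the account needs to be in the Event Log Readers group (or be an administrator) on each target, and the 'Remote Event Log Management' firewall rule group has to be enabled there, otherwise Get-WinEvent silently returns nothing under -ErrorAction SilentlyContinue.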

Example console output when listening for events real-time (screenshot not reproduced here).

Example event log save / export output (screenshot not reproduced here).


Reference:

- Github script repository for this script