Video Transcript
Hi, this is Jeff Hicks. Today I want to show you some ways to use tools in Windows 7 to look at event logs. The first thing I want to show you is the graphical event log viewer that ships with Windows 7. Now there are a couple of ways you get this, go to Start | Administrative Tools | Event Viewer to launch it. I happen to like being quick and lazy and I open up Start | Run, and type eventvwr, click OK. Up will pop the Event Viewer, you will get the same Event Viewer no matter which choice you make.
The one thing you will notice right away in the new Windows 7 Event Viewer is the Summary of Administrative Events. I can look on my local machine and see what kind of warnings I have had. I have had eleven here in the past seven days. I can see what some of them are, I can double click it brings me then to a summary. These are all the Windows update errors I have had on my system in the past seven days. The event viewer shows me not only the classic event logs such as Application, System, and Security but also all the new event logs that ship from Microsoft for lots of other Windows related applications.
For example if I want to look at errors related to the DHCP client I can look at DHCP Events related to that. I can filter, say all I care about is warnings and errors, I'm not interested any of the events. For pretty much any of these Event Logs, I can come over here to Filter Current Log, I just want the ones in the past 30 days, I want errors and warnings, I do not care about the event source. I have already limited it to the DHCP log and click OK. And I have no errors in that regard. Let me change my filter and let's just do from any time, errors and warnings. There we go. So there are the errors and warning I have in the event log I filtered out all of the other non-errors and warnings.
I can also connect to a remote computer. Come up here. Select Computer. I'll connect to \\server01, click OK. Same thing, I have access to all of the event logs. These are all the logs on \\server01, again I can filter. What is nice about creating a filter, I can save it as a custom view.' For example, I want to see all the SQL events. Now because \\server01 happens to have SQL installed I can actually see all of the errors and warnings related to all the SQL related products on \\server01.
Another way we can look at event logs, is with PowerShell. There are two cmdlets we can use. We can use Get-Eventlog system -newest 10, to say show me on the system event log the newest ten errors. There they are. There is also Get-Winevent system -MaxEvents 10, which will also work with the older logs. The perimeters are set a little bit different. I am just going to return the ten most recent events if you look at Help Get-Eventlog you will see that there are some syntax options that I can use to filter. I want to find Get-Eventlog system -EntryType, error, warning -newest 10, filter interested in the source and the message. I see I have some errors coming from the Time Service, from the volsnap source and DCOM. I can do similar things with the help get-Winevent -examples cmdlet. I can format or look at the information in many different ways because I am dealing with objects.
To get information out of the winevent log requires a little more sophistication.' You have to use some XML formatting or hash tables so I can see down in an example right here. I can either query the Windows PowerShell and I can use either a hash table or I can create an XML filter or if I am proficient in XML and want to use XPath I can use that as well.
With Windows 7 I have a number of ways to mine all sorts of information from one or more remote computers either using the GUI or PowerShell. Thanks very much.
Comments