Forensic Event Log Analysis (Part 2)

by Jul 14, 2021

In the previous tip we looked at Get-EventLog to do a forensic analysis and find search-related errors in the Application log. Get-EventLog is simple to use yet it is slow and deprecated. While it is perfectly OK to use Get-EventLog on Windows PowerShell, you might want to switch to Get-WinEvent instead. It’s faster and runs on PowerShell 7, too.

Let’s quickly translate Get-EventLog to Get-WinEvent for the forensic analysis covered in our previous tip. The code below finds all errors in the Application event log related to the “Search” source (there may be none on your system):

# old (Windows PowerShell only): -Source accepts wildcards, -Newest limits the result
Get-EventLog -LogName Application -Source *search* -EntryType error -Newest 10 | Select-Object TimeGenerated, Message

# new: the whole filter goes to the event log service as one hashtable.
# ProviderName takes the same wildcard, Level 1 = Critical and 2 = Error,
# -MaxEvents 10 mirrors -Newest 10, and -ErrorAction Ignore suppresses the
# "No events were found" error that Get-WinEvent raises on an empty result.
Get-WinEvent -FilterHashtable @{
    LogName = 'Application'
    ProviderName = '*search*'
    Level = 1,2
} -MaxEvents 10 -ErrorAction Ignore | Select-Object TimeCreated, Message

To group the events per day, use Group-Object and the date as grouping criteria:

# old: TimeGenerated is the timestamp property on Get-EventLog records
Get-EventLog -LogName Application -Source *search* -EntryType error | Group-Object { Get-Date $_.timegenerated -format yyyy-MM-dd } -NoElement

# new: the property is called TimeCreated on Get-WinEvent records
Get-WinEvent -FilterHashtable @{
    LogName = 'Application'
    ProviderName = '*search*'
    Level = 1,2
} -ErrorAction Ignore | Group-Object { Get-Date $_.TimeCreated -format yyyy-MM-dd } -NoElement

Again, you may not have any search-related error entries in your log, but once you adjust the criteria and search for different event log entries you’ll quickly realize how much faster Get-WinEvent is. In the example above, Get-WinEvent was approximately 10 times faster than Get-EventLog.
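As an added example that is not part of the original tip: the Get-WinEvent query wrapped in a function that also scopes the search with a StartTime filter (so the event log service, not PowerShell, does the date filtering), followed by a Measure-Command comparison against Get-EventLog. The function name, the provider pattern and the 30-day window are assumptions.

```powershell
# Added example, not the original tip's code. Assumed: the '*search*' provider
# pattern and a 30-day default window.
function Get-SearchErrorsPerDay {
    param(
        [string]   $LogName      = 'Application',
        [string]   $ProviderName = '*search*',      # assumption: any Windows Search provider
        [int[]]    $Level        = @(1, 2),         # 1 = Critical, 2 = Error
        [datetime] $StartTime    = (Get-Date).AddDays(-30)
    )

    # Everything in the hashtable is evaluated by the event log service,
    # so only matching records are handed back to PowerShell.
    $filter = @{
        LogName      = $LogName
        ProviderName = $ProviderName
        Level        = $Level
        StartTime    = $StartTime
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction Ignore |
        Group-Object { Get-Date $_.TimeCreated -Format yyyy-MM-dd } -NoElement |
        Sort-Object Name |
        Select-Object @{ n = 'Day'; e = { $_.Name } }, Count
}

# Per-day counts of search-related errors for the last 30 days
Get-SearchErrorsPerDay

# Timing comparison. Get-EventLog only exists in Windows PowerShell 5.1,
# so the old branch is skipped on PowerShell 7.
$since = (Get-Date).AddDays(-30)
$new = Measure-Command { Get-SearchErrorsPerDay -StartTime $since | Out-Null }
"Get-WinEvent : {0:N2} s" -f $new.TotalSeconds

if (Get-Command Get-EventLog -ErrorAction SilentlyContinue) {
    $old = Measure-Command {
        # Get-EventLog has no server-side date filter: -After still reads the log
        # and filters records after the fact, which is where the time goes.
        Get-EventLog -LogName Application -Source *search* -EntryType error -After $since |
            Group-Object { Get-Date $_.TimeGenerated -Format yyyy-MM-dd } -NoElement |
            Out-Null
    }
    "Get-EventLog : {0:N2} s" -f $old.TotalSeconds
}
```

Run it in both Windows PowerShell and PowerShell 7 to see the same function work in both, while the Get-EventLog branch only runs in the former.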
