As part of an Active Directory Health Check (think “ADRAP”), I needed to document the top errors and warnings in several event logs, including the System, Application, DNS, Directory Service, FRS, and others. This list also needed to include the source of the errors. Since there were a bunch of domain controllers, I didn’t want to spend all day manually looking through event logs, filtering, etc. PowerShell to the rescue.
Get-EventLog is pretty self-explanatory. We tell this command we want to look at the System event log (-LogName system), and that we're only interested in errors (-EntryType error). We could look for other entry types, too: Information, FailureAudit, SuccessAudit, and Warning. Get-EventLog can also filter based on dates (-After and -Before), usernames (-UserName), source, message text, etc.
We then take the output of that, and pipe it to Group-Object (or "group" for short). We group based on source and eventID. This lumps all of the events with the same source and the same eventID together as one object, with a Count of how many times it appeared. Grouping on both properties is important, because if there are errors with the same source, but different eventIDs, we want those listed separately.
Next, we use Sort-Object, or "sort", to arrange the results into a usable list, with the highest counts at the top. Sort-Object sorts ascending by default, so the -Descending switch (abbreviated -desc below) is what puts the noisiest events first. Since we only need the top 5 in the list for this exercise, Select-Object, or "select", comes into play. This will return just the number of objects we specify. In this case, that's 5. Since we pass the -First parameter to this cmdlet, we get the first 5 results that were piped from the previous command, which after the sort are the 5 highest counts. And lastly, we display just the Count and the Name using Format-Table, or "ft". Since we grouped on source and eventID together, the Name will be the name of the source, followed by the corresponding eventID. The output looks like this:
Count Name
----- ----
  179 Microsoft-Windows-GroupPolicy, 1006
   30 Service Control Manager, 7031
   19 Microsoft-Windows-Hyper-V-Netvsc, 2
   15 Service Control Manager, 7034
   10 Microsoft-Windows-WindowsUpdateClient, 20
Exactly what I was after: the top 5 errors in the System event log, sorted by how many times each error appeared in the log, with the source name and eventID for each one. The one-liner looks like this:
Get-EventLog -LogName system -EntryType error | Group-Object source,eventid | Sort-Object count -desc | Select-Object -first 5 | Format-Table count,name
We could also strip off the Format-Table stuff, and use Export-Csv to dump the results to a CSV file. One caveat: the objects coming out of Group-Object also carry a Group property (the collection of events in that group) and a Values property, and Export-Csv will write those out as their .NET type names rather than anything useful. Selecting just Count and Name before exporting keeps the CSV clean:

Get-EventLog -LogName system -EntryType error | Group-Object source,eventid | Sort-Object count -desc | Select-Object -first 5 -Property count,name | Export-Csv c:\SystemErrors.csv -NoTypeInformation
Pretty straightforward, and fairly quick, as long as your event logs aren't huge. Get-EventLog reads the whole log and then filters on the client side, so a multi-gigabyte Security or System log will take a while; Get-WinEvent with -FilterHashtable filters on the server side and is the better tool for large logs (and the only option in PowerShell 6 and later, where Get-EventLog no longer exists). We can also target remote computers by appending the -ComputerName parameter to the Get-EventLog cmdlet. This uses RPC to the remote event log service, so the "Remote Event Log Management" firewall rules have to allow it and the account running the command needs read access to the log on the remote machine. For example:
Get-EventLog -LogName system -EntryType error -ComputerName mycomputer.contoso.local | Group-Object source,eventid | Sort-Object count -desc | Select-Object -first 5 | Export-Csv c:\SystemErrors.csv -NoTypeInformation
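For an actual health check you want the same top-N list for every domain controller, every log, and both errors and warnings, in one CSV. The script below is an added example that does that by wrapping the one-liner in three loops; it is not code from the original post. It assumes the ActiveDirectory module (RSAT) is present so Get-ADDomainController can enumerate the DCs, that the account running it can read the remote logs, and that the log names and output path are the ones you want; all of those are assumptions you should adjust. Unlike the one-liner, it flattens each group into plain Source/EventID/Count columns, so the CSV is usable directly, and it records the timestamp of the most recent occurrence, which is what you will be asked for next.

```powershell
# Added example, not from the original post. Collects the top N errors and
# warnings from several classic event logs on every domain controller and
# writes one CSV. Assumes the ActiveDirectory module is available and that
# the caller can read remote event logs; log names and OutFile are assumptions.
param(
    [string[]]$ComputerName = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName),
    # Classic logs present on a typical DC; FRS will be missing on DFSR-only domains.
    [string[]]$LogName = @('System', 'Application', 'DNS Server', 'Directory Service', 'File Replication Service'),
    [ValidateSet('Error', 'Warning')]
    [string[]]$EntryType = @('Error', 'Warning'),
    [int]$Top = 5,
    [string]$OutFile = 'C:\Temp\DC-TopEvents.csv'
)

$results = foreach ($dc in $ComputerName) {
    foreach ($log in $LogName) {
        foreach ($type in $EntryType) {
            try {
                # Same pipeline as the one-liner, with the computer, log and type substituted in.
                # -ErrorAction Stop turns "log does not exist" and "No matches found"
                # (which Get-EventLog raises for an empty result) into catchable errors.
                Get-EventLog -ComputerName $dc -LogName $log -EntryType $type -ErrorAction Stop |
                    Group-Object -Property Source, EventID |
                    Sort-Object -Property Count -Descending |
                    Select-Object -First $Top |
                    ForEach-Object {
                        # Flatten the GroupInfo object into plain columns. The first member of
                        # the group supplies Source and EventID, so we never have to split Name.
                        [pscustomobject]@{
                            ComputerName = $dc
                            LogName      = $log
                            EntryType    = $type
                            Source       = $_.Group[0].Source
                            EventID      = $_.Group[0].EventID
                            Count        = $_.Count
                            LastSeen     = ($_.Group | Sort-Object TimeGenerated -Descending | Select-Object -First 1).TimeGenerated
                        }
                    }
            }
            catch {
                # A host without this log, an empty result, or an RPC/firewall failure
                # lands here. Record it and keep going rather than aborting the whole run.
                Write-Warning ("{0} / {1} / {2}: {3}" -f $dc, $log, $type, $_.Exception.Message)
            }
        }
    }
}

# One CSV for the report, ordered by DC, log and type with the noisiest events first.
$results |
    Sort-Object -Property ComputerName, LogName, EntryType, @{Expression = 'Count'; Descending = $true} |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

# Quick on-screen summary while the CSV is being written.
$results | Format-Table ComputerName, LogName, EntryType, Count, Source, EventID, LastSeen -AutoSize
```

Run it from an elevated Windows PowerShell session on a machine with RSAT, or pass -ComputerName explicitly to skip the Active Directory lookup. Because each Get-EventLog call pulls the entire log across RPC before filtering, a domain with many DCs and large logs will take a while; for that case, swap the inner Get-EventLog for Get-WinEvent -ComputerName $dc -FilterHashtable @{LogName=$log; Level=2} (Level 2 is Error, 3 is Warning) and group on ProviderName and Id instead.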