Powershell and the Applications and Services Logs

I would like to show how to work with events under the Applications and Services Logs using PowerShell. My examples use the IIS configuration logging and tracing events; how to turn those on is described in this article: http://blogs.iis.net/webtopics/archive/2010/03/19/iis-7-5-how-to-enable-iis-configuration-auditing.aspx

Sometimes I have to work with event logs under the Applications and Services Logs folder, which groups logs by the component of the system that writes them. Each component can have up to four log types:

  • Administrative
  • Operational
  • Analytic
  • Debug

The latter two are hidden by default; click View -> Show Analytic and Debug Logs in the Event Viewer MMC console to make them visible.

Screenshot: View hidden apps and services event logs

You can enable these logs, change their properties and query their events from the MMC, but sometimes it has to be done from PowerShell, for example in a script that configures many servers.

To list most of the cmdlets that deal with events and related objects, I typed the following command:

Get-Command *-*event*

Screenshot: PowerShell cmdlets working with events

All cmdlets whose noun is EventLog (Get-EventLog, Write-EventLog, Limit-EventLog, Clear-EventLog and so on) work only with the classic logs (Application, Security, System and other logs registered the old way). They also exist only in Windows PowerShell; PowerShell 6 and later removed them, so there Get-WinEvent is the only option even for the classic logs.

Query the events

To query events we first need the name of the log. This is easy for the well-known Application, System and Security logs, but not as obvious for the Applications and Services Logs. To find it, open the properties panel of the log in Event Viewer and look at the Full Name field.

Screenshot: Log properties

Using this name with the Get-EventLog cmdlet, however, gives an error saying that the log simply does not exist.

Screenshot: Get-EventLog cannot get events from the Applications and Services Logs

To list all the logs Get-EventLog can handle, type:

Get-EventLog -list

The list is short because Get-EventLog can handle only the classic event logs. To query events from the Applications and Services Logs, use the Get-WinEvent cmdlet instead. It is designed as the replacement for Get-EventLog and reads both the classic logs and the newer channel-based logs (as well as saved .evtx and .etl files).

For example, to query the events of the IIS configuration tracing Operational log, type this command:

Get-WinEvent Microsoft-IIS-Configuration/Operational

By default this returns every entry in the specified log, newest first, so you can pipe the result into whatever filtering you like. Two caveats: on a large log, limit the query with -MaxEvents or filter inside the Event Log service with -FilterHashtable rather than piping everything into Where-Object, and Analytic and Debug logs can only be read with the -Oldest switch (Get-WinEvent refuses to read them otherwise).
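As an added example (not code from the original post), here is how I would actually pull the IIS configuration auditing events for review: filter server-side by log name and time, then flatten each event's EventData into properties so the result can be grouped, searched or exported. The log name is the one from the post; the seven-day window and the 500-event cap are assumptions for the example.

```powershell
# Added example: review recent IIS configuration auditing events.
# Log name from the post; time window and event cap are assumptions.
$LogName = 'Microsoft-IIS-Configuration/Operational'
$Since   = (Get-Date).AddDays(-7)

# -FilterHashtable filters inside the Event Log service instead of pulling every
# event into PowerShell; -ErrorAction SilentlyContinue suppresses the
# "No events were found" error on an empty or freshly enabled log.
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $Since } -MaxEvents 500 -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No events in $LogName since $Since (is the log enabled?)"
    return
}

# Each event's payload lives in <EventData><Data Name="...">; expose every named
# Data element as a property so the rows are greppable and exportable.
$flattened = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $row = [ordered]@{
        TimeCreated = $e.TimeCreated
        Id          = $e.Id
        Level       = $e.LevelDisplayName
        Computer    = $e.MachineName
        # UserId is a SID (or null); translate it, but keep the SID if the account is gone
        User        = if ($e.UserId) {
                          try { $e.UserId.Translate([System.Security.Principal.NTAccount]).Value }
                          catch { $e.UserId.Value }
                      } else { $null }
    }
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d -is [System.Xml.XmlElement] -and $d.Name) { $row[$d.Name] = $d.'#text' }
    }
    [pscustomobject]$row
}

# Summary first (which event IDs fired how often), then the detailed rows.
$flattened | Group-Object Id | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$flattened | Sort-Object TimeCreated | Format-Table -AutoSize

# To hand the rows to a SIEM or spreadsheet, uncomment:
# $flattened | Export-Csv -NoTypeInformation -Path "$env:TEMP\iis-config-audit.csv"
```

The flattening loop does not depend on the event IDs or field names of the IIS provider, so the same script works for any channel whose events carry an EventData section; the column set simply follows whatever Data elements the provider writes.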

Modify a specific applications and services log settings

By default these IIS logs are not enabled, so let's take a look at how to enable and configure them with PowerShell.

To get all the logs on the system use this command:

Get-WinEvent -ListLog *

Add filtering as you wish. For example, I took the full name of the IIS log from its properties (see earlier) and listed only the IIS-specific logs:

Get-WinEvent -ListLog Microsoft-IIS*

Format the result in list view to see all properties:

Get-WinEvent -ListLog Microsoft-IIS* | fl *

Screenshot: Query Microsoft-IIS-Configuration logs

To enable or disable a specific log, set the IsEnabled property of the EventLogConfiguration object that Get-WinEvent -ListLog returns, then call SaveChanges(). The object is only an in-memory copy of the settings; nothing happens on the system until you save it.

$IISOpsLog = Get-WinEvent -ListLog Microsoft-IIS-Configuration/Operational
$IISOpsLog.IsEnabled = $true
$IISOpsLog.SaveChanges()

After SaveChanges() the Microsoft-IIS-Configuration/Operational log is enabled. This needs an elevated session, because the settings live under HKLM. The same object exposes the other settings too, such as LogFilePath, LogMode (retention) and MaximumSizeInBytes; play with them as needed, just don't forget to save your changes.

Example, changing the logfile path (the target directory must already exist; the service does not create it):

$IISOpsLog.LogFilePath = "D:\Logs\IISOpsLog.evtx"
$IISOpsLog.SaveChanges()

Check the updated settings by running Get-WinEvent -ListLog again. My updated properties:

Screenshot: Updated Microsoft-IIS-Configuration log settings
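Putting the steps above together, here is the script I would run to switch on IIS configuration auditing and make sure the entries survive long enough to be useful. This is an added example, not code from the original post: the log name comes from the post, while the target path, the 64 MB size and the circular retention mode are assumptions you should adjust. It checks for elevation first, creates the log directory, saves the settings and then verifies them with a fresh query and with wevtutil.

```powershell
# Added example: enable and configure the IIS configuration auditing channel.
# Log name from the post; path, size and retention mode are assumptions.
$LogName = 'Microsoft-IIS-Configuration/Operational'
$NewPath = 'D:\Logs\Microsoft-IIS-Configuration-Operational.evtx'

# Channel settings live under HKLM, so this must run elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

# -ListLog returns an EventLogConfiguration object; edits are staged in memory
# until SaveChanges() is called.
$log = Get-WinEvent -ListLog $LogName

# The Event Log service will not create a missing directory for LogFilePath.
$dir = Split-Path -Parent $NewPath
if (-not (Test-Path -LiteralPath $dir)) {
    New-Item -ItemType Directory -Path $dir | Out-Null
}

$log.IsEnabled          = $true
$log.LogFilePath        = $NewPath
$log.MaximumSizeInBytes = 64MB        # default is small; audit data is worth keeping
$log.LogMode            = 'Circular'  # 'AutoBackup' archives full logs instead of overwriting
$log.SaveChanges()                    # the step that is easy to forget

# Verify from a fresh query rather than from the object we just edited.
$check = Get-WinEvent -ListLog $LogName
$check | Format-List LogName, IsEnabled, LogFilePath, MaximumSizeInBytes, LogMode, RecordCount

# Cross-check with the built-in tool, which reads the same configuration.
wevtutil gl $LogName
```

The size and retention settings matter more than they look: these channels default to a small maximum size, so on a busy server the entry that tells you who changed the IIS configuration last week may already have been overwritten by the time you go looking for it. AutoBackup keeps every full log as a separate file at the cost of disk space; Circular keeps the most recent entries only.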

Under the hood, all of this configuration is stored in the registry under the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels. Each log has its own subkey named after the log, and the Enabled value there is what the IsEnabled property maps to.

Screenshot: Applications and services logs settings in the registry
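Because the registry is the ground truth, it is also a good place to check that nobody has quietly switched a log off. The following added example (not from the original post) reads the Enabled and OwningPublisher values of every channel subkey and compares them with what Get-WinEvent -ListLog reports. It uses the .NET Registry class rather than the HKLM: provider because the subkey names contain a forward slash; the Microsoft-IIS* filter at the end is an assumption for this post's scenario.

```powershell
# Added example: compare channel state in the registry with the live view.
# Key path from the post; the Microsoft-IIS* filter is an assumption.
$ChannelsPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels'
$root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($ChannelsPath)
if (-not $root) { throw "Channel key not found: HKLM\$ChannelsPath" }

# One row per channel subkey; subkey names are the full log names
# (e.g. Microsoft-IIS-Configuration/Operational).
$fromRegistry = foreach ($name in $root.GetSubKeyNames()) {
    $k = $root.OpenSubKey($name)
    [pscustomobject]@{
        LogName         = $name
        EnabledInReg    = [bool]$k.GetValue('Enabled', 0)
        OwningPublisher = $k.GetValue('OwningPublisher')
    }
    $k.Close()
}
$root.Close()

# Index the live view by log name for a simple join. Some logs need extra
# privileges to enumerate, so ignore those errors rather than stopping.
$live = @{}
foreach ($l in Get-WinEvent -ListLog * -ErrorAction SilentlyContinue) {
    $live[$l.LogName] = $l
}

$report = foreach ($r in $fromRegistry) {
    $l = $live[$r.LogName]
    [pscustomobject]@{
        LogName         = $r.LogName
        EnabledInReg    = $r.EnabledInReg
        EnabledLive     = if ($l) { $l.IsEnabled }   else { $null }
        RecordCount     = if ($l) { $l.RecordCount } else { $null }
        OwningPublisher = $r.OwningPublisher
    }
}

# The logs this post is about:
$report | Where-Object { $_.LogName -like 'Microsoft-IIS*' } | Format-Table -AutoSize

# Registry and live state disagreeing is worth a look: either a change has not
# taken effect yet, or the key was edited behind the Event Log service's back.
$report | Where-Object { $null -ne $_.EnabledLive -and $_.EnabledInReg -ne $_.EnabledLive } |
    Format-Table -AutoSize
```

Run it elevated if you want the live view to include every log; unprivileged sessions still get the registry side, which is readable by normal users, so the EnabledInReg column alone already answers "is auditing on?".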
