I would like to show how to work with events under Applications and Services Logs using PowerShell. For this, my examples use IIS logging and tracing events. You can find out more in this article: http://blogs.iis.net/webtopics/archive/2010/03/19/iis-7-5-how-to-enable-iis-configuration-auditing.aspx
Sometimes I have to work with event logs under the Applications and Services Logs folder, which stores log files grouped by the particular component of the system that writes them. By default it contains 4 categories with 4 logs:
The latter 2 are hidden by default; you have to click View -> Show Analytic and Debug Logs in the MMC console to make them visible.
You can enable this type of logging, set its properties and query events from the MMC, but sometimes it is required to do it using PowerShell.
To get most of the commandlets which can be used with events and related stuff, I typed the following command:
All commandlets ending with EventLog as the noun can only be used on the classic logs (Application, Security, System).
Query the events
To query the events, first we need the name of the event container. This is easy with the well-known Application, System and Security logs, but not as obvious with the Applications and Services Logs. To retrieve the name, open the properties panel of the log and look for Full Name.
But using this name with the Get-EventLog commandlet gives an error, saying the log simply does not exist.
To retrieve all the logs Get-EventLog can handle, type:
This is not much, because Get-EventLog can handle only classic event logs. So to query events from the Applications and Services Logs, use the Get-WinEvent commandlet, which is designed to be the replacement for Get-EventLog.
For example, to query the IIS Configuration tracing's Operational log events, type this command:
By default this returns every event entry from the specified container, so you can apply filtering or anything else you like to the result.
Modify a specific Applications and Services log's settings
By default these IIS logs are not enabled, so let's take a look at how we can enable and configure them with PowerShell.
To get all the logs on the system use this command:
Get-WinEvent -ListLog *
Add filtering as you wish. For example, I checked the full name of the IIS log file in its properties (see earlier) and queried the IIS-specific logs:
Get-WinEvent -ListLog Microsoft-IIS*
Format the result in list view to see all properties:
Get-WinEvent -ListLog Microsoft-IIS* | fl *
To enable or disable a specific log, set the IsEnabled property, then save the changes with SaveChanges() (without it the new value is never written back to the system):
$IISOpsLog = Get-WinEvent -ListLog Microsoft-IIS-Configuration/Operational
$IISOpsLog.IsEnabled = $true
$IISOpsLog.SaveChanges()
After this, the Microsoft-IIS-Configuration/Operational log will be enabled. Play with the other settings, like changing the LogFilePath, retention and size; just don't forget to save your changes.
Example, changing the log file path:
$IISOpsLog.LogFilePath = "D:\Logs\IISOpsLog.evtx"
$IISOpsLog.SaveChanges()
See the updated settings by using Get-WinEvent again. My updated properties:
Under the hood, all this configuration information is stored in the registry under the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels
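Putting the pieces together, here is an added example (not from the original post) that enables the IIS configuration audit channel, persists the change, reads the settings back both through Get-WinEvent and from the WINEVT\Channels registry key, and then queries the channel with a server-side time filter instead of pulling every record. It assumes an elevated session, that IIS tracing is installed so the channel exists, and the constructed path D:\Logs.

```powershell
# Added example, not from the original post. Assumes an elevated session,
# that IIS tracing is installed so the channel exists, and that D:\Logs
# exists (constructed path).
$channel = 'Microsoft-IIS-Configuration/Operational'

# 1. Enable and configure the channel; nothing persists without SaveChanges().
$log = Get-WinEvent -ListLog $channel -ErrorAction Stop
if (-not $log.IsEnabled) {
    $log.IsEnabled          = $true
    $log.MaximumSizeInBytes = 20MB
    $log.LogFilePath        = 'D:\Logs\IISOpsLog.evtx'
    $log.SaveChanges()
}

# 2. Verify by re-reading the configuration instead of trusting the object.
Get-WinEvent -ListLog $channel |
    Format-List LogName, IsEnabled, LogMode, MaximumSizeInBytes, LogFilePath

# 3. The same settings are stored under WINEVT\Channels. The .NET registry API
#    is used because the channel name contains a '/', which PowerShell provider
#    paths also accept as a separator; value names are listed rather than assumed.
$subKey = "SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\$channel"
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey)
if ($null -ne $key) {
    foreach ($name in $key.GetValueNames()) {
        '{0,-20} {1}' -f $name, $key.GetValue($name)
    }
    $key.Close()
}

# 4. Query only the last 24 hours. -FilterHashtable is evaluated by the event
#    log service, so it is far cheaper than piping every record to Where-Object.
$filter = @{ LogName = $channel; StartTime = (Get-Date).AddDays(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName,
        @{ Name = 'Message'; Expression = { ($_.Message -replace '\s+', ' ').Trim() } } |
    Format-Table -AutoSize -Wrap
```

Get-WinEvent reports a non-terminating "No events were found" error when the channel is empty, which is why the query step uses -ErrorAction SilentlyContinue.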