Use Custom Views from Windows Event Viewer in PowerShell

Summary: Learn how to use Event Viewer custom views in Windows PowerShell to parse event logs quickly.

Hey, Scripting Guy! I love Windows 7. It absolutely rocks! One of the things I love about Windows 7, in addition to Windows PowerShell, is the new Event Viewer. I have created a custom view in my Event Viewer. I exported that custom view, and when I try to use it in the Get-WinEvent cmdlet, it fails. Can you help me? I would love to be able to use Windows PowerShell to parse my custom view of the event logs. I know you can do this because you are the greatest!

—LD

Hello LD,

Microsoft Scripting Guy Ed Wilson here. I agree with you, at least on two counts. I also love Windows 7 and the new Event Viewer. The Windows PowerShell Get-WinEvent cmdlet is also very powerful, and provides lots of opportunities for experimentation. I have written many articles about using the Get-WinEvent cmdlet on the Hey, Scripting Guy! Blog.

So, let’s see what exactly you are talking about when it comes to exporting a custom view from the Event Viewer application. As shown in the following figure, when I open the Event Viewer, the top portion in the upper left section of the screen contains Custom Views.

Image of Custom Views in Event Viewer

To create a custom view, I select Create Custom View from the Action pane and the Create Custom View interface is displayed. This dialog box is shown in the following figure.

Image of Create Custom View dialog box

After I save the custom view, I can export it to XML by selecting the custom view, and clicking Export Custom View in the Action menu. This technique works great for exporting custom event log views either for backup purposes, or to use on other computers via the Event Viewer application. Unfortunately, it does not work when I attempt to import it via the Get-WinEvent cmdlet:

Get-WinEvent -FilterXml ([xml](Get-Content C:\fso\exportedCustomView.xml))

The command and associated error are shown in the following figure.

Image of command and associated error

The reason the error is generated is because Export Custom View includes additional information required by the Event Viewer to create and host the custom event view. What the Get-WinEvent cmdlet requires is the <QueryList> information.

To find the <QueryList> information, I click Filter Current Custom View in the Action menu. When the Filter Current Custom View dialog box appears, I click the XML tab. This displays the <QueryList> information, as shown in the following figure.

Image of <QueryList> information

There is no copy button, even if you select the Edit query manually check box. But I can easily highlight everything with my mouse, and press Ctrl+C to copy the selection to the Clipboard. After I have copied the information to the Clipboard, I create a new text file, paste the contents, and save it with a .xml file extension. The following figure shows the contents of the custom event log view.

Image of contents of custom event log view

After I have only the <QueryList> information in a text file, I can now use the exact same command I used previously, but this time it works. The command I use is shown here:

Get-WinEvent -FilterXml ([xml](Get-Content C:\fso\Past24CustomView.xml))

The command and associated output are shown in the following figure.

Image of command and associated output

Here are the steps I use:

  1. Create a custom view in the Event Viewer utility.
  2. Display the <QueryList> information from the custom view by clicking Filter Current Custom View in the Action menu.
  3. Click the XML tab.
  4. Highlight the <QueryList> information with your mouse, and press Ctrl+C to copy the <QueryList> data to the Clipboard.
  5. Open Notepad and paste the information from the Clipboard into the new text file.
  6. Save the file with a .xml file extension.
  7. Use the Get-Content cmdlet to read the contents of the XML file.
  8. Cast the returned data to the [XML] type and pass it to the FilterXml parameter of the Get-WinEvent cmdlet.

That is it. It seems like a lot of steps, but they are pretty logical. In addition, this provides an excellent way to process data quickly from multiple event logs.
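The whole procedure in one script, as an added example that is not code from the original post: it writes the kind of <QueryList> the XML tab shows (this particular query is constructed for illustration and was not taken from the post's figures), saves it with an .xml extension in the C:\fso folder the post uses, and then reads it back, casts it to [xml], and passes it to the FilterXml parameter. The query selects Critical and Error events (Level 1 or 2) from the System and Application logs in the past 24 hours; 86400000 is 24 hours expressed in milliseconds, which is the unit timediff() uses.

```powershell
# Added example, not from the original post. Steps 1-4 of the post are done in
# Event Viewer; this script covers steps 5-8 with a constructed <QueryList>.
# One <Query> with several <Select> elements is the shape the XML tab produces
# when a custom view spans more than one log.
$queryList = @"
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[(Level=1 or Level=2) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
    <Select Path="Application">*[System[(Level=1 or Level=2) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
  </Query>
</QueryList>
"@

# Step 6: save the text with an .xml extension (C:\fso is the folder used in the post)
$path = 'C:\fso\Past24CustomView.xml'
Set-Content -Path $path -Value $queryList -Encoding UTF8

# Steps 7 and 8: read the file, cast it to [xml], and hand it to -FilterXml.
# Get-WinEvent reports "No events were found" as an error when the view is
# empty; -ErrorAction SilentlyContinue keeps that from halting a script.
$events = Get-WinEvent -FilterXml ([xml](Get-Content -Path $path)) -ErrorAction SilentlyContinue

# Summarize the view's output: event counts per log and provider, busiest first
$events |
  Group-Object -Property LogName, ProviderName |
  Sort-Object -Property Count -Descending |
  Select-Object -Property Count, Name |
  Format-Table -AutoSize
```

Because the same filter text is what Event Viewer evaluates, any query you can express on the XML tab (including the Edit query manually variant) can be saved and replayed this way, which is handy for keeping a set of reviewable event-log views under version control.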

LD, that is all there is to using a custom view from Event Viewer in a Windows PowerShell cmdlet. Join me tomorrow for more exciting Windows PowerShell tricks.

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy

  • Hi Ed,

    this is good ... but you can do even better without the copy & paste approach :-)

    You are right: The export to Xml does us no favour in encapsuling the XML element "QueryList" in some bigger Xml context. In fact it is just a node in the following hierarchy

    "/ViewerConfig/QueryConfig/QueryNode/QueryList"

    We can address it directly by

    Get-WinEvent -FilterXML ([xml](Get-Content C:\fso\exportedCustomView.xml)).ViewerConfig.QueryConfig.QueryNode.QueryList.OuterXml

    or by

    Get-WinEvent -FilterXml ([xml](Get-Content C:\fso\exportedCustomView.xml)).SelectSingleNode("//QueryList").OuterXml

    I'd prefer the latter but if you know the structure, the former is a bit more efficient!

    It's not too difficult to use a little bit of XML functionality, but I know that it is a big hurdle!

    Klaus.
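A script version of the approach Klaus describes, added here as an example that is neither the post's nor Klaus's code: it reads a file produced by Export Custom View, locates the <QueryList> node with SelectSingleNode, and passes that node's OuterXml to Get-WinEvent. The export file content below is a constructed stand-in; only the ViewerConfig/QueryConfig/QueryNode/QueryList hierarchy named in the comment matters to the lookup, and the function Get-CustomViewQueryList is a name chosen for this example.

```powershell
# Added example, not from the original post or the comment above.
# Constructed stand-in for a file written by Export Custom View: the real
# export wraps the same <QueryList> in ViewerConfig/QueryConfig/QueryNode.
$exported = @"
<ViewerConfig>
  <QueryConfig>
    <QueryParams>
      <Simple>
        <Channel>System</Channel>
        <RelativeTimeInfo>86400000</RelativeTimeInfo>
      </Simple>
    </QueryParams>
    <QueryNode>
      <Name>Past24CustomView</Name>
      <QueryList>
        <Query Id="0" Path="System">
          <Select Path="System">*[System[TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
        </Query>
      </QueryList>
    </QueryNode>
  </QueryConfig>
</ViewerConfig>
"@
$exportPath = 'C:\fso\exportedCustomView.xml'
Set-Content -Path $exportPath -Value $exported -Encoding UTF8

function Get-CustomViewQueryList {
    # Hypothetical helper name; returns the <QueryList> element as a string.
    param([Parameter(Mandatory = $true)][string]$Path)

    $doc = [xml](Get-Content -Path $Path)

    # The XPath search finds QueryList wherever it sits, so the same function
    # works for a full export and for a file holding only the <QueryList>
    # (the copy-and-paste file from the post).
    $node = $doc.SelectSingleNode('//QueryList')
    if ($null -eq $node) {
        throw "No <QueryList> element found in '$Path'; is this an Event Viewer export?"
    }
    return $node.OuterXml
}

# -FilterXml accepts the string form, which is what .OuterXml returns.
$filter = Get-CustomViewQueryList -Path $exportPath
Get-WinEvent -FilterXml $filter -MaxEvents 20 -ErrorAction SilentlyContinue |
  Select-Object -Property TimeCreated, Id, LevelDisplayName, ProviderName
```

The explicit null check is the practical addition over the one-liners in the comment: a property chain such as .ViewerConfig.QueryConfig.QueryNode.QueryList silently yields nothing on a file with a different layout, and Get-WinEvent then fails with a less obvious error.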

  • @Klaus Schulte this is great! Thank you for sharing ... I did not think about doing this directly. Cool stuff.

  • I accidentally made a custom view and now my memory fills with unnecessary log information and makes everything very slow :(

    I just want to delete the custom view. BUT it doesn't work, there is no option to delete a view once created?! This can't be true or a joke.

    Am I totally blind or can someone help me please?

  • Can you create the custom view using powershell?  perhaps create it with powershell using the XML to import.

  • @Derek - Yes

    See: blogs.msdn.com/.../using-get-winevent-filterxml-to-process-windows-events.aspx

    AND

    Post here: social.technet.microsoft.com/.../threads