Collecting event logs

In the past month I had several times the need for collecting event logs across multiple servers or parsing exported ones from *.evtx files. Get-WinEvent is the perfect cmdlet for doing this, as you can use it for querying both.

But of course the out-of-the-box experience, usage and output didn't fit my own requirements and those of others. Therefore I ended up writing a new script.

Introduction

The script is basically a wrapper for Get-WinEvent, optimized for using the lightning fast FilterXPath and FilterHashtable parameters. It can also format the returned entries (more or less most of them). But the most important fact is that the script adds what Get-WinEvent lacks: the ability to query multiple computers in parallel. I highly recommend the following posts about this topic:

The script

You can find the latest README and version on GitHub:

https://github.com/IngoGege/Collect-Event

How it looks in action

In this example I want to get the last 100 events about unsuccessful ProbeResults of Exchange. You can find all results in the crimson channel of Exchange:

As described in the document Managed Availability, we need to check for ResultType 1 or 4. As this information is buried somewhere in the depth of the event, I'm using FilterXPath for this:

$p=.\Collect-Event.ps1 -LogName Microsoft-Exchange-ActiveMonitoring/ProbeResult `
-Verbose -ComputerName $env:COMPUTERNAME `
-FilterXPath 'Event[UserData[EventXML[ResultType="4"] or EventXML[ResultType="1"] ]]'

Note: I added some line-breaks in the code above for readability. This might cause some issues when copying. Therefore here it is without the back-ticks:

$p=.\Collect-Event.ps1 -LogName Microsoft-Exchange-ActiveMonitoring/ProbeResult -Verbose -ComputerName $env:COMPUTERNAME -FilterXPath 'Event[UserData[EventXML[ResultType="4"] or EventXML[ResultType="1"] ]]'

The script also returns the runtime when running with -Verbose.

Let's see what happens when running against multiple servers. First without multi-threading:

It took almost 15 minutes to collect the events. Now with multi-threading:

It took only 3 minutes and 18 seconds this time!

If you have exported logs in *.evtx format, you can also use the script for parsing them. I've previously exported everything into the file C:\temp\Exported_ProbeResult.evtx for this example.
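The following is an added example (not the Collect-Event script itself) that shows the approach the post describes in one piece: the same FilterXPath for ResultType 1 or 4, one background job per server instead of a serial Get-WinEvent loop, and the option to run the identical query against the exported .evtx file. It assumes the caller has remote event log access to the servers; the function name, server names and the field extraction are my own additions.

```powershell
function Get-FailedProbeResult {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [string]$Path,            # optional: exported .evtx file instead of live logs
        [int]$MaxEvents = 100
    )
    # ResultType 1 and 4 mark failed probes; they sit under UserData, which
    # FilterHashtable cannot reach, so FilterXPath is used (as in the post).
    $xpath = 'Event[UserData[EventXML[ResultType="4"] or EventXML[ResultType="1"]]]'
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $query = {
        param($Target, $Xp, $Max, $IsFile)
        $splat = @{ FilterXPath = $Xp; MaxEvents = $Max; ErrorAction = 'Stop' }
        if ($IsFile) { $splat.Path = $Target }
        else {
            $splat.LogName      = 'Microsoft-Exchange-ActiveMonitoring/ProbeResult'
            $splat.ComputerName = $Target
        }
        try {
            # Extract fields inside the job: Receive-Job returns deserialized
            # objects that no longer carry the ToXml() method.
            foreach ($e in Get-WinEvent @splat) {
                $ud = ([xml]$e.ToXml()).Event.UserData.EventXML
                [pscustomobject]@{
                    TimeCreated = $e.TimeCreated
                    Computer    = $e.MachineName
                    EventId     = $e.Id
                    ResultType  = $ud.ResultType
                }
            }
        } catch { Write-Warning "$Target : $_" }
    }
    # An exported file is parsed once; live logs get one background job per server.
    $isFile  = [bool]$Path
    $targets = if ($isFile) { @($Path) } else { $ComputerName }
    $jobs = foreach ($t in $targets) {
        Start-Job -ScriptBlock $query -ArgumentList $t, $xpath, $MaxEvents, $isFile
    }
    $result = $jobs | Wait-Job | Receive-Job
    $jobs | Remove-Job
    Write-Verbose ("Collected {0} events in {1}" -f @($result).Count, $sw.Elapsed)
    $result
}

# Constructed usage: three servers in parallel, or the exported file from the post.
Get-FailedProbeResult -ComputerName 'EX01','EX02','EX03' -Verbose
Get-FailedProbeResult -Path 'C:\temp\Exported_ProbeResult.evtx' -Verbose
```

A server that is unreachable or returns no matching events produces a warning from its job rather than aborting the whole collection.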

Tip

FilterXPath is very complex, and frustration can be huge when you don't get the expected result, but it's very powerful!

FilterHashtable is easier to handle and most likely the best starting point. I want to highlight that Data accepts multiple values, but it's case-sensitive and you cannot use an asterisk (*) to shorten the value or perform a like operation. It's also only usable when the event XML has plain <Data> nodes without any attributes. Here is an example:

Conclusion

I hope the script helps you collecting your logs. Feedback is always welcome!
