When you want to read some logfiles from a remote server you can use several ways. One that I like is:

$logs=Get-Eventlog application
$logs[0] | Get-Member

Another nice one is listed here
You would then run the command like this:
.\Get_eventsByWMI.ps1 -computer servername -eventid 6005

You would then see when the computer was started

When you want to see the events that occure the most frequently type

$events = get-eventlog -logname system -newest 1000
$events | group-object -property source -noelement | sort-object -property count -descending

Another very usefull command is to look for account lockout's through the eventlog from your domain controller
GET-EVENTLOG –LOGNAME Security –COMPUTERNAME "domaincontrollername" |Where-Object { ($_.EntryType –eq "FailureAudit") –and ($_.Message –like "*jim snell*") } | Select Message, TimeWritten, EventID | Format-Table -auto

What is also useful is to go through the eventlog with powershell of a print server. Grab the username that has the problem of all error print failures
GET-EVENTLOG –LOGNAME System –COMPUTERNAME servername -Source 'print' | select-string -inputobject {$_.message} -pattern "John Doe"

Or if you want to see all the error event-entries in the application log of today:
get-eventlog application| Where-Object {$_.EntryType -eq "Error"} | Where-Object {($_.TimeWritten).Date -eq (Get-Date).Date}

To play with the date let's say I want to see all the event-entries that occurred on december the fifth, if today is 2-1-2012
get-eventlog application| Where-Object {$_.EntryType -eq "Error"} | Where-Object {($_.TimeWritten).Date -eq ((get-date).date.adddays("-28"))}

If you are using WMI you can also do:
$logs = [System.Diagnostics.EventLog]::GetEventLogs('computername')
$security = $logs | ? {$_.log -like 'Security'} 

Then you could filter to only show the FailureAudit by typing:
$errors= ($security.entries | Where {$_.EntryType -eq 'failureAudit'} )
$errors | Select -first 1 | format-List *

If you don't like powershell Jeff Hicks placed a good post on how to search the logs from the command line using wevtutil
This will grab the application log and take reverse direction (most recent first) showing only 5 events output in text instead of XML
wevtutil qe application /rd:true /c:5 /f:text

See his complete post at Jeff Hicks petri.co.il

When you want to find out when a user has been unlocked look at the domain controller, keep in mind that there is probably more than one domain controller that could have this information:

Get-EventLog security -computername NameOfDomainControllerComputer | Where {($_.EventID -eq '671') -and ($_.Message -like '*Username*') } | Select TimeGenerated

I am using here time generated to find a pattern in when the user call that he or she has been locked out.

Here is another great way to see all events that happened before and after a time

$eventsapplication | where { ($_.EntryType -eq "warning") -or ($_.EventType -eq "FailureAudit") -and ([datetime]$_.TimeWritten -lt "3/22/2012 4:39:27 PM") -and ([datetime]$_.Timewritten -gt "3/22/2012 0:00:00 AM") }

here I have taken all warning and failures from a date starting at midnight that day untill 4:39:27 PM

When you want to look in the eventlog when a workstation (windows 7) is unlocked (and audited) you would search like:

EventID -eq 4801
get-eventlog security | Where {$_.EventID -eq 4801}

On Me

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License