Get-ForensicEventLog

Sat Jan 18, 2020 8:49 pm

NAME
    Get-ForensicEventLog

SYNOPSIS
    Gets the events in an event log or in all event logs.

SYNTAX
    Get-ForensicEventLog [[-VolumeName] <String>] [<CommonParameters>]

    Get-ForensicEventLog -Path <String> [<CommonParameters>]

DESCRIPTION
    The Get-ForensicEventLog cmdlet parses the specified event log file and returns an array of EventRecord objects.

    If you don't specify an event log, Get-ForensicEventLog parses all event logs in the
    C:\Windows\system32\winevt\Logs directory.

    Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the
    Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.

PARAMETERS
    -VolumeName [<String>]
        Specifies the name of the volume or logical partition (Ex. \\.\C:, \\.\HARDDISKVOLUME1, or C).

        Required?                    false
        Position?                    0
        Default value                \\.\C:
        Accept pipeline input?       false
        Accept wildcard characters?  false

    -Path <String>
        Specifies the path of the file to be parsed.

        Required?                    true
        Position?                    named
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?  false

    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer, PipelineVariable, and OutVariable. For more information, see
        about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).

INPUTS
    None

OUTPUTS
    PowerForensics.EventLog.EventRecord

    -------------------------- EXAMPLE 1 --------------------------

    [ADMIN]: PS C:\> Get-ForensicEventLog

    This command runs Get-ForensicEventLog to parse all event logs in the C:\windows\system32\winevt\logs\ directory.

    -------------------------- EXAMPLE 2 --------------------------

    [ADMIN]: PS C:\> Get-ForensicEventLog -Path C:\evidence\Application.evtx

    This command uses Get-ForensicEventLog to parse an exported Application event log.
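One way to put the -Path form to work on a whole folder of exported logs, as an added example that is not part of the PowerForensics help or module code: each .evtx is raw-parsed with Get-ForensicEventLog and its record count is cross-checked against the built-in Get-WinEvent, so files on which the two parsers disagree are surfaced for closer review. The evidence directory is a placeholder and the module is assumed to be already installed.

```powershell
# Added example (not from the PowerForensics help text or module).
# Raw-parse every exported .evtx under an evidence directory with
# Get-ForensicEventLog and compare the record count with what the
# Windows Event Log API (Get-WinEvent) reads from the same file.
# A mismatch is a cue to look closer: it can mean a damaged or edited
# file, but also a parser limitation, so it is a triage signal, not proof.
# Assumptions: PowerForensics is installed; $EvidenceDir is a placeholder.

Import-Module PowerForensics

$EvidenceDir = 'C:\evidence'   # placeholder: folder holding exported .evtx files

Get-ChildItem -Path $EvidenceDir -Filter '*.evtx' -File | ForEach-Object {
    $log = $_.FullName

    # Raw parse straight from the file, independent of the Event Log service.
    try {
        $rawCount = @(Get-ForensicEventLog -Path $log).Count
    } catch {
        $rawCount = $null
        Write-Warning "Get-ForensicEventLog failed on ${log}: $($_.Exception.Message)"
    }

    # API-based parse of the same file for comparison.
    try {
        $apiCount = @(Get-WinEvent -Path $log -ErrorAction Stop).Count
    } catch {
        # Get-WinEvent raises an error when a file holds no records; treat as zero.
        $apiCount = 0
    }

    [pscustomobject]@{
        Log      = $_.Name
        RawCount = $rawCount
        ApiCount = $apiCount
        Match    = ($null -ne $rawCount) -and ($rawCount -eq $apiCount)
    }
} | Sort-Object Match, Log | Format-Table -AutoSize
```

Run from an elevated PowerShell session, as the DESCRIPTION above requires; rows with Match = False are the files to examine first.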



RELATED LINKS