Show frequent warning events

Show all warning events from all event logs on the selected computer, ordered on the most frequent, in the specified time period where there is more than one instance of that specific event.
Arguments:
Minutes Back - the number of minutes back from the current time to search (default is 60)
Log Level - the event log level to search for events (default is Warning)
Excluded log names - an optional regular expression, e.g. "Application", which will exclude events from any event logs where the event log name matches the regular expression.
Event log Warning
Version 1.6.23
Created on 2018-07-06
Modified on 2018-11-21
Created by Guy Leech
Downloads: 194
Popular Tags
citrix vmware parallels ras horizon vdi azure powershell xenapp xendesktop netscaler rds Active Directory security avd disk cvad message disk space App-V windows
The Script Copy Script Copied to clipboard 
#Requires -version 3.0

<#
    Find repeated event log entries in a given time window across all event logs and output the most frequent

    ControlUp SBA

    Guy Leech @guyrleech 2018

    Modification history:

    09/07/18   GL  Only display Level in results if more than one level was requested (e.g. Warning,Error,Critical)

    20/11/18   GL  Give message if no events found
#>

## Arguments
##   0  Minutes back from current time
##   1  Event log level(s)
##   2  Regex of event log names to exclude

[int]$ERROR_INVALID_PARAMETER = 87
[string]$multipleUsers = '<Multiple>' ## this is output when more than one user has generated the same event log id entry
[int]$outputWidth = 200 ## could expose this as a parameter

## see if we have been called via ControlUp or by ourself
if( ! $args.Count -or $args.Count -lt 2 )
{
    Write-Error "Incorrect number of arguments passed to script - was expecting minutes back , log levels and optional regex for excluding event log names"
    exit $ERROR_INVALID_PARAMETER
}

# Altering the size of the PS Buffer
if( $PSWindow = (Get-Host).UI.RawUI )
{
    if( $WideDimensions = $PSWindow.BufferSize ) 
    {
        $WideDimensions.Width = $outputWidth
        $PSWindow.BufferSize = $WideDimensions
    }
}

[int]$minutes = $args[0]
[string]$excludedLognames = $args[2]

[hashtable]$eventLevelConversions = @{
        'LogAlways' = 0 ;
        'Critical' = 1 ;
        'Error' = 2;
        'Warning' = 3 ;
        'Informational' = 4;
        'Verbose' = 5;
}

[string]$logname = '*' ## could expose this as a parameter
[datetime]$end = Get-Date
[datetime]$start = $end.AddMinutes( -$minutes )
[array]$results = @()
[int]$eventlogs = 0
[int[]]$eventLevels = @()

ForEach( $level in ( $args[1] -split ',' ) )
{
    $eventLevels += $eventLevelConversions[ $level ]
}

[hashtable]$events = @{}

Get-WinEvent -ListLog $logname -EA silentlycontinue | Where-Object { $_.RecordCount -gt 0  } |  ForEach-Object `
{ 
    if( [string]::IsNullOrEmpty( $excludedLognames ) -or $_.LogName -notmatch $excludedLogNames )
    {
        Write-Verbose "$($_.LogName) $($_.recordcount) $($_.lastwritetime)"
        [hashtable]$filters = @{'Logname'=$_.LogName;StartTime=$start;EndTime=$end }
        if( $eventLevels.Count )
        {
            $filters.Add( 'Level' , $eventLevels )
        }

        [bool]$first = $true

        Get-WinEvent -FilterHashtable $filters -EA SilentlyContinue | ForEach-Object `
        {
            $event = $_
            [string]$key = "{0}:{1}:{2}" -f $event.id , $event.LogName , $event.ProviderName
            $existing = $events[ $key ]
            if( $existing )
            {
                $existing.Count++
                if( $event.TimeCreated -lt $existing.First )
                {
                    $existing.First = $event.TimeCreated
                }
                if( $event.TimeCreated -gt $existing.Last )
                {
                    $existing.Last = $event.TimeCreated
                }
                ## if different user then change to multiple
                if( $event.UserId ) 
                {
                    try
                    {
                        [string]$thisUser = ([System.Security.Principal.SecurityIdentifier]($event.UserId)).Translate([System.Security.Principal.NTAccount]).Value
                        if( $existing.User )
                        {
                            if( $existing.User -ne $multipleUsers )
                            {
                                if( $existing.user -ne $thisUser )
                                {
                                    $existing.user = $multipleUsers
                                }
                            }
                            ## else already recorded it as a multipl euser event
                        }
                        else
                        {
                            $existing.User = $thisUser
                        }
                    }
                    catch {}
                }
            }
            else
            {
                $events.Add( $key , [pscustomobject]@{ 'Count' = [int]1 ; 'First' = $event.TimeCreated ; 'Last' = $event.TimeCreated ; 'Message' = $event.Message ; 'LogName' = $event.LogName ; 'Id' = $event.id ; 'Level' = $event.LevelDisplayName ;
                    'User' = $( if( $event.Userid ) {([System.Security.Principal.SecurityIdentifier]($event.UserId)).Translate([System.Security.Principal.NTAccount]).Value }); 'Task' = $event.TaskDisplayName } )
            }
            if( $first )
            {
                $eventlogs++
                $first = $false
            }
        }
    }
}

Write-Verbose "Found $($events.Count) $($args[1]) events in $eventlogs event logs on $env:COMPUTERNAME between $(Get-Date $start -Format G) and $(Get-Date $end -Format G)"

[string]$dateFormat = 'T'
if( $start.DayOfYear -ne $end.DayOfYear )
{
    $dateFormat = 'G' ## put date in too since covers more than one day
}

[array]$fields = @( 'Count',@{n='First';e={Get-Date $_.First -Format $dateFormat}},@{n='Last';e={Get-Date $_.Last -Format $dateFormat}},@{n='Log Name';e={($_.LogName -split '/')[0] -replace '^Microsoft-Windows-',''}} )
if( $eventLevels.Count -gt 1 )
{
    $fields += 'Level' ## only put the level in if there is more than one, e.g. error and warning
}
$fields += @( 'Id','User','Message','Task' )

if( $events -and $events.Count )
{
    ## Only show those with at least one repetition
    [array]$repeated = @( $events.GetEnumerator() | Select -ExpandProperty Value | Where-Object { $_.Count -gt 1 }  )
    "Found $($repeated.Count) $($args[1]) repeated events out of $($events.Count) events found in event logs between $(Get-Date $start -Format G) and $(Get-Date $end -Format G)"
    if( $repeated -and $repeated.Count )
    {
        $repeated |Sort Count -Descending | Select $fields | Format-Table -Wrap
    }
}
else
{
    "Found no $($args[1]) events in event logs between $(Get-Date $start -Format G) and $(Get-Date $end -Format G)"
}