Get-ForensicEventLog
SYNOPSIS
Gets the events in an event log or in all event logs.
SYNTAX
ByVolume
Get-ForensicEventLog [[-VolumeName] <String>]
ByPath
Get-ForensicEventLog -Path <String>
DESCRIPTION
The Get-ForensicEventLog cmdlet parses the specified event Log file and returns an array of EventRecord objects. If you don't specify an event log, Get-ForensicEventLog parses all event logs in the C:\Windows\system32\winevt\Logs directory.
Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.
EXAMPLES
Example 1
[ADMIN]: PS C:\> Get-ForensicEventLog
This command runs Get-ForensicEventLog to parse all event logs in the C:\windows\system32\winevt\logs\ directory.
Example 2
[ADMIN]: PS C:\> Get-EventLog -Path C:\evidence\Application.evtx
This command uses Get-EventLog to parse an exported Application event log
PARAMETERS
-Path
Specifies the path of the file to be parsed.
Type: String
Parameter Sets: ByPath
Aliases: FullName
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-VolumeName
Specifies the name of the volume or logical partition (Ex. \.\C:, \.\HARDDISKVOLUME1, or C).
Type: String
Parameter Sets: ByVolume
Aliases:
Required: False
Position: 0
Default value: None
Accept pipeline input: False
Accept wildcard characters: False