I have been looking all over the place to just figure out what this "Level" means running Get-WinEvent.
For example,
Get-WinEvent –FilterHashtable @{logname=’application’; level=2; starttime=$time; id=20}
What does level=2 represent here?
The reason that I am asking is I am trying to validate the severity of each log and does that level=2 represent anything related to severity.
On
Let's try and find out:
#Get sample object
$t = Get-WinEvent -MaxEvents 1 -FilterHashtable @{ Logname='application'; level=2 }
#Explore properties and type
$t.GetType().Fullname
System.Diagnostics.Eventing.Reader.EventLogRecord
A quick msdn-search for EventLogRecord points us to the EventLogRecord.Level Property
Gets the level of the event. The level signifies the severity of the event. For the name of the level, get the value of the LevelDisplayName property
#Check out Level vs LevelDisplayName
$t | Format-Table -Property Level, LevelDisplayName -AutoSize
Level LevelDisplayName
----- ----------------
2 Error
A quick search in my log to list some level-values:
Get-WinEvent @{ logname='application' } | Select-Object Level, LevelDisplayName -Unique | Sort-Object Level
Level LevelDisplayName
----- ----------------
0 Information
2 Error
3 Warning
4 Information
It also says on the Level-property page that it uses the StandardEventLevel enum, so lets list it's values:
[enum]::GetValues([System.Diagnostics.Eventing.Reader.StandardEventLevel]) | Select-Object {$_}, {$_.value__ }
$_ $_.value__
-- -----------
LogAlways 0
Critical 1
Error 2
Warning 3
Informational 4
Verbose 5
See this link for more info. MSDN
Effectively you're looking for a winmeta.xml file, but it'll have these for the base values :