Who loves to look at log files and sift through the boring details? Nobody does. But, that’s okay. How many of us have ever had a difficult time tracking down an error? I would imagine that most people have.
One common tool that that gets used is the Event Viewer in Windows. It’s a fabulous tool that you can use to look at the different event logs, filter by a number of properties, and much more.
As great of a tool as it is, however, I always tend to gravitate towards something a little more PowerShell-y. Fortunately for us, there are PowerShell cmdlets that can help us get the information from the Event Log into our PowerShell consoles.
Exploring the Event Log with PowerShell
We can list all the information that’s in the event log in a PowerShell console. This makes it a lot easier to sift through and search for specific logs, events, sources, etc. We can easily narrow it down by several criteria and even export the results!
This is the magic cmdlet for helping us get the information from the event log. It allows us to grab information from an event log on both local and remote computers.
How do you find out what logs are available to be viewed, you ask? How can you filter by source? How can you filter by event type? These are great questions that we can tackle with Get-EventLog.
Here’s a quick list of some of the common parameters and usages of the Get-EventLog cmdlet (see here for more information about this cmdlet):
- List – List all the available event logs
- LogName String – The name of the log file you wish to view
- Before DateTime – Limit searches to before this date
- After DateTime– Limit searches to after this date
- EntryType String or StringArray – Limits searches to a specific type of log entry
- Source String – List events from a specific source
- ComputerName String – List events from a remote computer
- Message String – List events with specific strings inside the log message
Let’s use these parameters and show all the exciting things we can do with Event Logs.
Show all available event logs to view:
Show all events in a specific event log:
Get-EventLog -LogName Application
Show all events in the Application event log that are older than 7 days:
Get-EventLog -LogName Application -Before (Get-Date).AddDays(-7)
Show all events in the Application event log that are newer than 1 day:
Get-EventLog -LogName Application -After (Get-Date).AddDays(-1)
Show all errors in the Application event log:
Get-EventLog -LogName Application -EntryType Error
Show all events in the Application event log that are from a specific source:
Get-EventLog -LogName Application -Source “PDQ Deploy”
Show all events in the Application event log that are from a remote computer:
Get-EventLog -LogName Application -ComputerName SomeComputer
Show all events in the Applications event log that contain specific words in the message:
Get-EventLog -LogName Application -Message “*Could not find*”
There are a lot of options here to help you narrow down your search.
Putting it all together
Now that we know how to access this wonderful log information from PowerShell, we can start to really get fancy. Here are some ideas:
Check the event log for errors an application is having?
Sort through errors an application is having and export to file?
Check the event log on an interval and check for specific (or any) errors and email the results?
You get the idea. This gives us an extra tool in our belt to help make us better administrators.
At some point in the future, maybe we’ll even go into creating your own event logs and then we will be able to combine the yummy goodness of reading logs with creating our own!
Bonus note about Get-WinEvent:
I know some of you are probably familiar with Get-WinEvent and may want to point out that Get-WinEvent is the successor to Get-EventLog.
You’re absolutely right!
That being said, however, I went with Get-EventLog for this blog for several reasons including compatibility with older OSes that some of us may not have been able to migrate off of quite yet.
Perhaps we’ll touch base on Get-WinEvent in a future post.
Until then, happy PowerShelling!