Who loves to look at log files and sift through the boring details? Nobody does. But, that’s okay. How many of us have ever had a difficult time tracking down an error? I would imagine that most people have.
As great of a tool as it is, however, I always tend to gravitate towards something a little more PowerShell-y. Fortunately for us, there are PowerShell cmdlets that can help us get the information from the Event Log into our PowerShell consoles.
Exploring the Event Log with PowerShell
We can list all the information that’s in the event log in a PowerShell console. This makes it a lot easier to sift through and search for specific logs, events, sources, etc. We can easily narrow it down by several criteria and even export the results!
This is the magic cmdlet for helping us get the information from the event log. It allows us to grab information from an event log on both local and remote computers.
How do you find out what logs are available to be viewed, you ask? How can you filter by source? How can you filter by event type? These are great questions that we can tackle with Get-EventLog.Here’s a quick list of some of the common parameters and usages of the Get-EventLog cmdlet.
List – List all the available event logs
LogName String – The name of the log file you wish to view
Before DateTime – Limit searches to before this date
After DateTime – Limit searches to after this date
EntryType String or StringArray – Limits searches to a specific type of log entry
Source String – List events from a specific source
ComputerName String – List events from a remote computer
Message String – List events with specific strings inside the log message
Let’s use these parameters and show all the exciting things we can do with Event Logs.
Show all available event logs to view:
Show all events in a specific event log:
Get-EventLog -LogName Application
Show all events in the Application event log that are older than 7 days:
Get-EventLog -LogName Application -Before (Get-Date).AddDays(-7)
Show all events in the Application event log that are newer than 1 day:
Get-EventLog -LogName Application -After (Get-Date).AddDays(-1)
Show all errors in the Application event log:
Get-EventLog -LogName Application -EntryType Error
Show all events in the Application event log that are from a specific source:
Get-EventLog -LogName Application -Source “PDQ Deploy”
Show all events in the Application event log that are from a remote computer:
Get-EventLog -LogName Application -ComputerName SomeComputer
Show all events in the Applications event log that contain specific words in the message:
Get-EventLog -LogName Application -Message “*Could not find*”
There are a lot of options here to help you narrow down your search.
Putting it all together
Now that we know how to access this wonderful log information from PowerShell, we can start to really get fancy. Here are some ideas:
Check the event log for errors an application is having? Fancy.
Sort through errors an application is having and export to file? Fancier.
Check the event log on an interval and check for specific (or any) errors and email the results? Extra fancy.
You get the idea. This gives us an extra tool in our belt to help make us better administrators.
At some point in the future, maybe we’ll even go into creating your own event logs and then we will be able to combine the yummy goodness of reading logs with creating our own!
Bonus note about Get-WinEvent:
I know some of you are probably familiar with Get-WinEvent and may want to point out that Get-WinEvent is the successor to Get-EventLog.
You’re absolutely right!
That being said, however, I went with Get-EventLog for this blog for several reasons including compatibility with older OSes that some of us may not have been able to migrate off of quite yet.
Perhaps we’ll touch base on Get-WinEvent in a future post.
Until then, happy PowerShelling!
Kris was an employee at PDQ.