Guide to Windows event logs

Andrew Pla | May 30, 2024

Windows event logs document key events in a Windows operating system, providing important information sysadmins can use to monitor security and performance and diagnose issues. In this guide, we’ll explain what Windows event logs are, some cool ways you can use PowerShell to run relevant queries, and best practices to keep things efficient and running smoothly.

What is a Windows event log?

A Windows event log is a record of critical events or actions that take place within a Windows operating system. These events can be system-, security-, or app-related. A Windows event log file contains detailed information about what happened, listed in the order in which the events occurred. Even if fever dreams of system failures still plague you at night, at least you know they’ll be recorded.

Here’s what a Windows event log consists of: 

  • Date and time an event occurred 

  • Task category (that you can customize) identifying the type of event log 

  • Event ID, or a unique Windows identification number allocated to an event based on its source and type 

  • Source AKA the cause of the event 

  • Severity level of the event 

  • User who was logged in when the event occurred 

  • Computer that logged the event

Windows event severity levels 

Windows events are classified according to five severity levels based on their impact. Knowing the severity level of a Windows event allows IT admins to assess issues quickly and decide on the appropriate actions (and when to freak out — or not).

  • Informational: “FYI.” E.g., application startup messages.  

  • Verbose: “Here’s a status update.” E.g., debugging output from apps. 

  • Warning: “Something’s not ideal but it’s not a problem … yet.” E.g., low disk space. 

  • Error: “There’s a problem but it can wait.” E.g., application crashes. 

  • Critical: “Mayday, mayday! Action required, stat.” E.g., hard drive failures. 

IMHO, verbose details can create a lot of extraneous noise in day-to-day monitoring, which only matter in troubleshooting scenarios. That’s why I recommend focusing on warning, error, and critical events.

Types of Windows event logs

The types of Windows event logs cover critical areas of an operating system, including security, system, application, and setup. We break it down below.

  • Security logs record events that concern system security, such as alterations to user accounts and unsuccessful login attempts — which could signal external or insider security threats.  

  • System logs record events linked to the operating system and its components, such as system errors and malfunctioning hardware.  

  • Application logs record events connected to apps and services on the Windows device — from software installs and uninstalls to application crashes.  

  • Setup logs record events related to the setup and configuration of the operating system. On domain controllers, setup logs also store Active Directory-related event information. 

  • Forwarded events contain event information from other computers on the same network, allowing admins to centrally monitor events across multiple devices across their fleet.

Windows Event Forwarding 

Windows Event Forwarding is a feature in Windows that allows you to forward events to a central Windows Event Collector server, enabling centralized log collection.

Event log categories help admins stay organized by sorting an endless stream of information so they know what to look for and where. It’s basically the KonMari Method for Windows events — sparking joy one log at a time.

Types of Windows events 

There are five types of Windows events that get logged whenever they occur within the operating system. 

  1. Information: Events that are FYI. 

  2. Warning: Events that are not a problem but could soon be. 

  3. Error: Events where there’s a notable problem.  

  4. Success Audit: A successful audited security access event. (E.g., Accounting Bob remembers his password and logs on successfully. Hoorah!) 

  5. Failure Audit: A failed audited security access event. (E.g., When Bob forgets his password [again] but repeatedly tries logging into the server 12 times.) 

Why are Windows event logs important?

Windows event logs are important because they help you keep track of what’s really going on with an operating system — especially since not everything is visible via the GUI. When something goes wrong and you need to dig deeper, Windows event logs are where you’d look for answers.

“After having several tickets come in about audio disappearing, I went straight to the event as that's my go-to when things act up, no matter what they are. 

“We found it was only affecting Lenovo laptops, so I looked at the event logs of another online device that might soon have the same issue. Looking through the log, I knew I was looking for an error about Kernel-PnP, as it’s a plug-and-play type of device.  

“After finding that log, I PCI-lookup-ed the vendor, and it happened to be the board vendor, so I knew the driver was doing something. We are currently on a big dive into the driver, seeing which ones and how they got replaced; event logs might reveal how the driver got there.” — Micah Shonyo, help desk technician, NERIC, SaintSatan69

How to view Windows event logs

You can view Windows event logs using Windows Event Viewer, which can be accessed via the Start menu, the command line, or the Control Panel. Other ways to view Windows event logs include third-party utilities and our little friend, PowerShell.

How to use PowerShell to view Windows event logs 

When it comes to using PowerShell commands to view Windows event logs, Get-EventLog or Get-WinEvent both work.

Get-EventLog is older and works with the classic Windows logs but not with the newer Applications and Services logs.  

Get-WinEvent is faster, has better filtering, and retrieves better data. Get-WinEvent is the bee’s knees and it’s what you should be using — but make sure that you’re running PowerShell as an administrator.

You can use Get-WinEvent to check on failed logon requests to a computer.

Get-WinEvent -FilterHashtable @{ LogName='Security'; ID=4625 } -ErrorAction SilentlyContinue | Select-Object -Property TimeCreated, Id, Message

The following code returns a list of users who have logged onto a machine. I’ve taken some liberty here and parsed the results so that there is a username property that includes only the user names. You can use this to see who’s been on a server and do a deeper dive if you see a username that shouldn’t be there.

# Successful logons are Event ID 4624 in the Security log (requires an elevated session)
$Events = Get-WinEvent -FilterHashtable @{ LogName='Security'; ID=4624 }

$logonEvents = @()
foreach ($Event in $Events) {
    # The interesting fields live in the event's XML payload, not in the Message text
    $xmlEvent  = [xml]$Event.ToXml()
    $Username  = $xmlEvent.Event.EventData.Data | Where-Object { $_.Name -eq "TargetUserName" } | Select-Object -ExpandProperty '#text'
    $LogonType = $xmlEvent.Event.EventData.Data | Where-Object { $_.Name -eq "LogonType" } | Select-Object -ExpandProperty '#text'
    $Timestamp = $Event.TimeCreated

    # Exclude system accounts
    if ($Username -notmatch '^(SYSTEM|LOCAL SERVICE|NETWORK SERVICE|ANONYMOUS LOGON)$') {
        $logonEvent = New-Object -TypeName PSObject -Property @{
            Username  = $Username
            LogonType = $LogonType
            TimeStamp = $Timestamp
        }
        $logonEvents += $logonEvent
    }
}

$logonEvents
$logonEvents | Select-Object Username -Unique

With Get-WinEvent, you can use .etl, .evt, and .evtx log files. And remember to check if the audit log has been cleared as this may be a sign of cyberattackers covering their tracks.
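Building on the two queries above, here is an added example (not code from the original post) that parses failed logons (Event ID 4625) the same way, from either the live Security log or an exported .evtx file, and summarises them per account and source address so that a burst of failures against one account stands out. The function name, the Threshold parameter and the 24-hour default window are assumptions.

```powershell
# Added example: summarise Security 4625 (failed logon) events per account/source.
# Assumes an elevated session when reading the live log.
function Get-FailedLogonSummary {
    [CmdletBinding()]
    param(
        [string]$Path,                                   # optional exported .evtx; omit for the live Security log
        [int]$Threshold = 10,                            # failures per account/source pair worth calling out (assumed value)
        [datetime]$StartTime = (Get-Date).AddHours(-24)  # look-back window (assumed default)
    )

    # -FilterHashtable accepts either LogName (live log) or Path (saved .evtx/.evt/.etl)
    $filter = @{ ID = 4625; StartTime = $StartTime }
    if ($Path) { $filter['Path'] = $Path } else { $filter['LogName'] = 'Security' }

    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $rows = foreach ($event in $events) {
        # Pull every EventData field into a lookup table instead of one Where-Object per field
        $xml  = [xml]$event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            TimeCreated   = $event.TimeCreated
            TargetUser    = $data['TargetUserName']
            TargetDomain  = $data['TargetDomainName']
            LogonType     = [int]$data['LogonType']   # 3 = network, 10 = RDP, 2 = interactive
            Status        = $data['Status']           # 0xC000006D = bad user name or password
            SubStatus     = $data['SubStatus']        # 0xC000006A = bad password, 0xC0000064 = no such user
            SourceAddress = $data['IpAddress']
            Workstation   = $data['WorkstationName']
        }
    }

    # Group by account + source so repeated failures from one place against one account are obvious
    $rows | Group-Object TargetUser, SourceAddress | ForEach-Object {
        $sorted = $_.Group | Sort-Object TimeCreated
        [pscustomobject]@{
            TargetUser     = $sorted[0].TargetUser
            SourceAddress  = $sorted[0].SourceAddress
            Failures       = $_.Count
            FirstSeen      = $sorted[0].TimeCreated
            LastSeen       = $sorted[-1].TimeCreated
            AboveThreshold = ($_.Count -ge $Threshold)
        }
    } | Sort-Object Failures -Descending
}

# Live log; pass -Path 'C:\exports\Security.evtx' instead to analyse a saved export
Get-FailedLogonSummary -Threshold 10 | Format-Table -AutoSize
```

Rows with AboveThreshold set to True are the ones to follow up on first; the SubStatus column tells you whether the account exists (bad password) or the attempts are guessing user names.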

Get-WinEvent -FilterHashtable @{ LogName='Security'; ID=1102 } -ErrorAction SilentlyContinue | Format-List -Property TimeCreated, Id, Message

If you’re experiencing unexpected system shutdowns, you can use the following command to view the relevant event logs and find out what’s really going on.

Get-WinEvent -FilterHashtable @{ LogName='System'; ID=1074 } -ErrorAction SilentlyContinue | Format-List -Property TimeCreated, Id, Message

Why use PowerShell to view Windows event logs? 

Now I know you’re wondering: Why use PowerShell when you can just use the GUI? While using Windows Event Viewer works just fine, PowerShell really shines when you can quickly pull up what you’re looking for without having to waste time clicking around. (Because real power users don’t click, they script.) Plus, you can easily check multiple machines at a time by using the -ComputerName parameter.

Best practices for event log monitoring and management 

When monitoring and managing event logs, keep these best practices in mind to help you stay organized and get better results. 

Log relevant events 

Configure event logs that make sense in your environment (logon/logoff, changes to users or groups, application errors, etc.). 

Centralize event logging 

Centrally track critical Windows events by using a feature like Windows Event Forwarding, a centralized log server, or a Security Information and Event Management (SIEM) tool. It’s always better to practice proactive cybersecurity and stay ahead of potential threats.  

Audit your logging setup regularly 

Audit your logging setup regularly to ensure that you’re keeping track of the right kind of events and that your event logs aren’t causing any storage or transfer issues.  

Here’s another tip: If you’re already using PowerShell to manage your environment, you can write to the event log in your scripts to better track what’s going on. First, you need to create the event log that you want your script to write to. And you only need to do this once per machine. Here’s what it looks like.

# Run once per machine (elevated): registers the log and every source that will write to it.
# Write-EventLog fails for a source that has not been registered against a log.
$params = @{
    LogName = 'PowerShell Module X'
    Source  = 'MyFunction1','MyFunction2','MyFunction3'
}
New-EventLog @params

Then, add the following bit in your scripts to write to the event log. If your script makes changes, be sure to note those changes in the Message field.

# The source must already have been registered for this log with New-EventLog.
# EventId must be in the range 0-65535.
$params = @{
    LogName   = 'MyCompany PowerShell Scripts'
    Source    = 'MyAutomation'
    EntryType = 'Information'
    EventId   = 1000
    Message   = "MyCustomScript ran successfully, no changes"
}
Write-EventLog @params

Now, you can query the output of the scripts in your environment by running the following Get-WinEvent command:

Get-WinEvent -FilterHashtable @{ LogName = 'MyCompany PowerShell Scripts'}
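The three steps above (register the source, write an entry, query it back) can be wrapped in one helper so a script never hits the "source not registered" failure and always records what it changed. This is an added example, not code from the original post; the function name Write-ScriptEvent and the Do-Something placeholder are assumptions.

```powershell
# Added example: write to a custom event log, registering the source on first use.
function Write-ScriptEvent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Message,
        [ValidateSet('Information','Warning','Error')][string]$EntryType = 'Information',
        [ValidateRange(0, 65535)][int]$EventId = 1000,        # Write-EventLog only accepts 0-65535
        [string]$LogName = 'MyCompany PowerShell Scripts',
        [string]$Source  = 'MyAutomation'
    )

    # A source is registered once per machine; Write-EventLog throws if it is missing.
    # SourceExists needs an elevated session the first time a source is looked up.
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName $LogName -Source $Source
    }

    Write-EventLog -LogName $LogName -Source $Source -EntryType $EntryType -EventId $EventId -Message $Message
}

# Typical use inside an automation script: record what changed, and record failures as Error entries
try {
    Do-Something                                   # placeholder for the script's real work
    Write-ScriptEvent -Message "MyCustomScript: disabled 3 stale accounts (see ticket placeholder)"
}
catch {
    Write-ScriptEvent -EntryType Error -EventId 1001 -Message "MyCustomScript failed: $($_.Exception.Message)"
    throw
}

# Read back only this script's Error entries from the last day
Get-WinEvent -FilterHashtable @{
    LogName      = 'MyCompany PowerShell Scripts'
    ProviderName = 'MyAutomation'
    Level        = 2                               # 2 = Error, 3 = Warning, 4 = Information
    StartTime    = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue | Format-List TimeCreated, Id, Message
```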

When it comes to endpoint security, there’s no such thing as too much information — useful information, that is. Whether devices are on-prem or remote, PDQ’s suite of tools allows you to keep a watchful eye out for any shady shenanigans that could compromise your fleet. Request a demo or download free trials to see what works best for your business.

Andrew Pla

Andrew loves automation, PowerShell, and building tools that last. He has spent nearly a decade in IT with a focus on automation, infrastructure, and toolmaking. He has a passion for sharing knowledge and prefers humans to computers, and is a host of the PowerShell Podcast and a Microsoft MVP.
