Get-WinEvent is the successor to Get-EventLog. Remember that to test this
cmdlet you need both PowerShell v2.0 and Windows Vista or a later operating
system, because Get-WinEvent reads the logs through the Windows Event Log
service that arrived with Vista.
Take the opportunity to learn more about PowerShell while you undertake
the worthwhile task of examining the various event logs, for example,
System, Security or DNS Server.
In the case of Windows 7 and Server 2008 R2, PowerShell 2.0 is part of the
operating system, so you don't need to download any extra files; on Server 2008 R2
the ISE is an optional feature that you enable with 'Add Features'.
However, for older operating systems, installing can be confusing because
there are separate downloads for XP, Windows Server 2003, Vista and Server 2008.
For such legacy systems only, you need to download the Windows Management
Framework (which contains PowerShell 2.0) from Microsoft's site.
Once you have installed PowerShell 2.0, I recommend using the
ISE (Integrated Scripting Environment) version; it
will save you buying a text editor.
Our first task is to enumerate the logs that exist on your machine;
therefore, append the -ListLog parameter thus:

# PowerShell Get-WinEvent script to list the event logs.
Get-WinEvent -ListLog *
Learning Points
Note 1: -ListLog * is correct. Plain -List (as in Get-EventLog -List) does not
work; -ListLog expects a log name or a wildcard pattern, so you really do need that *.
Note 2: The results are staggering; I was expecting
about 8 logs yet the command returned 149. To check on your machine try: (Get-WinEvent -ListLog *).Count
Note 3: You may have guessed that the hash # symbol is PowerShell's way of introducing a
comment.
Action Point: Launch the Event Viewer, visit the
actual logs and compare the names of the logs with those returned by
PowerShell's Get-WinEvent. Incidentally, checking the operating system's
GUIs while scripting PowerShell really helps you understand what is going on.
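As an added example (not one of the page's own scripts), the following inventory goes a step beyond counting the logs: it keeps only the logs that actually contain records and lists them busiest first, with size, last write time and whether they are classic logs. -ErrorAction SilentlyContinue is there because, in a non-elevated session, -ListLog can report access-denied errors for a few of the logs while still returning the rest.

```powershell
# Added example: inventory the event logs that actually hold records.
# In a non-elevated session some logs (Security, for instance) may produce
# access-denied errors from -ListLog; SilentlyContinue lets the rest list.
Clear-Host
$Logs = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue

"Logs found: " + $Logs.Count
"Logs with at least one record: " + @($Logs | Where-Object { $_.RecordCount -gt 0 }).Count

# Busiest logs first. FileSize is in bytes and can be null for an empty log,
# which the [int] cast turns into 0.
$Logs | Where-Object { $_.RecordCount -gt 0 } | `
    Sort-Object RecordCount -Descending | `
    Select-Object LogName, RecordCount, IsClassicLog, LastWriteTime, @{Name='SizeKB'; Expression={[int]($_.FileSize / 1KB)}} | `
    Format-Table -AutoSize
```

Run it once elevated and once as a standard user and compare the two counts; the difference is the set of logs you cannot read without administrator rights.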
Example 1a: Luddite Script to List Just the Classic Old Logs

# PowerShell Get-WinEvent script to list classic event logs.
Clear-Host
Get-WinEvent -ListLog * | Where-Object {$_.IsClassicLog -eq $true}
Note 4: This shows the logs that you would see with Get-EventLog -List.
Compare IsClassicLog with the boolean $true rather than the string 'True': when the
left-hand side of -eq is a boolean, PowerShell converts the right-hand side to a
boolean as well, and any non-empty string (even 'False') becomes $true, so a string
comparison would match every log.
Key point: Get-WinEvent is followed by the name of the log, in this case
'Application'.
# PowerShell Get-WinEvent script to show the last 50 Application log entries.
Clear-Host
Get-WinEvent Application -MaxEvents 50
Note 5: I have not explicitly added -LogName because
this parameter is positional: it is optional as long as Application (or the name of the log)
follows directly after the cmdlet.
I realize that most people will just copy and paste my script, but for those who want to look behind the script, or those who get stuck, I provide 'Learning Points'. My
greatest joy is if you experiment with my code, for example, change
50 to 10000; or more adventurously, change
Get-WinEvent Application to Get-WinEvent System.
Note 6: Observe the DisplayName property.
Match the values with what you see in the Event Viewer GUI.
Note 7: In Get-WinEvent, -MaxEvents replaces
the -Newest parameter found in the alternative Get-EventLog cmdlet. -MaxEvents controls the number of events that the script reads,
which is a handy parameter when testing scripts.
Note 8: PowerShell supports a whole family of comparison operators, for example -like, -contains, -match or
-eq (equals), but for this job I chose plain -eq.
Note 9: Each
word, and indeed every symbol, has deep meaning to PowerShell. The pipe (|)
sends the output of the first clause into the Where-Object statement. As a result the output is filtered so that you see only error messages, and not information or warning messages.
Challenge: I used the backtick ` to run one command over two
lines. You could try removing the backtick and making fewer, but
longer, lines. Other experiments that you could try with the backtick
include putting a ` at a different point in the script. A word of
warning with the backtick: don't allow a space after this symbol and before the
carriage return, otherwise the backtick escapes the space rather than the line break
and the command fails.
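The filter that Notes 7 to 9 describe, written out as an added example (not the page's own script): it reads the last 500 System events and keeps only the errors, using -contains from the family of operators in Note 8 and the backtick line continuation from the Challenge. It goes slightly beyond "errors only" by also keeping Critical events; drop the 1 from $WantedLevels for a strict error filter.

```powershell
# Added example: show only the Error and Critical events among the last 500
# System log entries. Windows event levels: 1 = Critical, 2 = Error,
# 3 = Warning, 4 = Information, 5 = Verbose (0 = LogAlways).
# The backtick at the end of a line continues the command on the next line;
# nothing, not even a space, may follow it.
Clear-Host
$WantedLevels = 1, 2        # Critical and Error; use 2 alone for errors only
Get-WinEvent -LogName System -MaxEvents 500 | `
    Where-Object { $WantedLevels -contains $_.Level } | `
    Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message | `
    Format-Table -AutoSize -Wrap
```

Level is the numeric property; LevelDisplayName is the human-readable text you see in the Event Viewer, which is why the filter uses one and the output shows the other.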
Scripting the event logs inevitably throws up some unexpected real
results. The easiest way to check for the most serious problems is to
group events by their source (ProviderName), then list the groups in descending order of count.

# PowerShell example which groups events by provider, then sorts in descending order.
Clear-Host
Get-WinEvent -LogName System -MaxEvents 2000 | `
    Group-Object ProviderName | `
    Sort-Object Count -Descending | `
    Format-Table Count, Name -AutoSize
Note 10: I have selected the System log, but you could
easily adapt this script for the Security or Application log. (Reading the
Security log requires an elevated, administrator session.)
Note 11: Once the script works, I would remove
the -MaxEvents 2000 part; I only added that parameter to speed up the script
when you first run it.
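The same grouping idea, as an added example that is not the page's own script, but with the filtering done by the Event Log service through -FilterHashtable rather than by reading 2000 events of every level and discarding most of them in the pipeline. The hashtable keys used here (LogName, Level, StartTime) are documented keys of Get-WinEvent -FilterHashtable; grouping on ProviderName and Id together shows which specific event is repeating, not just which provider is noisy.

```powershell
# Added example: count Critical (1) and Error (2) System events from the last
# 7 days, grouped by provider and event ID, most frequent first.
Clear-Host
$Filter = @{
    LogName   = 'System'
    Level     = 1, 2
    StartTime = (Get-Date).AddDays(-7)
}
# Get-WinEvent raises an error (rather than returning nothing) when no event
# matches, so SilentlyContinue stops a clean machine from looking like a failure.
Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue | `
    Group-Object ProviderName, Id | `
    Sort-Object Count -Descending | `
    Select-Object Count, Name -First 20 | `
    Format-Table -AutoSize
```

Because the filter runs inside the service, this version stays fast even without a -MaxEvents limit; the Name column reads as "Provider, Id", so a line such as "Service Control Manager, 7000" points you straight at the failing service events.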
Whenever you discover a new PowerShell command, it benefits from being
surveyed with what I call the 'Trusty Twosome'. In this instance,
if you research a verb-noun command with Get-Help and Get-Member, then
you are sure to unearth new scripting possibilities. To see what I mean,
try:
Get-Help confirms that in PowerShell v2.0 Get-WinEvent supports the
-ComputerName parameter, thus you can interrogate the event logs on
network machines.
Get-Help also displays useful parameters such as -ListLog, -LogName and -MaxEvents.
Indeed, the first thing to remember about Get-WinEvent is that it needs the name of the log, for example: Get-WinEvent System. Understand that PowerShell binds 'System' to -LogName positionally, thus 'System' is the name of the log and is
an argument, not a parameter.
To tell the difference, PowerShell expects a parameter to be introduced with a -dash, whereas an argument is preceded by only a space.
Other names of logs that you can substitute for 'System' are Application and Security, and even PowerShell itself
has a log (Windows PowerShell). Windows Server is
likely to have yet more
logs, for example, Directory Service and DNS Server.
Note 12: Piping an event into Get-Member reveals a list of properties that you can
then use in the output, for example, ProviderId, Level and TimeCreated.
Note 13: -MaxEvents 1 just speeds up the script because
it reads only one event, and it's the properties rather than the actual
messages that interest us in this experiment.
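Notes 12 and 13 turned into a working script, as an added example that is not from the page: Get-Member on a single event record lists the property names, and those same properties are then used to pull the newest Security events from several computers with -ComputerName. SERVER01 and SERVER02 are placeholder names (replace them, or delete them to run locally only); reading the Security log needs an administrator session, and remote reads need the 'Remote Event Log Management' firewall rule group enabled on each target.

```powershell
# Added example: discover an event record's properties, then use them remotely.
Clear-Host

# Step 1: one event is all Get-Member needs to show the property names.
Get-WinEvent -LogName System -MaxEvents 1 | Get-Member -MemberType Property

# Step 2: query the Security log on several machines. SERVER01/SERVER02 are
# placeholders; $env:COMPUTERNAME keeps the script runnable on its own.
# Requires administrator rights and, for remote targets, the 'Remote Event
# Log Management' firewall rule group.
$Computers = $env:COMPUTERNAME, 'SERVER01', 'SERVER02'
$Results = foreach ($Computer in $Computers) {
    Try {
        Get-WinEvent -ComputerName $Computer -LogName Security -MaxEvents 20 -ErrorAction Stop
    }
    Catch {
        # An unreachable or unauthorised host is reported, not fatal.
        Write-Warning ("{0}: {1}" -f $Computer, $_.Exception.Message)
    }
}

# MachineName, TimeCreated, Id and ProviderName are among the properties that
# Get-Member listed in Step 1; MachineName tells you which host each row is from.
$Results | Select-Object MachineName, TimeCreated, Id, ProviderName, Message | `
    Format-Table -AutoSize -Wrap
```

-ErrorAction Stop turns the cmdlet's non-terminating error into one that Catch can handle, so one dead server does not abort the loop for the others.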
Let
us begin by taking stock of the operating system's event logs. In our hearts, we know that we should be looking at these logs more often. We also know that when we see those red dots in the
logs, we should take action to correct the corresponding error message.
Thus we have a task for PowerShell; in fact, we have a marriage made in heaven. PowerShell will help us review the system, application and other logs, while the event logs
themselves will act as a vehicle for learning more about PowerShell's
benefits, capabilities and syntax.