PowerShell Get-WinEvent Remote Computer
Introduction to Scripting Eventlog on a Remote Computer
Remoting is the biggest improvement in PowerShell v 2.0. Here on this page we will see how it's possible to apply the -ComputerName parameter to eventlog files, and thus view errors on a network computer.
I think of Get-WinEvent as an update of Get-EventLog. The main benefit is that this newer cmdlet allows you to interrogate additional logs.
My learning progression is to get a basic example working on the local machine and then adapt the script to interrogate a remote computer.
# PowerShell Get-WinEvent script to list classic event logs.
Note 1: To see all the Microsoft event logs that are newly available to Get-WinEvent, amend:
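The following script is an added example, not the page's own code, and runs on the local machine. It first lists only the classic logs (the ones Get-EventLog also knows about, identified by the IsClassicLog property), then amends the filter to show the Microsoft-Windows-* channels that only Get-WinEvent can read. The -ErrorAction setting is there because some logs, Security for instance, refuse non-administrators and would otherwise litter the output with errors.

```powershell
# Added example (not from the original page): list the classic event logs,
# then the Microsoft-Windows-* channels that are new to Get-WinEvent.
# Runs locally; no remote access required.

# Step 1: classic logs only. IsClassicLog is a property of the
# EventLogConfiguration objects that -ListLog returns.
Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.IsClassicLog } |
    Select-Object LogName, RecordCount, LastWriteTime |
    Format-Table -AutoSize

# Step 2: amend the log name pattern to see the newer channels, showing the
# fifteen busiest ones. Empty channels are skipped to keep the list readable.
Get-WinEvent -ListLog 'Microsoft-Windows-*' -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordCount -gt 0 } |
    Sort-Object RecordCount -Descending |
    Select-Object -First 15 LogName, RecordCount, IsEnabled |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt if you want the Security log and the other protected channels to appear in the first table.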
Here is a modification of Example 1 which makes the script ready-to-run on a remote computer.
# PowerShell script to list the event logs on a remote computer
Note 2: All you have to do is change "LocalHost" to the name of a computer on your network.
Note 3: PowerShell v 2.0 brings with it remoting capabilities which you access via the -ComputerName parameter.
Note 4: Problems? See troubleshooting remoting.
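As an added example (not the original page's script), here is a remote version of the log listing with the checks a practitioner wants when it fails. 'LocalHost' is the placeholder to replace. Note that Get-WinEvent -ComputerName connects to the target's Event Log service over RPC rather than through WinRM, so the connectivity check below probes TCP 135 (the RPC endpoint mapper); Test-NetConnection exists from Windows 8 / Server 2012 onwards.

```powershell
# Added example (not from the original page): list the event logs on a
# remote computer. 'LocalHost' is a placeholder; set $Computer to a real host.
$Computer = 'LocalHost'

# Get-WinEvent -ComputerName talks to the target's Event Log service over RPC,
# so TCP 135 plus the 'Remote Event Log Management' firewall rules must be open;
# it does not use WinRM / PowerShell remoting.
if (-not (Test-NetConnection -ComputerName $Computer -Port 135 -InformationLevel Quiet)) {
    Write-Warning "RPC endpoint mapper (TCP 135) on $Computer is not reachable."
    return
}

# Some logs (Security, for example) need admin rights. Collect those errors
# instead of stopping, then report them after the list.
$Logs = Get-WinEvent -ListLog * -ComputerName $Computer `
            -ErrorAction SilentlyContinue -ErrorVariable ListErrors

$Logs |
    Where-Object { $_.RecordCount -gt 0 } |
    Sort-Object LastWriteTime -Descending |
    Select-Object LogName, RecordCount, LastWriteTime |
    Format-Table -AutoSize

if ($ListErrors) {
    Write-Warning ("{0} log(s) on {1} could not be read (rights or disabled logs)." -f $ListErrors.Count, $Computer)
}
```

If the port check passes but every log errors out, the problem is usually the account you are running as rather than the network; the -Credential section further down covers that case.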
LEM will alert you to problems such as when a key application on a particular server is unavailable. It can also detect when services have stopped, or if there is a network latency problem. Perhaps this log and event management tool's most interesting ability is to take corrective action, for example by restarting services, or isolating the source of a malware attack.
Yet perhaps the killer reason people use LEM is its compliance capability: with a little help from you, it will ensure that your organization complies with industry standards such as CISP or FERPA. LEM is a really smart application that can make correlations between data in different logs, then use its built-in logic to take corrective action, to restart services, or thwart potential security breaches - give LEM a whirl.
# Get-WinEvent -Credential
Event Viewer cannot connect to computer
The solution to this connection failure was to configure a firewall group policy.
The ticks should turn green and you will see the screenshot below.
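The script below is an added example, not code from the original page. It shows the two halves of the fix just described: on the target, confirming that the 'Remote Event Log Management' firewall rule group is enabled (Get-NetFirewallRule needs Windows 8 / Server 2012 or later); and from the admin workstation, querying with an explicit -Credential so the connection is authenticated as an account that is allowed to read the logs. 'LocalHost' is a placeholder.

```powershell
# Added example (not from the original page): read a remote log with an explicit
# credential, and check the firewall rule group that the Group Policy fix enables.
# 'LocalHost' is a placeholder; set $Computer to the remote host.
$Computer = 'LocalHost'
$Cred     = Get-Credential -Message "Account allowed to read event logs on $Computer"

# Run this part ON THE TARGET: the 'Remote Event Log Management' group must
# show Enabled = True for the active network profile, otherwise Event Viewer
# and Get-WinEvent both fail with 'cannot connect to computer'.
Get-NetFirewallRule -DisplayGroup 'Remote Event Log Management' |
    Select-Object DisplayName, Enabled, Profile, Direction |
    Format-Table -AutoSize

# From the admin workstation: the ten newest System errors (Level 2 = Error),
# authenticated as $Cred instead of the account running the script.
$Filter = @{ LogName = 'System'; Level = 2 }
Get-WinEvent -ComputerName $Computer -Credential $Cred -FilterHashtable $Filter -MaxEvents 10 |
    Select-Object TimeCreated, Id, ProviderName, Message |
    Format-Table -Wrap
```

Prefer a dedicated account that holds the Event Log Readers group membership on the target over a domain administrator; reading logs does not require any more than that.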
Another remoting technique involves Enter-PSSession. My idea is then to run the Get-WinEvent commands as though I was a console user typing in PowerShell.
# Create a Remote Session
Note 6: Once again, the -Credential parameter could make the difference between success and frustration, provided you know the correct user name and password.
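Enter-PSSession is for typing commands interactively; the same console-user idea can be scripted with New-PSSession and Invoke-Command, which is what this added example (not the page's own code) does. Unlike Get-WinEvent -ComputerName, this path goes through WinRM, so the target needs PowerShell remoting enabled (Enable-PSRemoting) and TCP 5985 or 5986 reachable. 'LocalHost' is a placeholder.

```powershell
# Added example (not from the original page): run Get-WinEvent inside a
# PowerShell remoting session. 'LocalHost' is a placeholder.
$Computer = 'LocalHost'
$Cred     = Get-Credential -Message "Account that may read event logs on $Computer"

# Needs WinRM on the target (Enable-PSRemoting) and TCP 5985/5986 open.
$Session = New-PSSession -ComputerName $Computer -Credential $Cred -ErrorAction Stop

try {
    # The script block executes on the remote machine, so Get-WinEvent reads
    # the logs locally there; only the selected columns travel back over WinRM.
    $Events = Invoke-Command -Session $Session -ScriptBlock {
        Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 1, 2 } -MaxEvents 20 |
            Select-Object TimeCreated, Id, ProviderName, Message
    }
    # Invoke-Command tags each object with PSComputerName, handy when you
    # later run the same block against several sessions at once.
    $Events | Format-Table -Wrap
}
finally {
    # Always tear the session down; otherwise it lingers on the target until it times out.
    Remove-PSSession -Session $Session
}
```

The Level values 1 and 2 are Critical and Error. Doing the filtering inside the script block matters: the Event Log service does the selection on the remote side, and you are not serialising thousands of events across the wire only to discard them with Where-Object at home.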
SolarWinds' Network Performance Monitor will help you discover what's happening on your network. This utility will also guide you through troubleshooting; the dashboard will indicate whether the root cause is a broken link, faulty equipment or resource overload.
What I like best is the way NPM suggests solutions to network problems. It also has the ability to monitor the health of individual VMware virtual machines. If you are interested in troubleshooting, and creating network maps, then I recommend that you try NPM now.
More Get-WinEvent Examples
Assuming that remoting is working, here are more ideas.
PowerShell's Get-WinEvent is tricky to operate. What makes it easier is focussing on the parameters, especially -LogName and, for remoting, -ComputerName. Once you get the basics working there is a wealth of techniques and properties you can apply to this most versatile cmdlet.
Scenario: You need to investigate a particular
# PowerShell Remote EventLog example with specific EventID
Note 7: Please change -lt to -eq, and '100' to the EventID you are researching.
Note 8: The above script is ready for remoting, just change the value of $Machine variable.
Note 9: See more on PowerShell remoting
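The following is an added example rather than the page's own script. It does what Notes 7 and 8 describe, matching one EventID exactly on either the local or a remote computer, but pushes the ID comparison into -FilterHashtable so the Event Log service does the selection instead of Where-Object reading the whole log first. $Machine and the EventID 100 are placeholders.

```powershell
# Added example (not from the original page): find events with one specific
# EventID, locally or on a remote computer. $Machine and $ID are placeholders.
$Machine = 'LocalHost'     # change to a remote computer name for remoting
$Log     = 'System'
$ID      = 100             # put the EventID you are researching here

# The hashtable filter is evaluated by the Event Log service, so only matching
# events are returned; Where-Object { $_.Id -eq $ID } would pull every event first.
$Filter = @{ LogName = $Log; Id = $ID }

# Get-WinEvent reports 'No events were found' as a non-terminating error when
# nothing matches, so suppress it and test the result instead.
$Events = Get-WinEvent -ComputerName $Machine -FilterHashtable $Filter -ErrorAction SilentlyContinue

if (-not $Events) {
    "No events with ID $ID in the $Log log on $Machine."
}
else {
    # @() makes .Count safe when exactly one event comes back.
    "{0} event(s) with ID {1} on {2}, newest first:" -f @($Events).Count, $ID, $Machine
    $Events |
        Select-Object TimeCreated, ProviderName, Id, LevelDisplayName, Message |
        Format-Table -Wrap -AutoSize
}
```

To widen the search to a range of IDs, give the Id key an array, for example Id = 100, 101, 102; to reproduce the original -lt behaviour you would have to fall back to Where-Object, since the hashtable only supports exact matches.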
# PowerShell script to list the eventlogs on another computer
Note 10: New-Object creates an instance of the System.Diagnostics.EventLog class, that is, an eventlog instance.
Note 11: I have used variables to control the output, $Log, $Computer and $ID.
Important: Please amend $Computer = "LocalHost" to the name of the remote computer.
More Ideas: Introduce an $array and a loop to interrogate a batch of computers.
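Here is an added example, not the page's own script, that takes up the "More Ideas" suggestion: the System.Diagnostics.EventLog object that New-Object creates, driven by the same $Log, $Computer and $ID variables, wrapped in a loop over an array of computers. The host names and the EventID are placeholders.

```powershell
# Added example (not from the original page): read one log on a batch of
# computers through System.Diagnostics.EventLog. Host names and $ID are placeholders.
$Log       = 'Application'
$ID        = 1000
$Computers = @('LocalHost', 'SERVER01', 'SERVER02')

foreach ($Computer in $Computers) {
    $EventLog = $null
    try {
        # Constructor is EventLog(logName, machineName). Reading a remote log
        # needs the same RPC access and firewall rules as Get-WinEvent -ComputerName.
        $EventLog = New-Object System.Diagnostics.EventLog($Log, $Computer)

        # Entries is the whole log; over the network this is slow for big logs.
        # EventID (the low 16 bits of InstanceId) is the number Event Viewer shows.
        $Hits = $EventLog.Entries | Where-Object { $_.EventID -eq $ID }

        "{0}: {1} entries in {2}, {3} with EventID {4}" -f `
            $Computer, $EventLog.Entries.Count, $Log, @($Hits).Count, $ID

        $Hits |
            Select-Object MachineName, TimeWritten, Source, EntryType, Message |
            Format-Table -Wrap
    }
    catch {
        # Typical causes: unknown host, RPC blocked, or no right to read $Log.
        Write-Warning ("{0}: {1}" -f $Computer, $_.Exception.Message)
    }
    finally {
        if ($EventLog) { $EventLog.Dispose() }
    }
}
```

The .NET class only reaches the classic logs (Application, System, Security and the like); for the newer Microsoft-Windows-* channels you need Get-WinEvent.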
Further Research on PowerShell Get-WinEvent
To get the most out of Get-WinEvent even experts turn to the trusty PowerShell techniques of Get-Help and Get-Member. Once you understand the basics, there is huge enjoyment and satisfaction in getting the right script for the right job.
This Engineer's Toolset v10 provides a comprehensive console of 50 utilities for troubleshooting computer problems. Guy says: it helps me monitor what's occurring on the network, and each tool teaches me more about how the underlying system operates.
There are so many good gadgets; it's like having free rein of a sweetshop. Thankfully the utilities are displayed logically: monitoring, network discovery, diagnostic, and Cisco tools. Try the SolarWinds Engineer's Toolset now!
Help with Get-WinEvent Parameters
# PowerShell Get-WinEvent Parameters
Checking the help file will reveal useful parameters. Always remember to define the log with -LogName. I particularly like -MaxEvents, but for detailed research -Before or -After may be more useful.
Research Get-WinEvent Properties
# PowerShell Get-WinEvent Properties
When you define the output with Format-Table or Out-File, it makes life easier if you can choose just the relevant properties, for example Source, TimeWritten and Message.
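As an added example (not the page's own code) covering both this section and the parameters section above, the script below performs the Get-Help and Get-Member research and then uses what it finds. One point worth seeing in practice: Get-WinEvent has no -Before/-After parameters; a date range goes into -FilterHashtable as StartTime and EndTime. Likewise its event objects expose TimeCreated and ProviderName, which play the roles of TimeWritten and Source on Get-EventLog objects.

```powershell
# Added example (not from the original page): research Get-WinEvent parameters
# and properties, then use them to write a trimmed error report to a file.

# 1. Parameters. Get-Help exposes them as objects, so pick the three that matter.
(Get-Help Get-WinEvent).parameters.parameter |
    Where-Object { $_.name -in 'LogName', 'MaxEvents', 'FilterHashtable' } |
    Select-Object name, required, @{ Name = 'type'; Expression = { $_.type.name } } |
    Format-Table -AutoSize

# 2. Properties. Look at one real event before deciding which columns to keep.
Get-WinEvent -LogName System -MaxEvents 1 |
    Get-Member -MemberType Property |
    Select-Object Name, Definition |
    Format-Table -AutoSize

# 3. Put it together: System errors (Level 2) from the last 24 hours, only
#    the useful columns, saved under %TEMP%. Date limits go into the
#    hashtable, since Get-WinEvent has no -Before/-After of its own.
$Since  = (Get-Date).AddHours(-24)
$Filter = @{ LogName = 'System'; Level = 2; StartTime = $Since }
$Report = Join-Path $env:TEMP 'System-errors.txt'

Get-WinEvent -FilterHashtable $Filter -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, ProviderName, Id, Message |
    Format-Table -Wrap -AutoSize |
    Out-File -FilePath $Report

"Report written to $Report"
```

Select-Object before Format-Table keeps the file small and readable; if you intend to process the events further rather than read them, drop the Format-Table and use Export-Csv instead, since formatted output cannot be parsed back into objects.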
Researching Similar PowerShell Cmdlets
# PowerShell Get-WinEvent Cmdlet Research
The main result is to realize that there is a sister command, Write-EventLog; you could also use Clear-EventLog.
Remoting is the biggest improvement in PowerShell v 2.0. On this page we have seen the importance of the -ComputerName parameter for interrogating eventlog files. As a bonus we have experimented with listing EventIDs on both local and remote computers.
See more PowerShell examples to read, write and list Windows event logs
Please email me if you have a better example script. Also please report any factual mistakes, grammatical errors or broken links, I will be happy to correct the fault.