PowerShell’s Eventlog
Perhaps you have always secretly wanted to write computer scripts? Maybe you hanker after the ability to compose code? Even if you are not a ‘techie’, even if you have never done any scripting, I beg you to give this week’s ezine a chance, and run my eventlog example script.
Topics for Eventlogs
- This Week’s Secret
- This Week’s Mission
- Guy’s $10 Bet
- Example 1: Display error messages from your System log
- Trusty Twosome (Get-Help and Get-Member)
- Example 2: List ‘Errors’ in the System log (With code to control formatting)
- Windows 7 and PowerShell Scripts
♣
This Week’s Secret
To date, my coverage of PowerShell in these ezines has been disjointed, each PowerShell script has been an isolated ‘one-off’. In the coming weeks I am going to improve on that format by producing a coordinated series of 10 ezines. Each edition will tackle a real life task and the 10 ezines taken as a whole, will build into a mini-course in basic PowerShell.
This Week’s Mission
My mission is to get people started using PowerShell. It is my belief that the best way to begin is to employ PowerShell to tackle everyday tasks such as reviewing the eventlogs. Let us take stock of the operating system’s event logs; in our hearts we know that we should be looking at these logs more often. We also know that really, we should take action to eradicate those red error messages from our logs.
So here we have a marriage made in heaven. PowerShell will help you review the system, application and other event logs, while the eventlogs will act as a vehicle for learning about PowerShell’s benefits, capabilities and syntax.
Guy’s $10 Bet for Ezine Subscribers Only
Assuming that you run my eventlog PowerShell script, and study the results, my $10 bet is that at least one error message will either surprise you, or intrigue enough to research the root cause of the error.
I hope you can see the spirit of my challenge – Guy puts his money where his mouth is. Moreover, my word is my bond; if you were an ezine subscriber before June 2007, and you truly believe that I owe you $10, I will pay your winnings via paypal. (You can pay my winnings the same way!)
Example 1: Display error messages from your System log
Instructions:
Pre-requisite: Visit Microsoft’s site and download the correct version of PowerShell for your operating system.
- Launch PowerShell
- Copy the three lines of code below (into memory)
- Right-click on the PowerShell symbol
- Edit –> Paste
- Press enter to execute the code.
clear-Host
# PowerShell script to find Error messages in the System eventlog.
get-EventLog system -newest 2000 | where {$_.entryType -match "Error"}
Learning Points
I realize that most people will just copy and paste my script, but for those want to look behind the script, or those who get stuck, I provide ‘Learning Points’. My greatest joy is if you would experiment with my code, for example, change 2000 to 10000; or more adventurously, change System to Application.
Note 0: clear-Host just clears the screen. Nobody else uses clear-Host in PowerShell, one day I may look back and think clear-Host is stupid, but for now its Guy’s signature. You may have guessed that the hash # symbol is PowerShell’s way of introducing a comment.
Note 1: You could simplify the script further and just type:
get-EventLog system
Note 2: Each syllable, and every symbol, has deep meaning in PowerShell. (|) pipes the output of the first clause into the ‘Where’ statement. The result is filtered output so that you see only error messages, and not information or warning messages.
Note 3: PowerShell supports a whole family of conditional statements, such as -like, -contains, or even plain -eq (Equals), but for this job, I chose -match
Guy Recommends: The Free IP Address Tracker (IPAT) 
Calculating IP Address ranges is a black art, which many network managers solve by creating custom Excel spreadsheets. IPAT cracks this problem of allocating IP addresses in networks in two ways:
For Mr Organized there is a nifty subnet calculator, you enter the network address and the subnet mask, then IPAT works out the usable addresses and their ranges.
For Mr Lazy IPAT discovers and then displays the IP addresses of existing computers. Download the Free IP Address Tracker
Trusty Twosome (Get-Help and Get-Member)
When you discover a new PowerShell command, it benefits from being surveyed with what I call the ‘Trusty Twosome’. In this instance if you research with Get-Help and Get-Member then you are sure to unearth new scripting possibilities for Get-eventlog. To see what I mean, try these two commands:
1) get-help Get-eventlog
(help eventlog -full) If you want to see examples of the command.
Get-help shows useful parameters such as: -list, -logname, and -newest. Indeed the first thing to remember about Get-Eventlog is that in needs the name of the log, for example: Get-Eventlog system. Remember that ‘system’ is the name of the log and is not a parameter, thus there is no punctuation between eventlog and system.
Other names of logs that you can substitute for ‘system’ are: Application, Security and even PowerShell itself. Windows Server 2003 is likely to have yet more logs, for example, Directory Service and DNS Server.
See the latest on Update-Help »
2) get-eventlog system |get-member -memberType property
(get-eventlog system | gm -membertype property) If you are fond of filters.
This command reveals a list of properties that you can select in the output, for example, category and source.
Guy Recommends: Tools4ever’s UMRA
Tired of writing scripts? The User Management Resource Administrator solution by Tools4ever offers an alternative to time-consuming manual processes.
It features 100% auto provisioning, Helpdesk Delegation, Connectors to more than 130 systems/applications, Workflow Management, Self Service and many other benefits. Click on the link for more information onUMRA.
Example 2: List ‘Errors’ in the System log (With additions to control the format)
This example produces very similar results to example 1 above. The whole point of the extra code is to give more control over the output. There are numerous ways that you could achieve the same output, many of them are technically superior to mine. However, I felt strongly that this script should demonstrate useful PowerShell features such as $Variables, pipeline, format-table and the tiny ` backtick.
clear-Host
$SysEvent = get-EventLog -logname system -newest 2000
$SysError = $SysEvent |where {$_.entryType -match "Error"}
$SysError | sort eventid | `
Format-Table EventID, Source, TimeWritten, Message -auto
Learning Points
Note 1: Guy loves variables. In PowerShell you just declare variables with a $dollar sign, there is nothing else you need to do.
Note 2: The first example employed one pipeline (|), but this script has three (|)s. This technique of using the output of the first clause as the input of the second clause, is a characteristic benefit of PowerShell.
Challenge 1: I chose to sequence the data with: sort eventid, however, I challenge you to sort on TimeWritten.
Challenge 2: In my opinion it’s not necessary to include entryType in the Format-Table statement, but I challenge you to add it, and see if I am right, or if I am wrong to omit this property.
Challenge 3: I used the backtick ` to run one command over two lines. You could try removing the backtick and making fewer, but longer lines. Other experiments that you could try include putting a backtick at a different point in the script. Even better, try for one long but efficient command, perhaps use only one variable.
Summary
I believe that PowerShell has a future. My mission is to persuade people to give PowerShell a chance. What suits my learning style is concrete examples, where we learn by doing. This is week one of a ten week mini-course in PowerShell, in each edition I will add learning points so that you can modify my code and solve problems in your real life situation.
If you like this page then please share it with your friends
See more PowerShell examples to read, write and list Windows event logs
• PowerShell Home • Get-Eventlog • EventVwr -list • Clear-WinEvent Function • Remote Eventlog
• PowerShell Limit-Eventlog • Windows 8 Event Viewer • Get-WinEvent • Log Event Manager
• Write-Eventlog (Basic) • PowerShell Write-Eventlog (Adv) • PowerShell Clear-Eventlog
Please email me if you have a better example script. Also please report any factual mistakes, grammatical errors or broken links, I will be happy to correct the fault.
