PowerShell’s Get-WinEvent
I have a new mission. My aim is to collect a bank of simple PowerShell scripts that ‘do stuff’. Perhaps you can help? I am so serious about my project that this week I am offering a bounty of $10 for the best script based on Get-WinEvent. If this is successful, then I will offer more bounties for scripts based on other cmdlets.
Guy’s Brief / Challenge:
- Use the cmdlet: Get-WinEvent
- Your PowerShell script must do something useful.
- No more than 10 lines.
- No copying from the internet! It must be your code.
- The best script gets $10 paid into its writer’s PayPal account.
Topics for PowerShell Get-WinEvent
- This Week’s Secret
- Example: Finding the Most Common Log Events
- PowerShell Show-Command
- Guy’s Brief / Challenge
This Week’s Secret
Get-WinEvent is PowerShell 2.0’s updated version of PowerShell 1.0’s Get-EventLog. The first thing to note is that to enumerate the logs you need to append -ListLog * (not -list, not -loglist, and not -listlog without a wildcard). Instead of about 8 logs, Get-WinEvent returns 150 – really! Thus the second thing is that you may want to try this filter, which lists just the traditional event logs.
# PowerShell Get-WinEvent script to list classic event logs.
Clear-Host
Get-WinEvent -ListLog * | Where-Object {$_.IsClassicLog -eq $true}
Note 0: Get-WinEvent needs Vista or later; for XP use plain Get-EventLog.
Note 1: Perhaps my worst kept secret is that you don’t really need me, just call for PowerShell’s Get-Help!
# List Get-WinEvent parameters.
Clear-Host
Get-Help Get-WinEvent -full
Note 2: Observe the -MaxEvents parameter, which replaces -Newest in the old Get-EventLog cmdlet. I think this is a wonderful parameter for speeding up a script while testing, and for checking properties with Get-Member.
# List System log properties.
Clear-Host
Get-WinEvent System -maxEvents 1 | Get-Member
Note 3: Most scripts which employ the Get-WinEvent cmdlet require the name of the log, for example, Application, Security, or as in this case, System.
Now you have all the tools to create interesting scripts which ‘do stuff’ such as filtering only errors, or finding messages containing specific words.
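As an added example of both ideas in that sentence (it is not a script from the original page), the following filters the System log down to critical and error events from the last 24 hours and then keeps only those whose message mentions a keyword. The keyword 'disk' and the 24-hour window are illustrative values chosen for this example. It uses -FilterHashtable so the log service does the level and time filtering rather than piping every record through Where-Object, and it handles the case where nothing matches, because Get-WinEvent reports that as an error rather than as an empty result.

```powershell
# Added example: error-level System events that mention a keyword.
# 'disk' and the 24-hour window are illustrative values, not from the original page.
$since   = (Get-Date).AddHours(-24)
$keyword = 'disk'

# In a filter hashtable the Level is numeric: 1 = Critical, 2 = Error, 3 = Warning.
$filter = @{
    LogName   = 'System'
    Level     = 1, 2
    StartTime = $since
}

# Get-WinEvent writes an error (not an empty result) when no events match,
# so suppress it and treat $null as "nothing found".
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No critical or error events in the System log since $since"
}
else {
    $events |
        Where-Object { $_.Message -match $keyword } |
        Select-Object TimeCreated, Id, ProviderName, LevelDisplayName,
                      @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize -Wrap
}
```

Message text is only searched after the level and time filters have been applied, so the Where-Object clause runs over a short list even on a busy server. The Summary column keeps the first line of each message, which is usually enough to recognise the fault without the multi-line detail.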
Guy Recommends: WMI Monitor and It’s Free!
Windows Management Instrumentation (WMI) is one of the hidden treasures of Microsoft’s operating systems. Fortunately, SolarWinds have created a Free WMI Monitor so that you can discover these gems of performance information, and thus improve your scripts.
Take the guesswork out of which WMI counters to use when scripting the operating system, Active Directory or Exchange Server. Give this WMI monitor a try – it’s free.
Download your free copy of WMI Monitor
Example Script: Finding the Most Common Log Events
Scripting the event logs inevitably throws up some unexpected results: errors that you really should know about and act on. The easiest way to check for the most serious problems is to group similar events and then list the groups in descending order of count.
In terms of my $10 challenge this is the benchmark. I am not looking for complex coding; I am more interested in a real task to which a simple PowerShell script can provide a quick answer.
# PowerShell example which groups event then sorts in descending order.
Clear-Host
Get-WinEvent -LogName System -MaxEvents 2000 |
Group-Object ProviderName | Sort-Object Count -Descending |
Format-Table Count, Name -AutoSize
Note 4: I have selected the System log, but you could easily adapt this script for the Security or Application log.
Note 5: Once the script works, I would remove the -MaxEvents 2000 part; I only added that parameter to speed up the script when you first run it.
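Following Note 4, here is an added example (my own code, not from the original page) that wraps the grouping idea in a function so the same report can be run over the System and Application logs, or the Security log, in one call. It goes a little beyond the script above: it restricts the query to critical and error events from the last few days, groups on provider and event ID rather than provider alone, and reports when each combination was last seen. The function name, its parameter defaults and the 7-day window are choices made for this example.

```powershell
# Added example: top error sources per log, grouped by provider and event ID.
# Function name, defaults and the 7-day window are this example's own choices.
function Get-TopEventSources {
    param(
        [string[]] $LogName = @('System', 'Application'),
        [int]      $Days    = 7,
        [int]      $Top     = 10
    )

    $since = (Get-Date).AddDays(-$Days)

    foreach ($log in $LogName) {
        # Level 1 = Critical, 2 = Error. -ErrorAction covers both a log that does
        # not exist and the error Get-WinEvent raises when nothing matches.
        $events = Get-WinEvent -FilterHashtable @{
            LogName = $log; Level = 1, 2; StartTime = $since
        } -ErrorAction SilentlyContinue

        if (-not $events) { continue }

        $events |
            Group-Object ProviderName, Id |
            Sort-Object Count -Descending |
            Select-Object -First $Top |
            ForEach-Object {
                # Emit objects rather than formatted text so the caller can
                # sort, export or filter the result further.
                [pscustomobject]@{
                    Log      = $log
                    Provider = $_.Group[0].ProviderName
                    Id       = $_.Group[0].Id
                    Count    = $_.Count
                    LastSeen = ($_.Group | Sort-Object TimeCreated -Descending |
                                Select-Object -First 1).TimeCreated
                }
            }
    }
}

# Usage: the defaults cover System and Application; pass -LogName Security
# (which needs an elevated prompt) to run the same report on the Security log.
Get-TopEventSources | Format-Table -AutoSize
```

Grouping on the event ID as well as the provider matters because one provider, such as Service Control Manager, can emit several unrelated errors; grouping on provider alone would merge them into a single count and hide which fault is actually recurring.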
Reminder of Guy’s Brief / Challenge:
- Use the cmdlet: Get-WinEvent
- Your PowerShell script must do something useful.
- No more than 10 lines.
- No copying from the internet! It must be your code.
- The best script gets $10 paid into its writer’s PayPal account.
Summary of PowerShell’s Get-WinEvent
Everyone should check their event logs more often. With PowerShell you can turn a drudge into a labor of love: as you discover errors and take corrective action, you also learn more about PowerShell’s syntax.
Guy Recommends: Tools4ever’s UMRA
Tired of writing scripts? The User Management Resource Administrator solution by Tools4ever offers an alternative to time-consuming manual processes.
It features 100% auto provisioning, Helpdesk Delegation, Connectors to more than 130 systems/applications, Workflow Management, Self Service and many other benefits. Click on the link for more information on UMRA.
Please email me if you have a better example script. Also please report any factual mistakes, grammatical errors or broken links, I will be happy to correct the fault.