PowerShell Get-Eventlog

Introduction to Scripting the Eventlog with PowerShell

Let us begin by taking stock of the operating system’s event logs.  In our hearts, we know that we should be looking at these logs more often.  We also know that when we see those red dots in the event viewer, we should take action to correct the corresponding error message.

Thus we have a task for PowerShell; in fact, we have a marriage made in heaven.  PowerShell will help us review the Windows system, application and other logs, while the event logs themselves will act as a vehicle for learning more about PowerShell’s benefits, capabilities and syntax.


PowerShell Pre-requisites and Checklist

In the case of Windows 7 and later, you don’t need to download any extra files, just: ‘Add Feature’ –> Windows PowerShell.  However, for older operating systems, there are different versions of PowerShell for XP, Windows Server 2003 and Vista.  For such legacy systems only, you need to download PowerShell from Microsoft’s site.

Once you have installed PowerShell 2.0 or later, I recommend choosing the ISE (Integrated Scripting Environment) version; it will save you buying a text editor.

Example 1: PowerShell Get-Eventlog -List

Our first task is to enumerate the event logs present on your machine.  Therefore, to discover whether your computer has 3, 6, or more individual logs, append the -List parameter to the Get-Eventlog command:

# PowerShell script to enumerate the event logs.
Get-Eventlog -List

Learning Points

Note 1a: You may have guessed that the hash # symbol is PowerShell’s way of introducing a comment.

Note 1b: -List is correct; please note that you do need that dash to introduce a PowerShell parameter.

Action Point: Please launch your Event Viewer; you can even do this with: Show-Eventlog.

My challenge is to adjust the ‘Retain’ time and the Overflow action manually.  This is my way of encouraging you to compare what you see in the GUI with the instructions in the PowerShell scripts.

Action Point: PowerShell v2.0 has a new cmdlet called Get-WinEvent; use this to list even more Windows application logs.

PowerShell Example 2: Display Error Messages from Your System Log

Key point: Get-Eventlog is followed by the name of the log, in this case ‘system’.

# Script to list Error messages in the Windows System eventlog.
Clear-Host
Get-Eventlog system -Newest 2000 |
Where-Object {$_.entryType -Match "Error"}

Learning Points

I realize that most people will just copy and paste my script, but for those who want to look behind the script, or those who get stuck, I provide ‘Learning Points’.  My greatest joy is if you would experiment with my code, for example, change -Newest 2000 to 10000; or more adventurously, change Get-Eventlog system to Get-Eventlog application.

Note 2a: To get started you could simplify the script further and just type:
Get-Eventlog system

Note 2b: Each word, and indeed every symbol, has deep meaning in Windows PowerShell.  Observe the (|) pipe which sends the output of the first clause into the ‘Where’ statement.  The point is that we are filtering the output so that the results contain only error messages, and not information or warning messages.

Note 2c:  PowerShell supports a whole family of conditional statements, for example, -Like, -Contains, or even plain -eq (equals), but for this job, I choose -Match. See how to change Get-Eventlog’s parameter defaults »

Guy Recommends:  SolarWinds’ Log & Event Management Tool

LEM will alert you to problems such as when a key application on a particular server is unavailable.  It can also detect when services have stopped, or if there is a network latency problem.  Perhaps this log and event management tool’s most interesting ability is to take corrective action, for example by restarting services, or isolating the source of a malware attack.

Yet perhaps the killer reason why people use LEM is its compliance capability: with a little help from you, it will ensure that your organization complies with industry standards such as CISP or FERPA.  LEM is a really smart application that can make correlations between data in different logs, then use its built-in logic to take corrective action, to restart services, or thwart potential security breaches – give LEM a whirl.

Download your FREE trial of SolarWinds Log & Event Management tool.

PowerShell Script Example 3: Search for Errors in the System Log

This example produces a very similar result to the example above.  The whole point of the extra code is to give us more control over the output.  There are numerous ways that you could achieve the same list of events; indeed, many of them are technically superior to mine.  However, while we are in learning mode, as opposed to production mode, I feel strongly that this script should demonstrate useful PowerShell features such as:  $Variables, pipeline, and Format-Table.

# Cmdlet to find latest 2000 errors in the System eventlog
Clear-Host
$SysEvent = Get-Eventlog -Logname system -Newest 2000
$SysError = $SysEvent | Where {$_.entryType -Match "Error"}
$SysError | Sort-Object EventID |
Format-Table EventID, Source, TimeWritten, Message -auto

Learning Points

Note 3a: Guy loves variables.  In PowerShell you just declare variables with a $dollar sign.  There is nothing else you need to do!

Note 3b:  In Example 1 we employed one pipeline (|), whereas this script has three (|)s.  This technique of using the output of the first clause as the input of the second clause, is a characteristic benefit of Microsoft's PowerShell.

Challenge 1: I chose to sequence the data with: sort eventid.  Now, I challenge you to sort on TimeWritten.

Challenge 2: In my opinion, it’s not necessary to include entryType in the Format-Table statement, but I challenge you to add it, and then see if I am right, or see if I am wrong to omit this property.

Challenge 3: Previously I used the backtick ` to run one command over two lines, but then I learned that if the | (pipe) was at the end of the line you don't need the backtick.  This is what I used to do:
$SysError | Sort-Object EventID | `

Guy Recommends:  A Free Trial of the Network Performance Monitor (NPM)

SolarWinds’ Network Performance Monitor will help you discover what’s happening on your network.  This utility will also guide you through troubleshooting; the dashboard will indicate whether the root cause is a broken link, faulty equipment or resource overload.

What I like best is the way NPM suggests solutions to network problems.  It also has the ability to monitor the health of individual VMware virtual machines.  If you are interested in troubleshooting, and creating network maps, then I recommend that you try NPM now.

Download a free trial of Solarwinds’ Network Performance Monitor

Another Eventlog Example To Check Boot Events

# Cmdlet to find 600x errors in the System eventlog
Clear-Host
Get-EventLog system -Newest 20000 | Where-Object { $_.EventID -Like "600?"} |
Format-Table TimeWritten, EventID, Message -auto

Note 4: This example uses Where-Object to filter the events; where possible, I prefer to employ a parameter such as -Source or -InstanceId.

Get-Eventlog -Source

Firstly, a reminder of my favourite learning technique, open the GUI to get ideas to improve your PowerShell Scripts.

In this case observe the 'Source' column, lo-and-behold, there is a parameter of the same name that we can employ in our script.

# Example to filter Service messages in the System log
Clear-Host
Get-EventLog System -Newest 20 -Source "Service*" |
Format-Table TimeWritten, Source, EventID, Message -auto

Note 5: Pleasingly, -Source takes a wildcard in its value, observe "Service*".

Get-Eventlog -InstanceId

Here is an example using the InstanceId parameter to reveal the last 3 restore points.

# Find Restore Points with PowerShell
Get-EventLog -Logname Application -InstanceId 8194 -Newest 3

Note 6: For more detail, append | Select-Object 8
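Notes 4 to 6 prefer Get-Eventlog’s own parameters to Where-Object. Here is an added example of mine (not a script from the original page) that combines -EntryType, -After and the wildcard -Source into one reusable function and groups the result so you see which Source/EventID pairs fire most often; the function name and its default of seven days are my choices, and it assumes Windows PowerShell, since Get-EventLog is not present in PowerShell 7.

```powershell
# Added example: summarise recent errors and warnings from a classic log using
# Get-EventLog's parameters (-EntryType, -After, -Source) instead of Where-Object.
# Windows PowerShell only; Get-EventLog is not available in PowerShell 7.
function Get-EventLogErrorSummary {
    [CmdletBinding()]
    param(
        [string] $LogName      = 'System',   # the positional argument from the page, named here
        [int]    $Days         = 7,          # assumption: look back one week by default
        [string] $Source       = '*',        # -Source takes wildcards, e.g. 'Service*'
        [string] $ComputerName = '.'         # '.' means the local computer
    )

    $since = (Get-Date).AddDays(-$Days)

    # Splatting keeps the long command readable without backticks (see Challenge 3).
    # The cmdlet filters on the server side, so only matching entries come back.
    # Get-EventLog reports "No matches found" as a non-terminating error when
    # nothing matches; that case is silenced and treated as an empty result.
    $query = @{
        LogName      = $LogName
        ComputerName = $ComputerName
        EntryType    = 'Error', 'Warning'
        After        = $since
        Source       = $Source
        ErrorAction  = 'SilentlyContinue'
    }
    $entries = @(Get-EventLog @query)

    # One row per Source/EventID pair: how often it fired and when it last fired.
    $entries |
        Group-Object -Property Source, EventID |
        ForEach-Object {
            $latest = $_.Group | Sort-Object TimeWritten -Descending | Select-Object -First 1
            [pscustomobject]@{
                Log       = $LogName
                Source    = $latest.Source
                EventID   = $latest.EventID
                EntryType = $latest.EntryType
                Count     = $_.Count
                LastSeen  = $latest.TimeWritten
                Message   = ($latest.Message -replace '\s+', ' ')   # flatten multi-line text
            }
        } |
        Sort-Object Count -Descending
}

# Usage: a week of System errors and warnings from service-related sources
Get-EventLogErrorSummary -LogName System -Days 7 -Source 'Service*' |
    Format-Table Source, EventID, EntryType, Count, LastSeen -AutoSize
```

Change -LogName to Application, or drop -Source, and the same grouping shows you which problems recur rather than a flat list of 2000 entries.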

More Research of the PowerShell Get-Eventlog Cmdlet

Trusty Twosome (Get-Help and Get-Member)

Whenever you discover a new PowerShell command, it benefits from being surveyed with what I call the ‘Trusty Twosome’.  In this instance, if you research a Verb-Noun command with Get-Help and Get-Member, then you are sure to unearth new scripting possibilities.  To see what I mean try:

Get-Help Get-Eventlog

# Investigate PowerShell's Get-Eventlog -parameters
Clear-Host
Get-Help Get-Eventlog -full

Get-Help confirms support for the -ComputerName parameter, thus in addition to using Event Viewer, PowerShell can interrogate those logs on network machines.

Microsoft's Get-Help also displays useful parameters such as: -List, -Logname, and -Newest.  Indeed, the first thing to remember about Get-Eventlog is that it needs the name of the log, for example: Get-Eventlog system.

Keep in mind that PowerShell is looking for a positional argument; thus ‘system’ is the name of the log and is an argument, not a parameter.  To tell the difference, PowerShell expects a parameter to be introduced with a -dash, whereas an argument is preceded by only a space.

Other names of logs that you can substitute for ‘System’ are: Application, Security and even PowerShell itself has a log.  Windows Server is likely to have yet more logs, for example, Directory Service and DNS Server.
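The -List parameter from Example 1 returns the same settings you were asked to inspect in the Event Viewer GUI (the ‘Retain’ time and the Overflow action), and Get-Help confirmed -ComputerName. The following added example of mine (not from the original page) puts the two together into a log inventory for one machine, local or remote, and flags logs that overwrite as needed while being small; the function name and the 20480 KB threshold are my own assumptions.

```powershell
# Added example: inventory every classic log on a computer with its size limit,
# overflow policy and retention, plus the number of errors in the last N hours.
# Windows PowerShell only; Get-EventLog is not available in PowerShell 7.
function Get-EventLogInventory {
    param(
        [string] $ComputerName = '.',     # '.' means the local computer
        [int]    $Hours        = 24,      # assumption: count errors from the last day
        [int]    $SmallLogKB   = 20480    # assumption: flag logs at or below 20 MB that wrap
    )

    $since = (Get-Date).AddHours(-$Hours)

    # -List returns one System.Diagnostics.EventLog object per log; its
    # properties mirror the Event Viewer Properties dialog for that log.
    Get-EventLog -List -ComputerName $ComputerName | ForEach-Object {
        $log = $_

        # "No matches found" is a non-terminating error, and reading the Security
        # log without elevation fails too. -ErrorAction Stop turns both into
        # exceptions: the first means zero errors, anything else stays $null.
        $errors = $null
        try {
            $query = @{
                LogName      = $log.Log
                ComputerName = $ComputerName
                EntryType    = 'Error'
                After        = $since
                ErrorAction  = 'Stop'
            }
            $errors = @(Get-EventLog @query).Count
        } catch {
            if ($_.Exception.Message -like 'No matches found*') { $errors = 0 }
        }

        [pscustomobject]@{
            Log          = $log.LogDisplayName
            MaxKB        = $log.MaximumKilobytes
            Overflow     = $log.OverflowAction        # OverwriteAsNeeded, OverwriteOlder or DoNotOverwrite
            RetainDays   = $log.MinimumRetentionDays  # the 'Retain' value from the GUI
            RecentErrors = $errors                    # $null when the log could not be read
            # A small log that overwrites as needed can lose evidence within hours.
            SmallAndWrap = ($log.OverflowAction -eq 'OverwriteAsNeeded' -and
                            $log.MaximumKilobytes -le $SmallLogKB)
        }
    }
}

Get-EventLogInventory | Format-Table -AutoSize
```

Run it elevated to see RecentErrors for the Security log, and pass -ComputerName with a server name to survey a remote machine’s Directory Service or DNS Server logs.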

See also Solarwinds Log and Event Manager »

Get-Eventlog Get-Member

# Investigate PowerShell's Get-Eventlog Properties
Clear-Host
Get-Eventlog system | Get-Member -MemberType property

Note 7a: The above command reveals a list of log message properties that you can then use in the output, for example, Category and Source.

Note 7b: You could omit the -MemberType property parameter and thus also display the methods.

Discover Other Members of the PowerShell Eventlog Family

Instead of using the Event Viewer, employ PowerShell cmdlets to manipulate other aspects of your Windows logs.

# Find more PowerShell Eventlog cmdlets
Clear-Host
Get-Command -Noun eventlog

Note 8: Write-Eventlog and Limit-Eventlog look promising.

Summary of PowerShell Get-Eventlog Scripts

I believe that PowerShell has a future.  My mission is to get you started using this scripting language.  What suits my learning style is concrete examples, where we learn by doing.  It is my belief that a good way to begin is by employing PowerShell to tackle everyday tasks such as reviewing the multitude of event logs.

Just by issuing a few variations of the command ‘Get-Eventlog system’, you will soon get a feeling of the abilities of PowerShell.  Moreover, as a bonus you will soon obtain useful information about events in your operating system.  The command: ‘Get-Eventlog application’ has a wide range of switches, for example -List and -Newest.  What is always instructive with any PowerShell command, is Get-Member, for example:
Get-Eventlog system | Get-Member



Please email me if you have a better example script. Also please report any factual mistakes, grammatical errors or broken links, I will be happy to correct the fault.