PowerShell Get-WinEvent Remote Computer

Introduction to Scripting Eventlog on a Remote Computer

Remoting is the biggest improvement in PowerShell v 2.0.  Here on this page we will see how it’s possible to apply the -ComputerName parameter to eventlog files, and thus view errors on a network computer.

PowerShell Eventlog Topics

I think of Get-WinEvent as an update of Get-Eventlog.  The main benefit is that this later cmdlet allows you to interrogate additional logs.


Example 1: List PowerShell Eventlogs on Local Computer

My learning progression is to get a basic example working on the local machine and then adapt the script to interrogate a remote computer.

# PowerShell Get-WinEvent script to list classic event logs.
Get-WinEvent -ListLog * | Where {$_.IsClassicLog -eq ‘True’}

Note 1:  To see all the Microsoft event logs that are newly available to Get-WinEvent amend:
-eq 'True', to -ne 'True'.  Alternatively remove the 'Where' clause completely.

Example 2: PowerShell Get-WinEvent on Remote Computer

Here is a modification of Example 1 which makes the script ready-to-run on a remote computer.

# PowerShell script to list the event logs on a remote computer
# Just change "LocalHost" to the name of YOUR remote computer
$Machine = "LocalHost"
Get-WinEvent -ListLog *  -ComputerName $Machine

Note 2: All you have to do is change "LocalHost" to the name of a computer on your network.

Note 3: PowerShell v 2.0 brings with it remoting capabilities which you access via the -ComputerName parameter.

Note 4: Problems? See troubleshooting remoting.

Guy Recommends:  SolarWinds’ Log & Event Management ToolSolarwinds Log and Event Management Tool

LEM will alert you to problems such as when a key application on a particular server is unavailable.  It can also detect when services have stopped, or if there is a network latency problem.  Perhaps this log and event management tool’s most interesting ability is to take corrective action, for example by restarting services, or isolating the source of a maleware attack.

Yet perhaps the killer reason why people use LEM is for its compliance capability, with a little help from you, it will ensure that your organization complies with industry standards such as CISP or FERPA.  LEM is a really smart application that can make correlations between data in different logs, then use its built-in logic to take corrective action, to restart services, or thwart potential security breaches – give LEM a whirl.

Download your FREE trial of SolarWinds Log & Event Management tool.

Troubleshooting Get-WinEvent Remoting

I find that -ComputerName also needs the -Credential parameter, for example:
-Credential $Machine\$AdminPerson.

# Get-WinEvent -Credential
$Machine = "OtherMachine"
$AdminPerson = "OtherBod"
Get-WinEvent -ListLog *  -ComputerName $Machine -Credential $Machine\$AdminPerson

Note 5: I have introduced the variables $Machine and $AdminPerson to encourage you to modify the script to suit your network.PowerShell Get-WinEvent

Event Viewer cannot connect to computer
The RPC server is unavailable

The solution to this connection failure was to configure a firewall group policy.

  • Launch the Group Policy Editor – Gpedit
  • Computer Configuration
  • – Windows Settings
  • — Security Settings
  • — Windows Firewall Advanced Security
  • —- Inbound Rules
  • —- Right-click and select 'New Rule' (Key point)
  • —- Predefined radio button
  • —- Choose Remote Event Log Management (Drop down list)
  • —- Click Next
  • —- Accept the defaults and click 'Next'
  • —- Choose Allow the connection and click 'Finish'

The ticks should turn green and you will see the screenshot below.

PowerShell Get-WinEvent


Another remoting technique involves Enter-PSSession.  My idea is then to run the Get-WinEvent commands as though I was a console user typing in PowerShell.

# Create a Remote Session
$Machine = "OtherMachine"
$AdminPerson = "OtherBod"
Enter-PSSession -ComputerName $Machine -Credential $Machine\$AdminPerson
Get-WinEvent -ListLog *

Note 6: Once again, the -Credential information parameter could make the difference between success and frustration – provided you know the correct name and password.

Guy Recommends:  A Free Trial of the Network Performance Monitor (NPM)Review of Orion NPM v11.5 v11.5

SolarWinds’ Network Performance Monitor will help you discover what’s happening on your network.  This utility will also guide you through troubleshooting; the dashboard will indicate whether the root cause is a broken link, faulty equipment or resource overload.

What I like best is the way NPM suggests solutions to network problems.  Its also has the ability to monitor the health of individual VMware virtual machines.  If you are interested in troubleshooting, and creating network maps, then I recommend that you try NPM now.

Download a free trial of Solarwinds’ Network Performance Monitor

More Get-WinEvent Examples

Assuming that remoting is working!  Here are more ideas.

Example 3: PowerShell Get-WinEvent Remote EventID

PowerShell’s Get-WinEvent is tricky to operate.  What makes it easier is focussing on the parameters, especially -Logname and for remoting, -ComputerName.  Once you get the basics working there is a wealth of techniques and properties you can apply to this most versatile cmdlet.

Scenario: You need to investigate a particular EventID. 
Important:  Amend my value of -lt ‘100’ to -eq ‘YourNumber’.  Do remember the speech marks.
Optional: Change "LocalHost" to "YourNetworkMachine"

# PowerShell Remote EventLog example with specific EventID
$Machine = "LocalHost"
Get-WinEvent -Logname System -ComputerName $Machine -MaxEvents 1000 |
Where-Object {$_.EventID -lt '100'} |
Format-Table MachineName, Source, EventID -auto

Note 7: Please change -lt to -eq, and ‘100’ to the EventID you are researching.

Note 8: The above script is ready for remoting, just change the value of $Machine variable.

Note 9: See more on PowerShell remoting

Example 4: Alternative Eventlog Technique Using System.Diagnostics

# PowerShell script to list the eventlogs on another computer
$Log = "Application"
$Computer ="LocalHost"
$ID = "1002"
$Objlog = New-Object system.diagnostics.eventLog($Log, $Computer)
$Objlog.get_entries() |
Where-object { $_.eventID -eq $id }

Note 10: New-Object creates an instance of system.diagnostics.  In particular an eventlog instance

Note 11: I have used variables to control the output, $Log, $Computer and $ID.

Important: Please amend $Computer = "LocalHost" to the name of the remote computer.

More Ideas: Introduce an $array and a loop to interrogate a batch of computers.

Further Research on PowerShell Get-WinEvent

To get the most out of Get-WinEvent even experts turn to the trusty PowerShell techniques of Get-Help and Get-Member.  Once you understand the basics, there is huge enjoyment and satisfaction in getting the right script for the right job.

Engineer's Toolset v10Guy Recommends: SolarWinds Engineer’s Toolset v10

This Engineer’s Toolset v10 provides a comprehensive console of 50 utilities for troubleshooting computer problems.  Guy says it helps me monitor what’s occurring on the network, and each tool teaches me more about how the underlying system operates.

There are so many good gadgets; it’s like having free rein of a sweetshop.  Thankfully the utilities are displayed logically: monitoring, network discovery, diagnostic, and Cisco tools.  Try the SolarWinds Engineer’s Toolset now!

Download your fully functional trial copy of the Engineer’s Toolset v10

Help with Get-WinEvent Parameters

# PowerShell Get-WinEvent Parameters
Get-Help Get-WinEvent -full

Checking the help file will reveal useful parameters.  Always remember to define the log with -logfile.  I particularly like the -MaxEvents, but for detailed research -before or -after maybe more useful.

Research Get-WinEvent Properties

# PowerShell Get-WinEvent Properties
Get-WinEvent -Logname system -MaxEvents 1 | Get-Member -memberType property

When you define the output with Format-Table or Out-File, it makes life easier if you can choose just the relevant properties, for example, Source, TimeWritten and Message.

Researching Similar PowerShell Cmdlets

# PowerShell Get-WinEvent Cmdlet Research
Get-Command -Noun Eventlog

The main result is to realize there is a sister command Write-Eventlog, you could also Clear-Eventlog.

Summary of Win-Eventlog Remoting

Remoting is the biggest improvement in PowerShell v 2.0.  On this page we have seen the importance of the -ComputerName parameter for interrogating eventlog files.  As a bonus we have experimented with listing EventIDs on both local and remote computers.

If you like this page then please share it with your friends


See more PowerShell examples to read, write and list Windows event logs

PowerShell Home   • Get-Eventlog   • EventVwr -list   • Get-WinEvent   • Remote-WinEvent

WMI Win32_NTLogEvent   • Windows 8 Event Viewer  • Windows 8 Security Event Log

PowerShell real-life task   • Write-Eventlog   • EventVwr errors   • Log Event Manager

Please email me if you have a better example script. Also please report any factual mistakes, grammatical errors or broken links, I will be happy to correct the fault.