PowerShell Get-WinEvent

Examine Your Logs with the Get-WinEvent Cmdlet

Get-WinEvent in PowerShell v2.0 is a successor to Get-Eventlog in version 1.0.

Take the opportunity to learn more about PowerShell while you undertake the worthwhile task of examining the various event logs, for example, system, Windows or DNS.

PowerShell Get-WinEvent Topics


Example 1: PowerShell Get-WinEvent -ListLog

Our first task is to enumerate the logs that exist on your machine, therefore, append the -ListLog parameter thus:

# PowerShell Get-WinEvent script to list the event logs.
Get-WinEvent -ListLog *

Learning Points

Note 1:  -ListLog * is correct.  Plain -List (as in Get-Eventlog) does not work, furthermore you really do need that wildcard *.

Note 2: The results are staggering; I was expecting about 8 logs yet the command returned 149.  To check on your machine try:
(Get-WinEvent -ListLog *).count

Note 3: You may have guessed that the hash # symbol is PowerShell’s way of introducing a comment.

Action Point:  Launch the Event Viewer, visit the actual logs and compare the names of the logs with those returned by PowerShell’s Get-WinEvent.  Incidentally checking the operating systems GUIs while scripting PowerShell really helps to understand what is going on.

Example 1a : Luddite Script to List Just the Classic Old Logs

# PowerShell Get-WinEvent script to list classic event logs.
Get-WinEvent -ListLog * | Where {$_.IsClassicLog -eq ‘True’}

Note 4: This shows the logs that you would see with Get-Eventlog -List

Example 2: Display Messages From Your Application Log

Key point, Get-WinEvent is followed by the name of the log, in this case ‘Application’.

# PowerShell Get-WinEvent script to show last 50 Application log entries.
Get-WinEvent  Application -MaxEvents 50

Note 5: I have not explicitly added -Logname because this parameter is optional as long as Application (or the name of the log) follows directly after the cmdlet.

I realize that most people will just copy and paste my script, but for those want to look behind the script, or those who get stuck, I provide ‘Learning Points’.   My greatest joy is if you would experiment with my code, for example, change 50 to 10000; or more adventurously, change Get-WinEvent application to Get-WinEvent system.

Guy Recommends:  SolarWinds’ Log & Event Management ToolSolarwinds Log and Event Management Tool

LEM will alert you to problems such as when a key application on a particular server is unavailable.  It can also detect when services have stopped, or if there is a network latency problem.  Perhaps this log and event management tool’s most interesting ability is to take corrective action, for example by restarting services, or isolating the source of a maleware attack.

Yet perhaps the killer reason why people use LEM is for its compliance capability, with a little help from you, it will ensure that your organization complies with industry standards such as CISP or FERPA.  LEM is a really smart application that can make correlations between data in different logs, then use its built-in logic to take corrective action, to restart services, or thwart potential security breaches – give LEM a whirl.

Download your FREE trial of SolarWinds Log & Event Management tool.

Example 2a: Modification to Filter Just for Application Errors

# PowerShell Get-WinEvent script find errors in Application log
Get-WinEvent -Logname Application -MaxEvents 500 |
Where-Object {$_.LevelDisplayName -eq 'Error'} |
Format-Table Id, LevelDisplayName, Message -AutoSize

Note 6: Observe the LevelDisplayName property.  Match the values with what you see in the event viewer GUI.

Note 7: In Get-WinEvent the -MaxEvents replaces the -newest parameter found in the alternative Get-Eventlog cmdlet.  -MaxEvents controls the number of events that the script should read, which is handy switch when testing scripts.

Note 8: PowerShell supports a whole family of conditional statements, for example, -Like, -Contains, or -Match -eq (Equals), but for this job, I chose plain -eq.

Note 9: Each word, and indeed every symbol, has deep meaning to PowerShell.  (|) pipes the output of the first clause into the ‘Where’ statement.  As a result the output is filtered so that you see only error messages, and not information or warning messages.

Challenge: If the result does not produce many messages, try using the negative -ne thus:

Where-Object {$_.LevelDisplayName -ne 'Error'} |

Remember that negative is -ne, and not -neq.

Example 2b: Modification for Non-USA Cultures

As of 2104, there is a PowerShell bug in cultures such as "en-GB" or "en-DE", which prevents the display of the properties: 'LevelDisplayName' and 'Message'; here is a work-around:

[System.Threading.Thread]::CurrentThread.CurrentCulture = `
New-Object "System.Globalization.CultureInfo" "en-US"
Get-WinEvent -LogName 'System' -MaxEvents 500 |
Where-Object {$_.LevelDisplayName -eq 'Error'} |
Format-Table Id, LevelDisplayName, Message -AutoSize

Note 10: You only need this culture modification in countries outside of the USA.

Guy Recommends:  A Free Trial of the Network Performance Monitor (NPM)Review of Orion NPM v11.5 v11.5

SolarWinds’ Network Performance Monitor will help you discover what’s happening on your network.  This utility will also guide you through troubleshooting; the dashboard will indicate whether the root cause is a broken link, faulty equipment or resource overload.

What I like best is the way NPM suggests solutions to network problems.  Its also has the ability to monitor the health of individual VMware virtual machines.  If you are interested in troubleshooting, and creating network maps, then I recommend that you try NPM now.

Download a free trial of Solarwinds’ Network Performance Monitor

Example 3: Finding the Most Common Log Events

Scripting the event logs inevitably throws up some unexpected real results.  The easiest way to check for the most serious problems is to group similar events, then list in descending order.

# PowerShell example which groups event then sorts in descending order.
Get-WinEvent -Logname System -MaxEvents 2000 |
Group-Object ProviderName | Sort-Object Count -descending |
Format-Table Count, Name -auto

Note 11: I have selected the System log, but you could easily adapt this script for the Security or Application log.

Note 12: Once the script works, I would remove the -MaxEvents 2000 part; I only added that parameter to speed-up the script when you first run it.

Use Select-Object Instead of Format-Table

# PowerShell Get-WinEvent script find errors in Application log
Get-WinEvent -Logname Application -MaxEvents 500 |
Where-Object {$_.LevelDisplayName -eq 'Error'} |
Select-Object LevelDisplayName, id, ProviderName

Engineer's Toolset v10Guy Recommends: SolarWinds Engineer’s Toolset v10

This Engineer’s Toolset v10 provides a comprehensive console of 50 utilities for troubleshooting computer problems.  Guy says it helps me monitor what’s occurring on the network, and each tool teaches me more about how the underlying system operates.

There are so many good gadgets; it’s like having free rein of a sweetshop.  Thankfully the utilities are displayed logically: monitoring, network discovery, diagnostic, and Cisco tools.  Try the SolarWinds Engineer’s Toolset now!

Download your fully functional trial copy of the Engineer’s Toolset v10

More Research Into PowerShell Get-WinEvent

Whenever you discover a new PowerShell command, it benefits from being surveyed with what I call the ‘Trusty Twosome’.  In this instance, if you research a Verb-Noun command with Get-Help and Get-Member, then you are sure to unearth new scripting possibilities. To see what I mean try:

Get-Help Investigates Parameters for Get-WinEvent Cmdlet

# Investigate PowerShell’s Get-WinEvent -parameters
Get-Help Get-WinEvent -full

Get-Help confirms that in PowerShell v2.0 Get-WinEvent supports the -ComputerName parameter, thus you can interrogate the Event logs on network machines.

Get-Help also displays useful parameters such as: -ListLog, -Logname, and -MaxEvents.  Indeed, the first thing to remember about Get-WinEvent is that it needs the name of the log, for example: Get-WinEvent system.  Understand that PowerShell is looking for a positional argument, thus ‘system’ is the name of the log and is an argument, and not a parameter.  To determine this difference, PowerShell expects a parameter to be introduced with a -dash, whereas an argument is preceded by only a space.

Other names of logs that you can substitute for ‘system’ are: Application, Security and even PowerShell itself has a log.  Windows Server is likely to have yet more logs, for example, Directory Service and DNS Server.

Get-Member Research More Properties

# Investigate PowerShell Get-WinEvent Properties
Get-WinEvent system -MaxEvents 1 | Get-Member -MemberType property

Note 12: The above command reveals a list of properties that you can then use in the output, for example, ProviderId, Level and TimeCreated.

Note 13: -MaxEvents 1 just speeds up the script because it only looks for 1 log, and it’s the properties rather than the actual messages that interest us in this experiment.

Summary of PowerShell Eventlog Scripts

Let us begin by taking stock of the operating system’s event logs.  In our hearts, we know that we should be looking at these logs more often.  We also know that when we see those red dots in the logs, we should take action to correct the corresponding error message.

Thus we have a task for PowerShell; in fact, we have a marriage made in heaven.  PowerShell will help us review the system, application and other logs, while the event logs themselves will act as a vehicle for learning more about PowerShell’s benefits, capabilities and syntax.

If you like this page then please share it with your friends


See more PowerShell examples to read, write and list Windows event logs

PowerShell Home   • Get-Eventlog   • EventVwr -list   • Get-WinEvent   • Remote-WinEvent

WMI Win32_NTLogEvent   • Windows 8 Event Viewer  • Windows 8 Security Event Log

PowerShell real-life task   • Write-Eventlog   • EventVwr errors   • Log Event Manager

Please email me if you have a better example script. Also please report any factual mistakes, grammatical errors or broken links, I will be happy to correct the fault.