Windows 8 Event Viewer System Log
Most of the operating systems’ problems are recorded in the System log. Sometimes it’s more convenient to use the Event Viewer, while at other times PowerShell is quicker.
Windows 8 System Log Topics
- Launching the Windows 8 System Log
- List the Last 10 System Events with PowerShell
- Filtering Events within Event Viewer
- Filtering Windows System Events with PowerShell
♦
Getting Started – Finding the Windows 8 System Log
I am going to show you two methods to research the System log entries, they work really well in tandem. By that I mean the Event View will teach you about PowerShell.
Launch the Windows 8 Event Viewer
To get started with the Event Viewer press Winkey +w, this launches the Search box with the focus on Settings. Now type: "ev" you should see ‘View event logs’.
Once the Event Viewer has initialized if you expand ‘Windows logs’ you can see ‘System’.
PowerShell Equivalent: List the Last 20 System Events with PowerShell
Starting from the Metro UI, start typing: ‘Pow’. You should see two PowerShell Apps, I prefer to select the ISE version because it has a GUI. There are two cmdlets for displaying the logs; Get-EventViewer and Get-WinEvent, in either case remember to specify the -LogName.
Get-WinEvent
# PowerShell Windows 8 System Event Logs
Get-WinEvent -LogName System -MaxEvents 20
Note 1: The parameter -MaxEvents 20 is merely to speed up the command because the system log can be huge, and when testing you may be anxious just to get results.
Get-Eventlog
Alternatively, you can use Get-Eventlog cmdlet with its -Newest parameter. This is an old-fashioned, but easier to use cmdlet.
Clear-host
Get-Eventlog -LogName System -Newest 20
Help Further PowerShell Research
#Pure Research – Precede the cmdlet with Help
Clear-host
Help Get-WinEvent
Research Properties with Get-Member (GM)
#Pure Research – Append Get-Member
Clear-host
Get-Eventlog System -Newest 20 | Get-Member
Guy Recommends: SolarWinds’ Log & Event Management Tool
LEM will alert you to problems such as when a key application on a particular server is unavailable. It can also detect when services have stopped, or if there is a network latency problem. Perhaps this log and event management tool’s most interesting ability is to take corrective action, for example by restarting services, or isolating the source of a maleware attack.
Yet perhaps the killer reason why people use LEM is for its compliance capability, with a little help from you, it will ensure that your organization complies with industry standards such as CISP or FERPA. LEM is a really smart application that can make correlations between data in different logs, then use its built-in logic to take corrective action, to restart services, or thwart potential security breaches – give LEM a whirl.
Download your FREE trial of SolarWinds Log & Event Management tool.
Filtering Events within the Event Viewer GUI
Orientation: You are in the Event Viewer, you pre-select the System log. Now, go to the Actions pane to the right and click on ‘Filter Current Log’.
Here is where you put on your thinking hat, and experiment with each setting: my choices were:
Event sources Microsoft Windows System settings
Task category Logon, Logoff.
Filtering Windows System Events with PowerShell
Typical Microsoft, there are at least 3 ways of employing PowerShell to filter the logs. My favourite, especially for learning is to pipe the output of Get-Eventlog into a where statement.
#Pure Research – PowerShell Where-Object Filtering
Clear-host
Get-Eventlog System -Newest 200 | Where-Object {$_.EventID -eq ‘50036’}
Note 2: It may be clearer if you bolt on a Format-Table command. This enables you to choose the output columns, for example: | Format-Table EventID, Message -auto
Note 3: Windows Event ID 50036 means the DHCP Client service started (and 50037 means it stopped).
Note 4: The conditional operator -match may be better than -eq. Especially for messages, e.g. Where {$_.Message -match ‘DHCP’}
-FilterHashTable with Get-WinEvent
Researching a PowerShell cmdlet with Help is surprisingly instructive, in this instance it shows that Get-WinEvent has a parameter called -FilterHashTable parameter. However Help also reveals that Get-Eventlog does not.
Clear-Host
Get-WinEvent -MaxEvents 100 -FilterHashtable @{Logname="System"; ProviderName="*DHCP*"}
Note 5: The syntax is a little tricky; a) There is no hyphen before the parameter. b) The key-value pairs are joined by the = (equals sign) and not PowerShell’s -eq. Also remember the overall format @{Filter="criteria"}
Guy Recommends: WMI Monitor and It’s Free!
Windows Management Instrumentation (WMI) is one of the hidden treasures of Microsoft’s operating systems. Fortunately, SolarWinds have created a Free WMI Monitor so that you can discover these gems of performance information, and thus improve your scripts.
Take the guess work out of which WMI counters to use when scripting the operating system, Active Directory or Exchange Server. Give this WMI monitor a try – it’s free.
Download your free copy of WMI Monitor
Summary of Windows 8 System Event Logs
This page explains how to research the System log entries with both the Windows 8 Event Viewer and PowerShell v 3.0 Our examples showed how to filter events with the Action pane, and also how to use PowerShell’s -FilterHashtable parameter.
If you like this page then please share it with your friends
Microsoft Windows 8 Topics
• Windows 8 Overview • Windows 8 Event Viewer • Win 8 Security Event Log • Log Event Manager
• Win 8 Task Manager • Close Windows 8 Apps • Windows 8 SkipRearm • Windows 8 File History
• Windows 8 App Store • Windows 8 Safely Remove Hardware • Windows 8 Shutdown Command
