Get-EventLog

The good ol’ Event Viewer

Every Windows system administrator is probably familiar with the Windows Event Log. Using this cmdlet in PowerShell lets sysadmins parse lots of events at once, across many computers, from a single command. It frees them from clicking around in the Event Viewer trying to figure out just the right filter to use and where precisely that critical event is stored. However, Get-EventLog does have its downfalls, which you'll see.

Listing Event Logs with Get-EventLog

The Get-EventLog cmdlet is available on all modern versions of Windows PowerShell. In its most straightforward use, the cmdlet needs the name of an event log to query, and it will then display all events in that log. But what if you don't know the event log name in the first place? In that case, we need to find all of the event logs that are available on our local computer. We do that with the command Get-EventLog -List.

You can see I’ve got a few event logs on my local system now, but you might be wondering where are the others? There are dozens of other event logs showing up under Applications and Services logs in the Event Viewer. Why aren’t they here?

If you need those events, unfortunately, Get-EventLog isn’t going to work. Instead, you’ll need to check out Get-WinEvent. The Get-EventLog cmdlet could be considered a legacy cmdlet at this point, but it’s one I still use frequently simply because it’s just so easy to use.

Querying Events with Get-EventLog

Now that we know all of the event logs available, we can read the events within one of them. Maybe I want to see all events in the Application event log. To get those events, I specify the LogName parameter with Get-EventLog, and the cmdlet will oblige by returning all events in that event log.

By default, you'll only see six properties in the output: Index, Time, EntryType, Source, InstanceId and Message. In actuality, Get-EventLog returns 16 of them. The reason you only see six is the PowerShell formatting rules that define the default output. Below is an example of the actual output produced by piping Get-EventLog to Select-Object and selecting all of the properties.
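As an added example (not code from the original post), the following script shows the difference between the six-column default view and the full object that Get-EventLog actually returns, then builds a custom view with the fields most useful when triaging. It assumes Windows PowerShell 5.1 on a Windows host; Get-EventLog was removed in PowerShell 6 and later, so this will not run under PowerShell 7.

```powershell
# Added example, not from the original post.
# Assumes Windows PowerShell 5.1 (Get-EventLog does not exist in PowerShell 6+).

# Default view: PowerShell's format data for EventLogEntry shows only six columns.
Get-EventLog -LogName Application -Newest 3

# Enumerate every property on the object itself, not just the displayed ones.
# -MemberType Properties includes script properties such as EventID that PowerShell adds.
$entry = Get-EventLog -LogName Application -Newest 1
$props = $entry | Get-Member -MemberType Properties | Select-Object -ExpandProperty Name
"Property count: $($props.Count)"
$props

# Show all properties of the newest entry, one per line.
$entry | Select-Object -Property * | Format-List

# A custom view with the fields an analyst usually wants when triaging: when it happened,
# which machine logged it, who it ran as, and the raw message inserts (ReplacementStrings)
# that survive even when the message text cannot be rendered on the querying host.
Get-EventLog -LogName Application -Newest 3 |
    Select-Object -Property TimeGenerated, MachineName, EntryType, Source, EventID, InstanceId,
        @{ Name = 'User';    Expression = { $_.UserName } },
        @{ Name = 'Inserts'; Expression = { $_.ReplacementStrings -join ' | ' } } |
    Format-Table -AutoSize -Wrap
```

Pipe any EventLogEntry through Select-Object -Property * whenever a default table hides the field you need; the object is unchanged, only the formatting is.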

Filtering with Get-EventLog

Chances are when looking for events, we don’t need all events. Instead, we only need a few. In that case, we need to filter for particular events. Get-EventLog has a few different ways to do this. The Get-EventLog cmdlet can filter based on timestamp, entry type, event ID, message, source, and username. This takes care of the majority of ways to find events.

To demonstrate filtering, perhaps I’m querying for events every so often, and I want to find the ten newest events. In that case, I can use the Newest parameter and specify how many events I’d like to see. Get-EventLog -LogName Application -Newest 10 will return only the latest ten events.

Perhaps I want to find all events after a particular point in time. For that, we have the After parameter. The After parameter takes a date/time, so if I'd like to find only the events within the Application log that happened after 1/26/19 10:17 AM, I could run Get-EventLog -LogName Application -After '1/26/19 10:17'. We could also perform the same process but select events that happened before a certain date with, you might have guessed it, the Before parameter.

Get-EventLog has a lot of other ways to filter beyond timestamps. We can also filter events on other attributes like event ID (Instance ID) and message, which tend to be common attributes to search on. Maybe I know I'm looking for an event with an ID of 916; we'd pass 916 to the InstanceId parameter.

We can combine filters too. Maybe I get a lot of events returned with an ID of 916, but I only want those events with the string svchost in the message. In that case, we can add the Message parameter to Get-EventLog and specify a wildcard pattern that matches svchost.
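As an added example (not code from the original post), here is a small function that wraps the filters discussed above (After, Before, EntryType, InstanceId, Message, Source, Newest) and runs the same query against several computers via Get-EventLog's ComputerName parameter, which the post mentions but does not show. It assumes Windows PowerShell 5.1, that the remote event log service on each host is reachable, and that the caller has rights to read the log; the host names SRV01 through SRV03 are hypothetical. Note that the Message parameter is matched as a wildcard pattern, so a substring such as svchost must be wrapped in asterisks or it will only match a message that is exactly that string.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1.
function Find-EventLogEntry {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,  # one or more hosts; defaults to the local machine
        [string]$LogName = 'Application',
        [datetime]$After = (Get-Date).AddHours(-24),  # default window: the last 24 hours
        [datetime]$Before,
        [ValidateSet('Error', 'Warning', 'Information', 'SuccessAudit', 'FailureAudit')]
        [string[]]$EntryType,
        [long[]]$InstanceId,
        [string]$Message,                             # wildcard pattern, e.g. '*svchost*'
        [string[]]$Source,
        [int]$Newest
    )

    foreach ($computer in $ComputerName) {
        # Build the argument set dynamically so only the filters the caller supplied are passed on.
        $splat = @{ ComputerName = $computer; LogName = $LogName; After = $After }
        if ($PSBoundParameters.ContainsKey('Before')) { $splat.Before = $Before }
        if ($EntryType)  { $splat.EntryType  = $EntryType }
        if ($InstanceId) { $splat.InstanceId = $InstanceId }
        if ($Message)    { $splat.Message    = $Message }
        if ($Source)     { $splat.Source     = $Source }
        if ($Newest)     { $splat.Newest     = $Newest }

        try {
            Get-EventLog @splat -ErrorAction Stop |
                Select-Object -Property @{ Name = 'Computer'; Expression = { $computer } },
                    TimeGenerated, EntryType, Source, InstanceId, Message
        }
        catch {
            # A host that is offline or denies access must not abort the sweep of the others.
            Write-Warning "$computer : $($_.Exception.Message)"
        }
    }
}

# The two filters from the text combined: event ID 916 whose message mentions svchost,
# in the Application log, within the last 24 hours on the local machine.
Find-EventLogEntry -LogName Application -InstanceId 916 -Message '*svchost*'

# The same query across several hosts (hypothetical names), keeping only Error entries,
# then summarised as a count of matches per computer and source.
Find-EventLogEntry -ComputerName 'SRV01', 'SRV02', 'SRV03' -EntryType Error -InstanceId 916 -Message '*svchost*' |
    Group-Object -Property Computer, Source |
    Select-Object -Property Count, Name |
    Sort-Object -Property Count -Descending
```

Splatting a hashtable keeps the function honest: a filter the caller did not ask for is never sent, so Get-EventLog's own server-side filtering does the work rather than a Where-Object pass over every event. The try/catch around each host matters on a sweep, since one unreachable machine would otherwise stop the loop with a terminating error under -ErrorAction Stop.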

Summary

The Get-EventLog cmdlet is a great command to use if you ever find yourself needing to query one of the common event logs quickly. It's easy to use and provides some basic filtering ability. However, if you need to do any in-depth event log sleuthing, the Get-WinEvent command will probably work better, but it's a little harder to use and sometimes requires knowing syntax like XPath. Stay tuned for a post on Get-WinEvent.
