Taking on PowerShell one cmdlet at a time

This is part of an ongoing blog series by Adam Gordon. Each week Adam shows you how to use a different PowerShell command. This week Adam covers Get-EventLog.

When to use Get-EventLog
The Get-EventLog cmdlet retrieves events and event logs from local and remote computers. Use the -ComputerName parameter to get logs from a remote computer.
To search for events, you can use the Get-EventLog parameters or property values. The cmdlet returns only the events that match the specified property value.
NOTE: PowerShell cmdlets containing the EventLog noun do not work on Windows classic logs like Security, System, and Application. Get-WinEvent will give you logs that use Windows Event Log technology in Windows Vista or later Windows versions.

How to use Get-EventLog
List the event logs on your local computer:
Get-EventLog -List
The Log column names are used with -LogName to specify which log will be searched for events. To display all logs, the Get-EventLog cmdlet uses a -List parameter.

Get the most recent entries from an event log on your local computer:
Get-EventLog -LogName System -Newest 5
The Get-EventLog cmdlet uses a -LogName parameter in order to specify the System log.
The -Newest parameter returns five of the most recent events.

Find all sources that have a certain number of entries in an Event Log:
$Events = Get-EventLog -LogName System -Newest 1000
$Events | Group-Object -Property Source -NoElement | Sort-Object -Property Count -Descending
The Get-EventLog cmdlet uses a -LogName parameter in order to specify the System log.
The -Newest parameter selects the 1000 most recent events. The $Events variable stores the event objects. The $Events objects are sent to the Group-Object cmdlet via the pipeline.
Group-Object uses -Property to group objects by source. It also counts the number of objects per source. The -NoElement parameter removes the group members from the output.
The Sort-Object cmdlet uses -Property to sort the groups by their Count.
The -Descending parameter sorts your list by count, from highest to lowest.

Find error events from a particular event log:
Get-EventLog -LogName System -EntryType Error
The Get-EventLog cmdlet uses a -LogName parameter in order to specify the System log.
The -EntryType parameter filters events to show only errors.

Get events from an event log by InstanceId or Source value:
Get-EventLog -LogName System -InstanceId 10016 -Source DCOM
The Get-EventLog cmdlet uses a -LogName parameter in order to specify the System log.
The -InstanceId parameter selects events with the specified instance ID. The -Source parameter specifies the event source.

Get events from multiple computers:
Get-EventLog -LogName System -ComputerName ITPROTV01, ITPROTV02, ITPROTV03
The Get-EventLog cmdlet uses a -LogName parameter in order to specify the System log.
The -ComputerName parameter takes a comma-separated list of the computers from which you want the event logs to be obtained.

Get all events that include a particular word in the message:
Get-EventLog -LogName System -Message *description*
The Get-EventLog cmdlet uses a -LogName parameter in order to specify the System log.
The -Message parameter specifies the word to search for in each event’s message field.
NOTE: It is possible for the word given to the -Message parameter to be present in the message's contents but not shown in the PowerShell console, because the console truncates long Message values in the default table view.

Display the property values for an event:
$A = Get-EventLog -LogName System -Newest 1
$A | Select-Object -Property *
The Get-EventLog cmdlet uses a -LogName parameter in order to specify the System log.
The -Newest parameter selects the single most recent event object. The object is stored in the $A variable.
The $A variable contains the object, and it is passed down the pipeline to the Select-Object cmdlet. Select-Object uses the -Property parameter with an asterisk ("*") to select all of the object's properties.

Use an event ID and source to get events from an event log:
Get-EventLog -LogName "Windows PowerShell" -Source PowerShell | Where-Object { $_.EventID -eq 600 } | Select-Object -Property TimeGenerated, Source, EventID, Message
The Get-EventLog cmdlet uses a parameter called -LogName to specify the Windows PowerShell event log.
The -Source parameter specifies PowerShell's application name.
The objects are sent through the pipeline to the Where-Object cmdlet. The Where-Object cmdlet uses $_.EventID for each object in the pipeline to compare the EventID property with the specified value.
The objects are sent to the Select-Object cmdlet via the pipeline.
Select-Object uses -Property to select the properties to display in the PowerShell console.

Get events and group them by a property:
Get-EventLog -LogName System -Newest 1000 | Group-Object -Property UserName -NoElement
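As an added example that is not from the original post: a function that wires the -LogName, -Newest, -EntryType, -Message and -ComputerName parameters covered above into one report, groups the result by Source and EntryType with the same Group-Object/Sort-Object pattern, and warns rather than aborts when a remote computer cannot be read. It assumes Windows PowerShell 5.1 (Get-EventLog is not available in PowerShell 6 and later); the function name Get-EventLogSummary and its parameter names are assumptions.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1
# (Get-EventLog is not in PowerShell 6+); function and parameter names are hypothetical.
function Get-EventLogSummary {
    [CmdletBinding()]
    param(
        [string]   $LogName      = 'System',
        [int]      $Newest       = 1000,
        [ValidateSet('Error', 'Warning', 'Information', 'SuccessAudit', 'FailureAudit')]
        [string[]] $EntryType    = @('Error', 'Warning'),
        [string]   $MessageMatch = '',                    # wildcard, e.g. '*failed*'
        [string[]] $ComputerName = @($env:COMPUTERNAME)
    )
    foreach ($computer in $ComputerName) {
        # Build the Get-EventLog call from the same parameters the post walks through
        $params = @{
            LogName      = $LogName
            Newest       = $Newest
            EntryType    = $EntryType
            ComputerName = $computer
            ErrorAction  = 'Stop'   # make an unreachable host a catchable exception
        }
        if ($MessageMatch) { $params['Message'] = $MessageMatch }
        try {
            $events = Get-EventLog @params
        }
        catch {
            Write-Warning "Could not read '$LogName' on ${computer}: $($_.Exception.Message)"
            continue
        }

        # Same Group-Object / Sort-Object pattern as the post, keyed on Source and EntryType.
        # Group-Object exposes the grouping values in .Values, so no string splitting is needed.
        $events |
            Group-Object -Property Source, EntryType -NoElement |
            Sort-Object -Property Count -Descending |
            ForEach-Object {
                [pscustomobject]@{
                    ComputerName = $computer
                    Source       = $_.Values[0]
                    EntryType    = $_.Values[1]
                    Count        = $_.Count
                }
            }
    }
}

# The ten noisiest error/warning sources in the local System log
Get-EventLogSummary -Newest 2000 | Select-Object -First 10 | Format-Table -AutoSize
```

Pass -ComputerName with several names to build the same table across hosts; a host that refuses the remote registry connection produces a warning and the loop continues with the next one.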