Get-EventLog | Taking on PowerShell one cmdlet at a time | Weekly Blog

This is part of an ongoing blog series written by Adam Gordon. Each week, Adam will walk you through a PowerShell command, showing you when and how to use each one. This week, Adam covers Get-EventLog.

When to use Get-EventLog

The Get-EventLog cmdlet gets events and event logs from local and remote computers. To get logs from remote computers, use the -ComputerName parameter.

You can use the Get-EventLog parameters and property values to search for events. The cmdlet gets events that match the specified property values.

NOTE: PowerShell cmdlets that contain the EventLog noun work only on Windows classic event logs such as Application, System, or Security. To get logs that use the Windows Event Log technology in Windows Vista and later Windows versions, use Get-WinEvent. Get-EventLog also exists only in Windows PowerShell (5.1 and earlier); it was removed from PowerShell 6 and later, where Get-WinEvent is the replacement.

How to use Get-EventLog

Get event logs on the local computer:

Get-EventLog -List

The Get-EventLog cmdlet uses the -List parameter to display the available logs. The names in the Log column are the values you pass to the -LogName parameter to specify which log is searched for events.

Get recent entries from an event log on the local computer:

Get-EventLog -LogName System -Newest 5

The Get-EventLog cmdlet uses the -LogName parameter to specify the System event log.

The -Newest parameter returns the five most recent events.

Find all sources for a specific number of entries in an event log:

$Events = Get-EventLog -LogName System -Newest 1000

$Events | Group-Object -Property Source -NoElement | Sort-Object -Property Count -Descending

The Get-EventLog cmdlet uses the -LogName parameter to specify the System log.

The -Newest parameter selects the 1000 most recent events. The event objects are stored in the $Events variable. The $Events objects are sent down the pipeline to the Group-Object cmdlet.

Group-Object uses the -Property parameter to group the objects by source and counts the number of objects for each source. The -NoElement parameter removes the group members from the output.

The Sort-Object cmdlet uses the -Property parameter to sort by the count of each source name.

The -Descending parameter sorts the list in order by count from highest to lowest.

Get error events from a specific event log:

Get-EventLog -LogName System -EntryType Error

The Get-EventLog cmdlet uses the -LogName parameter to specify the System log.

The -EntryType parameter filters the events to show only Error events.

Get events from an event log with an InstanceId and Source value:

Get-EventLog -LogName System -InstanceId 10016 -Source DCOM

The Get-EventLog cmdlet uses the -LogName parameter to specify the System log.

The -InstanceId parameter selects the events with the specified instance ID, 10016. The -Source parameter restricts the results to events whose Source property is DCOM.

Get events from multiple computers:

Get-EventLog -LogName System -ComputerName ITPROTV01, ITPROTV02, ITPROTV03

The Get-EventLog cmdlet uses the -LogName parameter to specify the System log.

The -ComputerName parameter takes a comma-separated list of the computers from which you want to get the event logs.
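The following is an added example, not code from the original post, that extends the multiple-computer query above: it reads the newest Error events from each computer in turn so that one unreachable host does not abort the whole run. The function name and the computer names are my own placeholders. Note that -ComputerName uses the classic remote event log service (RPC), not PowerShell remoting, so a host that is reachable over WinRM may still refuse this call if that service or its firewall rules are off.

```powershell
# Added example (not part of the original post). Collects the newest Error
# events from the System log of each computer, reporting hosts that cannot
# be reached instead of stopping at the first failure.
function Get-RemoteSystemErrors {
    param(
        [Parameter(Mandatory)]
        [string[]] $ComputerName,        # one or more computer names
        [int] $Newest = 20               # events to return per computer
    )

    foreach ($computer in $ComputerName) {
        try {
            # -ErrorAction Stop turns a connection failure into a catchable exception
            Get-EventLog -LogName System -EntryType Error -Newest $Newest `
                         -ComputerName $computer -ErrorAction Stop |
                Select-Object -Property MachineName, TimeGenerated, Source, EventID, Message
        }
        catch {
            Write-Warning "Could not read the System log on '$computer': $($_.Exception.Message)"
        }
    }
}

# The computer names below are constructed placeholders.
Get-RemoteSystemErrors -ComputerName 'ITPROTV01', 'ITPROTV02' -Newest 10 |
    Format-Table -AutoSize -Wrap
```

MachineName is a property of every event object Get-EventLog returns, so it identifies the origin of each row without any extra bookkeeping; -Wrap keeps long messages readable in the console.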

Get all events that include a specific word in the message:

Get-EventLog -LogName System -Message *description*

The Get-EventLog cmdlet uses the -LogName parameter to specify the System log.

The -Message parameter specifies a word to search for in the message field of each event; the asterisks are wildcards that match any text before and after it.

NOTE: The default table output truncates the Message column, so the text that matched your -Message value may be present in the event but not visible in the PowerShell console. Pipe the results to Format-List to see the full message.

Display the property values of an event:

$A = Get-EventLog -LogName System -Newest 1

$A | Select-Object -Property *

The Get-EventLog cmdlet uses the -LogName parameter to specify the System log.

The -Newest parameter selects the most recent event object. The object is stored in the $A variable.

The object in the $A variable is sent down the pipeline to the Select-Object cmdlet. Select-Object uses the -Property parameter with an asterisk (*) to select all of the object's properties.

Get events from an event log using a source and event ID:

Get-EventLog -LogName "Windows PowerShell" -Source PowerShell | Where-Object {$_.EventID -eq 600} | Select-Object -Property Source, EventID, InstanceId, Message

The Get-EventLog cmdlet uses the -LogName parameter to specify the Windows PowerShell event log.

The -Source parameter specifies the application name, PowerShell.

The objects are sent down the pipeline to the Where-Object cmdlet. For each object in the pipeline, Where-Object uses the automatic variable $_ to compare the object's EventID property to the specified value, 600.

The objects are sent down the pipeline to the Select-Object cmdlet.

Select-Object uses the -Property parameter to select the properties to display in the PowerShell console.
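Building on the Windows PowerShell log query above, here is an added example (not from the original post) aimed at a defender's question: which host applications have been starting the PowerShell engine on this machine? Events 400 (engine state changed) and 600 (provider started) in that log carry a HostApplication= line in their message text, which the regex below extracts. The function name and its parameter are my own; the log covers Windows PowerShell 5.1 and earlier only, since PowerShell 7 logs elsewhere.

```powershell
# Added example (not part of the original post). Summarizes which host
# applications started the Windows PowerShell engine, using the engine
# lifecycle events (EventID 400 and 600) in the "Windows PowerShell" log.
function Get-PowerShellHostSummary {
    param(
        [datetime] $After = (Get-Date).AddDays(-7)   # look back one week by default
    )

    Get-EventLog -LogName 'Windows PowerShell' -Source PowerShell -After $After |
        Where-Object { $_.EventID -in 400, 600 } |
        ForEach-Object {
            # The Details block of these events is one "Name=Value" pair per line;
            # (?m) makes ^ and $ match at line boundaries inside the message.
            if ($_.Message -match '(?m)^\s*HostApplication=(.+?)\s*$') {
                [pscustomobject]@{
                    TimeGenerated   = $_.TimeGenerated
                    EventID         = $_.EventID
                    HostApplication = $Matches[1]
                }
            }
        } |
        Group-Object -Property HostApplication -NoElement |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Count, Name
}

Get-PowerShellHostSummary -After (Get-Date).AddDays(-1) | Format-Table -AutoSize -Wrap
```

The Name column is the full command line of each host, so an unfamiliar or unusually frequent entry is a natural starting point for a closer look at that host's events.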

Get events and group by a property:

Get-EventLog -LogName System -UserName NT* | Group-Object -Property UserName -NoElement | Select-Object -Property Count, Name

The Get-EventLog cmdlet uses the -LogName parameter to specify the System log.

The -UserName parameter includes the asterisk (*) wildcard to specify a portion of the user name.

The event objects are sent down the pipeline to the Group-Object cmdlet. Group-Object uses the -Property parameter to specify that the UserName property is used to group the objects and count the number of objects for each user name.

The -NoElement parameter removes the group members from the output. The objects are sent down the pipeline to the Select-Object cmdlet.

Select-Object uses the -Property parameter to select the properties to display in the PowerShell console.

Get events that occurred during a specific date and time range:

$Begin = Get-Date -Date '8/28/2019 08:00:00'

$End = Get-Date -Date '8/29/2019 17:00:00'

Get-EventLog -LogName System -EntryType Warning -After $Begin -Before $End

The Get-Date cmdlet uses the -Date parameter to specify a date and time.

The DateTime objects are stored in the $Begin and $End variables.

The Get-EventLog cmdlet uses the -LogName parameter to specify the System log.

The -EntryType parameter specifies the Warning event type.

The date and time range is set by the -After parameter and $Begin variable and the -Before parameter and $End variable.
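As an added example (not part of the original post) that goes beyond the page's System log case, the same -After/-Before window can be applied to the Security log to summarize failed logons (event 4625) per target account and source address, a basic check for password-guessing activity. Reading the Security log needs an elevated session. The function name is my own, and the ReplacementStrings positions are assumptions drawn from the documented 4625 field order; confirm them against an event on your own system before relying on the output.

```powershell
# Added example (not part of the original post). Counts failed logons
# (Security log event 4625) per account and source address inside a time
# window, reporting only pairs that exceed a threshold.
# ASSUMPTION: ReplacementStrings[5] is the target account name and
# ReplacementStrings[19] is the source network address for event 4625.
function Get-FailedLogonSummary {
    param(
        [datetime] $Begin = (Get-Date).AddHours(-24),   # default: last 24 hours
        [datetime] $End   = (Get-Date),
        [int] $Threshold  = 5                           # minimum failures to report
    )

    Get-EventLog -LogName Security -InstanceId 4625 -After $Begin -Before $End |
        ForEach-Object {
            [pscustomobject]@{
                Account = $_.ReplacementStrings[5]
                Source  = $_.ReplacementStrings[19]
            }
        } |
        Group-Object -Property Account, Source -NoElement |
        Where-Object { $_.Count -ge $Threshold } |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Count, Name
}

# Explicit window, same shape as the $Begin/$End pair used above.
$Begin = (Get-Date).AddHours(-12)
$End   = Get-Date
Get-FailedLogonSummary -Begin $Begin -End $End -Threshold 10 | Format-Table -AutoSize
```

ReplacementStrings holds the raw inserted values of an event, so grouping on them avoids parsing the localized message text; the Name column shows "account, source" for each pair that crossed the threshold.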

Need PowerShell training? Check out ITProTV’s PowerShell online IT training courses.
