Get-WinEvent PowerShell command

Get-WinEvent | Taking on PowerShell one cmdlet at a time | Weekly Blog

Share this post:

This is a part of an on-going blog series written by Adam Gordon. Each week, Adam will walk you through a PowerShell command, showing you when and how to use each one. This week, Adam covers Get-WinEvent. 

When to use Get-WinEvent

The Get-WinEvent cmdlet gets events from event logs, including classic logs, such as the System and Application logs. By default, Get-WinEvent returns event information in the order of newest to oldest.

Get-WinEvent lists event logs and event log providers. Get-WinEvent allows you to filter events using XPath queries, structured XML queries, and hash table queries.

If you are not running PowerShell as an Administrator, you might see error messages that you cannot retrieve information about a log.

How to use Get-WinEvent

Get all the logs from a local computer:

Get-WinEvent -ListLog *

Logs are listed in the order that Get-WinEvent gets them.

Classic logs are retrieved first, followed by the new Windows Event logs.

It’s possible for a log’s RecordCount to be null, which is blank, or zero.

Get-WinEvent PowerShell Command

 

Get event logs from multiple servers:


$S = 'Server01', 'Server02', 'Server03'
ForEach ($Server in $S) {
  Get-WinEvent -ListLog Application -ComputerName $Server |
    Select-Object LogMode, MaximumSizeInBytes, RecordCount, LogName,
      @{name='ComputerName'; expression={$Server}} |
    Format-Table -AutoSize
}

The variable $S stores the names of the three servers: Server01, Server02, and Server03.

The ForEach statement uses a loop to process each server, ($Server in $S).

The script block in the curly braces ({ }) runs the Get-WinEvent command.

The –ListLog parameter specifies the Application log. The –ComputerName parameter uses the variable $Server to get log information from each server.

The objects are sent down the pipeline to the Select-Object cmdlet. Select-Object gets the properties LogMode, MaximumSizeInBytes, RecordCount, LogName, and uses a calculated expression to display the ComputerName using the $Server variable.

The objects are sent down the pipeline to the Format-Table cmdlet to display the output in the PowerShell console. The –AutoSize parameter formats the output to fit the screen.

 

Get all event log providers that write to a specific log:

(Get-WinEvent -ListLog Application).ProviderNames

The –ListLog parameter uses Application to get objects for that log.

ProviderNames is a property of the object and displays the providers that write to the Application log.

Get-WinEvent PowerShell Command how to

 

Get Event Ids that the event provider generates:

(Get-WinEvent -ListProvider Microsoft-Windows-GroupPolicy).Events | Format-Table Id, Description

The –ListProvider parameter specifies the provider, Microsoft-Windows-GroupPolicy.

The expression is wrapped in parentheses and uses the Events property to get objects.

The objects are sent down the pipeline to the Format-Table cmdlet. Format-Table displays the Id and Description of the event objects.

Get-WinEvent powershell command

 

Get error events that have a specified string in their name:

Get-WinEvent -LogName *PowerShell*, Microsoft-Windows-Kernel-WHEA* | Group-Object -Property LevelDisplayName, LogName -NoElement | Format-Table -AutoSize

The –LogName parameter uses a comma-separated string with the asterisk (*) wildcard to specify the log names.

The objects are sent down the pipeline to the Group-Object cmdlet. Group-Object uses the –Property parameter to group the objects by LevelDisplayName and LogName.

The –NoElement parameter removes other properties from the output.

The grouped objects are sent down the pipeline to the Format-Table cmdlet.

Format-Table uses the –AutoSize parameter to format the columns.

The Count column contains the total number of each event. The Name column contains the grouped LevelDisplayName and LogName.

Get-WinEvent powershell command

 

Use FilterHashtable to get events from the Application log:

$Date = (Get-Date).AddDays(-2)

Get-WinEvent -FilterHashtable @{ LogName=’Application’; StartTime=$Date; Id=’1003′ }

The Get-Date cmdlet uses the AddDays method to get a date that is two days before the current date. The date object is stored in the $Date variable.

The –FilterHashtable parameter is used to filter the output.

The LogName key specifies the value as the Application log.

The StartTime key uses the value stored in the $Date variable. The Id key uses an Event Id value, 1003.

Get-WinEvent powershell command

Need PowerShell training? Check out ITProTV’s PowerShell online IT training courses.

Leave a Reply

Your email address will not be published. Required fields are marked *