PowerShell one-liner: Get eventlog

Use PowerShell one-liners to get event log details quickly and easily. In this article you will find several useful examples that will help you with daily operational tasks.

Get-Eventlog

The Get-EventLog cmdlet actually serves two purposes: it enables you to manage your event logs, and it also enables you to get at the events contained within those event logs. Keep in mind that it only reads the classic logs (Application, System, Security and similar) and that it exists only in Windows PowerShell 5.1; it was removed from PowerShell 6 and later, where Get-WinEvent (covered below) is the replacement.

To list the available log names we just have to use the -List parameter:

# Get all lognames details and properties
Get-Eventlog -List

# Get "System" log details and properties
Get-EventLog -List | Where-Object {$_.logdisplayname -eq "System"}

Now that we know our log names we can read them using the command's parameters:

Get-EventLog -LogName System
Get-EventLog -LogName Application -Newest 3
Get-EventLog -LogName System -Newest 3 | Format-List
Get-EventLog -LogName System -Newest 3 | Select-Object *
Get-EventLog -LogName System -Source Disk
Get-EventLog -LogName System -Source NetLogon -Newest 3 | Out-GridView

During daily tasks we often need to specify a time frame when searching for a specific log entry. Note that a date given as a string such as "09/28/2017" is parsed using the culture of the session (month/day/year on an en-US system); building the date with Get-Date instead avoids surprises on servers with a different locale. To restrict the time frame we can use the following examples:

# Time frame and entry type
Get-EventLog -LogName System -After "09/28/2017" -Before "10/28/2017" 
Get-EventLog -LogName System -After "09/28/2017" -Before "10/28/2017" -EntryType Error
Get-EventLog -LogName System -After "09/28/2017" -Before "10/28/2017" | Where-Object {$_.EntryType -like 'Error' -or $_.EntryType -like 'Warning'} 

# Last 1 hour
Get-EventLog -LogName Application | Where-Object { $_.TimeGenerated -gt ((Get-Date).AddHours(-1)) }

Using Where-Object you can search for a specific event ID:

Get-EventLog -LogName "Windows PowerShell" | Where-Object {$_.EventID -eq 403} 
Get-EventLog -LogName Application -Source MSIInstaller | Where-Object {$_.EventID -eq '1034'} 
Get-EventLog -LogName System -Newest 100 | Where-Object {$_.EventId -eq 6006} | Select-Object -first 5

A great thing about the Get-EventLog command is that it can also scan remote machines:

Get-EventLog -ComputerName DC01 -LogName System -Source Disk
Get-EventLog -ComputerName DC01,DC02,DC03 -LogName System -Source Disk | Format-Table -Wrap -AutoSize
Get-EventLog -ComputerName (Get-Content -path "c:\temp\servers.txt") -LogName System -Source Disk | select-object -first 1 | Out-GridView -Title "Scan results"
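When the server list is long, one unreachable host should not abort the whole run, and the raw entries are easier to act on once they are counted per host. Below is an added example, not code from the original article, that wraps the remote Get-EventLog call in a function with error handling and produces a triage table. The server names are assumed; the event IDs are the usual reboot-related ones in the System log (6008 unexpected shutdown, 41 Kernel-Power, 1074 process-initiated restart).

```powershell
# Added example (not from the original article): query a list of servers for a set of
# System event IDs, keep going when a host is unreachable, and summarise what came back.
# Server names are assumed; use (Get-Content C:\temp\servers.txt) for a real list.
function Get-RemoteEventSummary {
    param(
        [string[]]$ComputerName,
        [string]$LogName  = 'System',
        [int[]]$EventId   = @(6008, 41, 1074),   # unexpected shutdown, Kernel-Power, user-initiated restart
        [datetime]$After  = (Get-Date).AddDays(-7)
    )
    foreach ($computer in $ComputerName) {
        try {
            # -ErrorAction Stop turns RPC / access-denied failures into catchable exceptions
            Get-EventLog -ComputerName $computer -LogName $LogName -After $After -ErrorAction Stop |
                Where-Object { $_.EventID -in $EventId } |
                Select-Object MachineName, TimeGenerated, EventID, EntryType, Source, Message
        }
        catch {
            # Report the failed host and move on to the next one
            Write-Warning "$computer : $($_.Exception.Message)"
        }
    }
}

$events = Get-RemoteEventSummary -ComputerName 'DC01', 'DC02', 'DC03'   # assumed names

# Count per host and event ID, plus the most recent occurrence of each, for quick triage
$events | Group-Object MachineName, EventID |
    Select-Object Count, Name,
        @{ n = 'Latest'; e = { ($_.Group | Sort-Object TimeGenerated -Descending)[0].TimeGenerated } } |
    Sort-Object Name |
    Format-Table -AutoSize
```

Filtering on EventID happens on the client side because Get-EventLog has no ID filter of its own (-InstanceId matches the full instance ID, which does not always equal the displayed EventID), so the -After parameter is what keeps the amount of data pulled from each server reasonable.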

Get-WinEvent

Apart from the Get-EventLog command you can also use Get-WinEvent.

The Get-WinEvent cmdlet gets events from event logs, including classic logs, such as the System and Application logs, and the event logs that are generated by the Windows Event Log technology introduced in Windows Vista. It also gets events in log files generated by Event Tracing for Windows (ETW).

You can list all the providers that write to a given log on your local computer:

#Get Application event log providers
(Get-WinEvent -ListLog Application).providernames

#Get Application event log providers where name match "WMI"
(Get-WinEvent -ListLog Application).providernames | Where-Object {$_ -like "*WMI*"}

#Get the events defined by provider "Microsoft-Windows-WMI" and format them as a table
(Get-WinEvent -ListProvider "Microsoft-Windows-WMI").events | Format-Table id, description -auto

Below you can find another useful example: how to find the first 5 events about reboots (event ID 1074, logged when a process initiates a shutdown or restart). This time -FilterHashtable has been used to provide the log name and ID:

Get-WinEvent -FilterHashtable @{logname='System'; id=1074} | Select-Object timecreated,message -First 5 | Out-GridView

You can also use Invoke-Command to scan remote servers for a specific event ID. In this example we check failed logon events for user pawel.janowicz and scan only events from the last 24 hours, (Get-Date).AddDays(-1).

EventID 4625: An account failed to log on.

# Using -Computername parameter
Get-WinEvent -ComputerName DC01 -FilterHashtable @{ LogName = "Security"; ID = 4625; StartTime = (Get-Date).AddDays(-1) } | Where-Object { $_.Message -like "*pawel.janowicz*" }

# Using invoke command
Invoke-Command -ComputerName DC01 -ScriptBlock { Get-WinEvent -FilterHashtable @{ LogName = "Security"; ID = 4625; StartTime = (Get-Date).AddDays(-1) } | Where-Object { $_.Message -like "*pawel.janowicz*" } }
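Matching on the Message text works, but it also hits any 4625 whose text merely mentions the string (for example in the caller or workstation fields), and it gives you nothing structured to pivot on. Every field of a 4625 is available as a named element in the event XML. The following is an added example, not code from the original article: it reads TargetUserName, IpAddress, LogonType and SubStatus from the XML, answers the original question for pawel.janowicz, and then turns the same data around to show which source addresses are failing against many accounts, which is the password-spraying pattern. DC01 and the account name are assumed values, and the run needs read access to the remote Security log.

```powershell
# Added example (not from the original article): pull 4625 events from DC01 for the last
# 24 hours, read the fields from the event XML instead of pattern-matching Message,
# and summarise failures per account and per source address.
$target = 'pawel.janowicz'   # assumed account to look for
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) }

$failures = Get-WinEvent -ComputerName DC01 -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Every EventData field is a <Data Name="..."> element; build a name -> value table
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Computer    = $_.MachineName
            Account     = $data['TargetUserName']
            Domain      = $data['TargetDomainName']
            LogonType   = $data['LogonType']      # 3 = network, 10 = RDP, 2 = interactive
            SourceIP    = $data['IpAddress']
            Workstation = $data['WorkstationName']
            # 0xC000006A = wrong password, 0xC0000064 = no such account, 0xC0000234 = locked out
            SubStatus   = $data['SubStatus']
        }
    }

# The original question: failed logons for one account, oldest first
$failures | Where-Object { $_.Account -eq $target } |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, SourceIP, Workstation, LogonType, SubStatus -AutoSize

# Same data, a different question: one source address hitting many distinct accounts
# in a short window is what password spraying looks like in this log
$failures | Group-Object SourceIP |
    Select-Object Name, Count,
        @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique).Count } } |
    Sort-Object Accounts -Descending |
    Format-Table -AutoSize
```

The SubStatus column is worth keeping: a burst of 0xC0000064 (unknown account) from one address is enumeration, while 0xC000006A across many valid accounts is spraying, and the Message text alone does not make that distinction obvious.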

It is also possible to scan a custom event log, in this case the ADFS one. In Where-Object you can specify multiple event IDs and a time frame for scanning:

# Read at most 10000 events and keep those with event ID 247
Get-WinEvent -ProviderName 'ADFS' -MaxEvents 10000 | Where-Object { $_.ID -eq 247 }

# Multiple event IDs and time frame. Note that -and binds tighter than -or, so a chain of
# "-eq ... -or -eq ... -and TimeCreated" would apply the time test to the last ID only;
# -in keeps the ID test in one expression so the time test applies to all of them.
Get-WinEvent -ProviderName 'ADFS' | Where-Object { ($_.ID -in 246, 247, 305, 306) -and ($_.TimeCreated -gt (Get-Date).AddHours(-8)) }
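Where-Object filtering pulls every event of the provider across the wire (or off the disk) and discards most of them afterwards. -FilterHashtable accepts an array for the ID key and StartTime/EndTime keys, so the same selection can be done inside the event log service. Here is an added example, not code from the original article, that applies that to the ADFS IDs above and summarises the result per ID; the provider name is the one used in this article, and the IDs are taken as given without assuming what each one means.

```powershell
# Added example (not from the original article): the same ADFS selection with
# -FilterHashtable, which filters on the server side, then one summary row per event ID.
$filter = @{
    ProviderName = 'ADFS'                   # provider name as used in this article
    Id           = @(246, 247, 305, 306)    # an array matches any of the listed IDs
    StartTime    = (Get-Date).AddHours(-8)
    EndTime      = Get-Date
}
$adfs = Get-WinEvent -FilterHashtable $filter -MaxEvents 10000 -ErrorAction SilentlyContinue

# One row per event ID: how many, the level, and when it was first and last seen
$adfs | Group-Object Id | ForEach-Object {
    $sorted = $_.Group | Sort-Object TimeCreated
    [pscustomobject]@{
        Id        = $_.Name
        Count     = $_.Count
        Level     = $sorted[0].LevelDisplayName
        FirstSeen = $sorted[0].TimeCreated
        LastSeen  = $sorted[-1].TimeCreated
    }
} | Sort-Object Count -Descending | Format-Table -AutoSize
```

-ErrorAction SilentlyContinue is there because Get-WinEvent reports "No events were found" as an error when the filter matches nothing; with it, an empty result simply produces an empty table.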

I hope that this was informative for you 🙂 See you in next articles.
