
PowerShell – How to get Windows Event Log details?

Getting Event Log details on a Windows operating system is easy with PowerShell, which provides dedicated cmdlets for working with Windows Event Logs. In this article, we will discuss how to retrieve Event Log details with PowerShell.

The Get-EventLog cmdlet

This cmdlet retrieves Event Log details. Windows keeps its log entries in separate logs, named Application, Security, System and so on; we can view the entries of each of these logs using this cmdlet.

If you run the cmdlet without any parameters, it prompts you for the LogName from which the entries should be displayed. Enter one of the log names (System, Security, etc.) as the LogName to display that log's entries:

PS C:\PowerShell> Get-EventLog

cmdlet Get-EventLog at command pipeline position 1
Supply values for the following parameters:
LogName: System

The above command displays all the Event Log entries from the given LogName. LogName is mandatory to fetch Event Log details. To avoid the prompt, pass the log name through the "LogName" parameter, like below:

PS C:\PowerShell> Get-EventLog -LogName System

By default, the Get-EventLog cmdlet displays all the entries from the given log. For each entry it shows Index (the log index), Time (the date and time when the entry was logged), EntryType (whether the entry is a Warning, an Error, Information, a Success Audit or a Failure Audit), Source (the source of the entry), InstanceID (the instance ID) and Message (the logged message).

When every entry is displayed, it is difficult to find the one we are looking for. Instead, we can apply filters so that only the entries matching our search criteria are shown. PowerShell supports this through parameters of the cmdlet. Here are some of the filters we can apply to narrow the output to the entries we are interested in.

Display newest log entries

With the "Newest" parameter we can display the most recent entries from the given log. It takes an integer value; for example, to display the newest 10 entries, pass 10 as the value of the "Newest" parameter.

PS C:\PowerShell> Get-EventLog -LogName System -Newest 10

Display Error entries ONLY

Entries in the Event Log are of different types: Error entries, Information entries, Warnings and so on. The cmdlet has an "EntryType" parameter to which we can pass the type of entry we are looking for, such as Error, Information or Warning.

PS C:\PowerShell> Get-EventLog -LogName Application -EntryType Error

Display both Warnings and Errors

"EntryType" also accepts multiple values, separated by a comma (","). The command below displays both Warnings and Errors:

PS C:\PowerShell> Get-EventLog -LogName Application -EntryType "Error", "Warning"

Display the logged entries which are entered within the time frame

Most of the time we search the Event Log for events generated within a given time frame. The cmdlet provides the "Before" and "After" parameters, through which we can specify the time frame so that only the entries logged within it are fetched. Here is an example:

PS C:\PowerShell> Get-EventLog -LogName System -EntryType Error -Before "2019/01/21" -After "2019/01/20"
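The filters above combine naturally into a small reusable function. The following is an added example, not code from the original article: it fetches Error and Warning entries from one log inside a time window and summarises them by Source, so a noisy component stands out instead of being buried in hundreds of rows. The function name, parameter names and default one-day window are assumptions made for this example. It requires Windows PowerShell; Get-EventLog is not available in PowerShell 7, where Get-WinEvent is used instead.

```powershell
# Added example (not from the original article): summarise Error and Warning
# entries from one classic Event Log inside a time window, grouped by Source.
# Requires Windows PowerShell 5.1 or earlier (Get-EventLog is absent in PowerShell 7).
function Get-RecentEventSummary {
    param(
        [Parameter(Mandatory)][string]$LogName,             # e.g. System, Application
        [datetime]$After     = (Get-Date).AddDays(-1),       # assumed default: last 24 hours
        [datetime]$Before    = (Get-Date),
        [string[]]$EntryType = @('Error', 'Warning')         # same values the article passes
    )

    # Let the cmdlet do the filtering: log, entry types and the time window.
    $events = Get-EventLog -LogName $LogName -EntryType $EntryType -After $After -Before $Before

    # Group by Source so the component generating the most errors is listed first,
    # and show when each source last logged an entry in the window.
    $events |
        Group-Object -Property Source |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Count, Name,
            @{ Name = 'Newest'; Expression = {
                ($_.Group | Sort-Object -Property TimeGenerated -Descending |
                    Select-Object -First 1).TimeGenerated } }
}

# Usage: errors and warnings in the System log over the last 24 hours, noisiest source first.
Get-RecentEventSummary -LogName System | Format-Table -AutoSize

# Usage: the same summary for a fixed window, using the dates from the article's example.
Get-RecentEventSummary -LogName Application -After '2019/01/20' -Before '2019/01/21' |
    Format-Table -AutoSize
```

Filtering with the cmdlet's own parameters rather than piping every entry through Where-Object matters on busy logs: the cmdlet only returns the entries that match, which keeps the call fast enough to run in a scheduled check.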

We will discuss more topics as we go.

[..] David.


4 thoughts on “PowerShell – How to get Windows Event Log details?”

  1. I want both then?
    -LogName "System","Application"

    Get-EventLog -ComputerName TXNMPETXD316327 -LogName "System","Application" -Source "*Error*" -EntryType "Warning","Error" -Newest 10

    does not work any suggestions?

  2. You have everything but the one command I needed.
    so when you do a Get-EventLog — you get a list of events. Often though you want to dive deeper into the event.
    i.e. “core memory error happened at…” You may want to know what happens after the “at”.

    To get this: when you see the events coming back you see an “Index” field. You can use that field to look up the full response.
    Get-EventLog -LogName System -Index 45228 | Format-Table -Wrap
    Replacing 45228 with the index of the event you want to look at.

    Woohoo you get the full entry.
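The two comments above raise related needs: querying more than one log in a single call, and reading the full text of one entry once its Index is known. The following is an added example, not code from the article or from the commenters. The LogName parameter of Get-EventLog accepts a single log name, so the first function loops over the requested logs and tags each entry with the log it came from; the second fetches one entry by its Index and shows the whole Message. The function names, parameters and defaults are assumptions made for this example; it requires Windows PowerShell, since Get-EventLog is not available in PowerShell 7.

```powershell
# Added example (not from the article or the comments). Get-EventLog's -LogName takes
# one log name, so several logs are queried by looping over them; an entry's full text
# is then retrieved by its Index. Requires Windows PowerShell (not PowerShell 7).
function Get-EventsFromLogs {
    param(
        [string[]]$LogName     = @('System', 'Application'),   # assumed defaults
        [string[]]$EntryType   = @('Error', 'Warning'),
        [int]$Newest           = 10,
        [string]$ComputerName  = $env:COMPUTERNAME           # local machine by default
    )

    foreach ($log in $LogName) {
        # EventLogEntry objects do not record which log they came from, so add a
        # calculated 'Log' column; Index alone is only unique within one log.
        Get-EventLog -ComputerName $ComputerName -LogName $log -EntryType $EntryType -Newest $Newest |
            Select-Object -Property @{ Name = 'Log'; Expression = { $log } },
                                    Index, TimeGenerated, EntryType, Source, InstanceId, Message
    }
}

function Get-FullEventEntry {
    param(
        [Parameter(Mandatory)][string]$LogName,   # needed because Index is per-log
        [Parameter(Mandatory)][int]$Index
    )
    # Format-List prints each property on its own line, so the complete Message is
    # visible instead of the truncated column that Format-Table shows by default.
    Get-EventLog -LogName $LogName -Index $Index |
        Format-List -Property TimeGenerated, EntryType, Source, EventID, InstanceId, Message
}

# Usage: the newest 10 errors and warnings from both logs, with the originating log shown.
Get-EventsFromLogs | Format-Table -AutoSize

# Usage: read the whole entry for one Index from the listing above (45228 is the
# index used in the comment; substitute the index of the entry you want).
Get-FullEventEntry -LogName System -Index 45228
```

Because Index values repeat across logs, always pair an Index with the log it was taken from; the 'Log' column emitted by the first function is there so the second call can be made without guessing.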

