In the Windows Event Viewer GUI, searching and filtering logs is convenient and easy: right-click the event log you need and select Find, or, for more options, right-click and choose Filter Current Log. The Filter window offers plenty of easy-to-use options. A few clicks, and your filter is done.

Reading Eventlog using PowerShell vs GUI

The GUI has some limitations compared to PowerShell, for example:

  • Using PowerShell is easier (yes, it is: you can write a filter that shows exactly what you need, whereas the GUI is limited to its checkboxes).
  • PowerShell's built-in expression features give your filter more power (Select-Object, -FilterXPath and other criteria).
  • You can use the cmdlet on Server Core installations, which have no GUI.
  • You can get the logs from multiple servers and aggregate them for reporting purposes.
  • And much more.
Eventlog Filter GUI

Reading Available EventLog Names using PowerShell

So let's start the fun with the basics. The main cmdlet we will use is Get-WinEvent.
The first question is which log name we need to read; the most common ones are Application, System and Security. If we need to see all the logs available on the system, we can run the following command.

Get-WinEvent -ListLog *
Get-WinEvent PowerShell Cmdlet

We can see four columns in the result above:

  • LogName: the name of the log; this is the value we pass to the cmdlet.
  • RecordCount: how many entries the log currently holds.
  • MaximumSizeInBytes: the maximum allowed size of the log, in bytes.
  • LogMode: defines what happens when the maximum log size is reached; there are three possible settings:
    • Circular: the oldest events are overwritten when the maximum size is reached.
    • AutoBackup: the log is archived when it is full and events are not overwritten.
    • Retain: events are not overwritten (you will need to clear the log manually).
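The four columns above are also the ones a defender checks when reviewing log retention: a Circular log with a small maximum size rolls over quickly and can lose events before they are collected. The following is an added example, not code from the original post; it lists the enabled logs that contain records, converts the size to megabytes, and flags Circular logs below a size threshold. The 20 MB threshold is an assumption chosen for illustration, not a Microsoft recommendation.

```powershell
# Added example (not from the original post): inventory the enabled logs and flag
# the ones whose retention settings are worth reviewing.
# The threshold below is an assumption chosen for illustration only.
$minimumSizeBytes = 20MB

Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.IsEnabled -and $_.RecordCount -gt 0 } |
    Select-Object LogName,
                  RecordCount,
                  @{ Name = 'MaximumSizeMB'; Expression = { [math]::Round($_.MaximumSizeInBytes / 1MB, 1) } },
                  LogMode,
                  @{ Name = 'ReviewRetention'; Expression = {
                      # Circular logs below the threshold overwrite old events quickly
                      $_.LogMode -eq 'Circular' -and $_.MaximumSizeInBytes -lt $minimumSizeBytes } } |
    Sort-Object RecordCount -Descending |
    Format-Table -AutoSize
```

-ErrorAction SilentlyContinue is there because some logs (for example debug or analytic channels) return an access error when listed without elevation; without it the pipeline stops with errors before reaching the filter.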

Reading Eventlog using PowerShell

So far, so good. Now we know how to get all the possible log names, and we need to dig a bit deeper and read the events stored in any of these logs. For this post, I will use the Application log.

To get all events stored in the Application log, use the following command.

Get-Winevent -logname Application
 Get-Winevent -logname Application output

This returns all the events in the Application log, and as you can see from the output, the following information (properties) is returned.
Pay attention to these properties, as they will also be used in the upcoming filters.

  • Message: the event description details.
  • LevelDisplayName: the level of the event, which holds one of the following values:
    • Information
    • Warning
    • Error
    • Critical
  • Id: the event ID.
  • TimeCreated: when the event happened.

We can also use the optional -MaxEvents parameter to set the maximum number of results to return. This information is a good starting point, so let's try a basic filter and get all the events from yesterday until now.

$logdate = (Get-Date).AddDays(-1)
Get-WinEvent -LogName Application | Where-Object { $_.TimeCreated -gt $logdate }

Filtering the Result using a Where Clause

I used the Where statement to filter the output and show only the events whose TimeCreated property is greater than (-gt) yesterday's date (the $logdate variable). The result looks like the first one, but this time it only lists the events dated from yesterday until now. This is good, but what if I want to show only the Warning events that happened since yesterday?

We need to add LevelDisplayName to the Where filter and combine the two conditions with the -and operator.

$logdate = (Get-Date).AddDays(-1)
Get-WinEvent -LogName Application | Where-Object { ($_.TimeCreated -gt $logdate) -and ($_.LevelDisplayName -like "Warning") }
Command Result

I won't go into many details about the Where statement, but if you are totally new to PowerShell, you can read more about Where-Object here. In this example, I used two filters:

  • ($_.TimeCreated -gt $logdate): returns the events dated greater than (-gt) the $logdate variable.
  • ($_.LevelDisplayName -like "Warning"): the level of the event is Warning.
  • -and: both filters must be true for an event to be returned. In plain words, I am telling PowerShell to get me the events dated from yesterday until today and show only those with the level Warning.
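The Where-Object version above reads every event in the log into the pipeline and then discards most of them. The same filter can be handed to the event log service with -FilterHashtable, which is the form to reach for when the log is large or when collecting from several servers, as the introduction mentions. This is an added example, not code from the original post; the Level numbers (1 = Critical, 2 = Error, 3 = Warning, 4 = Information) are the real values the Level key expects, while SERVER01 and SERVER02 and the CSV path are placeholders.

```powershell
# Added example (not from the original post): the post's filter rewritten with
# -FilterHashtable so the event log service does the filtering, then the same
# filter run against several servers and aggregated into one CSV.
$logdate = (Get-Date).AddDays(-1)

$filter = @{
    LogName   = 'Application'
    Level     = 3            # Warning only; use 1, 2, 3 for Critical, Error and Warning
    StartTime = $logdate     # equivalent to ($_.TimeCreated -gt $logdate)
}

# Local machine: equivalent to the Where-Object filter, capped with -MaxEvents
Get-WinEvent -FilterHashtable $filter -MaxEvents 50 |
    Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message

# Several servers aggregated for reporting. The names are placeholders (assumption);
# reading a remote log needs rights on the target and the Remote Event Log
# Management firewall rules enabled there.
$servers = 'SERVER01', 'SERVER02'
$results = foreach ($server in $servers) {
    try {
        Get-WinEvent -ComputerName $server -FilterHashtable $filter -ErrorAction Stop |
            Select-Object @{ Name = 'Computer'; Expression = { $server } },
                          TimeCreated, Id, LevelDisplayName, ProviderName, Message
    }
    catch {
        # Covers both unreachable hosts and the "no events found" case
        Write-Warning "Nothing collected from ${server}: $($_.Exception.Message)"
    }
}

$results | Export-Csv -Path .\ApplicationWarnings.csv -NoTypeInformation
```

Two details worth knowing: -like "Warning" in the original filter contains no wildcard, so it behaves like -eq; and Get-WinEvent raises an error rather than returning nothing when no event matches the hashtable, which is why the remote loop catches it per server instead of letting one quiet host stop the whole collection.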

Conclusion

This was a quick tour of reading the Windows event log with PowerShell and how simple it is.
