How to check Windows Event Logs with PowerShell (Get-EventLog)

Windows Event logs is one of the first tools an admin uses to analyze problems and to see where does an issue come from. But it is not the only way you can use logged events. In this article, I will show you how to use PowerShell and Get-EventLog to perform some Event Log magic. But first, a few words about the logs in general.

How to check event logs with Powershell (get-eventlog)

Event logging in Windows

First, there are two ways to access the events logged in Windows – through the Event Viewer and using the Get-EventLog / Get-WinEvent cmdlets. The Event Viewer is an intuitive tool which lets you find all the required info, provided you know what to look for. Searching the logs using the PowerShell has a certain advantage, though – you can check events on the local or remote computers much quicker using the console. It is an invaluable asset if you think about server health monitoring. PowerShell lets you generate automatic reports about the most important events to read while drinking your morning coffee.

Get-WinEvent vs Get-EventLog

You might wonder what is the difference between Get-WinEvent and Get-EventLog. Get-WinEvent is a newer version of Get-EventLog. The cmdlets work in a similar manner, and Get-EventLog does the trick in most cases. According to a TechNet source, the main difference is that Get-WinEvent works with “the Windows Event Log technology introduced in Windows Vista.” To get a clearer explanation, you can use two simple cmdlets:

Get-EventLog -list

Get-WinEvent -ListLog * | where {$_.RecordCount -gt 0}

As you can see, Get-WinEvent is a clear winner when it comes to the amount of data it can access.

Mind that some attributes’ names are different in those two cmdlets, so you might need to do some translating if you want to use the syntax of Get-WinEvent with the Get-EventLog cmdlet. If you want to know how to filter the results, simply pipe the cmdlet to Get-Member:

Get-EventLog application -newest 1 | Get-Member

Although Get-EventLog is a “legacy cmdlet,” it still works like a charm in most diagnostic cases. It also has one clear advantage: you can use the -After and –Before attributes to filter results by date. Thanks to that, date-related queries are much quicker than piping all results and trying to sift through them.

Before you start searching through the logs for specific events, it is a good idea to get to know the structure and get the general idea of how the logging mechanism works. The Event Viewer is the right tool to get you started on that.

The Event Viewer

The amount of logging information can be overwhelming. It means that data filtering is your priority. In order to get acquainted with the structure, you can either use the Event Viewer.

The quickest way to start the Event viewer is to use the Win+R key combination and executing eventvwr:

Run event viewer through the run console

This action will open the Event Viewer:

The Event Viewer

The tree on the left lets you browse through all Event Viewer’s entries. The most used logs are Application, System, and Security.

Use PowerShell to diagnose problems on multiple computers

The biggest challenge of setting up the Get-EventLog or Get-WinEvent cmdlets is to filter results. First, you have to know what to look for, next – you have to make sure that your query does not cause the PowerShell console to throw a fit. One way to run diagnostics is to use the script below:

$servers = Get-TransportService;
foreach ($server in $servers);
{Write-Host "Scanning the event log of: " -NoNewLine; Write-Host $server;
Get-EventLog system -After (Get-Date).AddHours(-12) | where {($_.EntryType -Match "Error") -or ($_.EntryType -Match "Warning")} | ft  -wrap >> "C:/$server.csv";
Get-EventLog application -After (Get-Date).AddHours(-12) | where {($_.EntryType -Match "Error") -or ($_.EntryType -Match "Warning")} | ft  -wrap >> "C:/$server.csv"}

The script pulls information about all Error and Warning kinds of events generated in the last 12 hours in System and Application logs for a list of servers. You can replace the Get-TransportService cmdlet with another list of machines you want to diagnose.

Checking login and logoff time with PowerShell

There are quite a few ways to check when a certain machine was turned on. If you simply need to check when was the first time a user logged in on a specific date, use the following cmdlet:

Get-EventLog system -after (get-date).AddDays(-1) | where {$_.InstanceId -eq 7001}

To learn when the computer was turned on a specific date, you can select the first logged event:

$today = get-date -Hour 0 -Minute 0;
Get-EventLog system -after $today | sort -Descending | select -First 1

Those cmdlets; however, will not work if you want to monitor the usage of a shared computer.

You could scan through the security events, looking for 4624 (logon) and 4625 (logoff) event IDs. However, the security log usually holds the greatest number of records and going through it can be extremely time-consuming. Fortunately, the system log also stores logon and logoff data and specifying the exact source of the log entry allows a relatively quick search. The script below returns a list of logon and logoff events on the target computer with their exact times and users for the last seven days.

$logs = get-eventlog system -ComputerName <name of the monitored computer> -source Microsoft-Windows-Winlogon -After (Get-Date).AddDays(-7);
$res = @(); ForEach ($log in $logs) {if($log.instanceid -eq 7001) {$type = "Logon"} Elseif ($log.instanceid -eq 7002){$type="Logoff"} Else {Continue} $res += New-Object PSObject -Property @{Time = $log.TimeWritten; "Event" = $type; User = (New-Object System.Security.Principal.SecurityIdentifier $Log.ReplacementStrings[1]).Translate([System.Security.Principal.NTAccount])}};
$res

Result:

Logon and logoff dates PowerShell

If you need more detailed results, you could add the Security log events IDs 4800 and 4801 for lock and unlock events. Mind that this will require you to run another Get-EventLog script to get info from the Security log. It will also significantly increase the time your PowerShell console will need to finish the task.

Further Reading:

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

*

*