How to check Windows Event Logs with PowerShell (Get-EventLog)

The Windows event log is one of the first tools an admin reaches for to analyze a problem and find out where an issue comes from. Troubleshooting is not the only use for logged events, though. In this article, I will show you how to use PowerShell and Get-EventLog to perform some Event Log magic. But first, a few words about the logs in general.


Event logging in Windows

There are two ways to access the events logged in Windows: through the Event Viewer, or with the Get-EventLog and Get-WinEvent cmdlets. The Event Viewer is an intuitive tool which lets you find all the required info, provided you know what to look for. Searching the logs with PowerShell has a certain advantage, though: you can check events on local or remote computers much more quickly from the console. That is an invaluable asset for server health monitoring, and PowerShell lets you generate automatic reports about the most important events to read over your morning coffee.

Get-WinEvent vs Get-EventLog

You might wonder what the difference between Get-WinEvent and Get-EventLog is. Get-WinEvent is the newer of the two. The cmdlets work in a similar manner, and Get-EventLog does the trick in most cases. According to a TechNet source, the main difference is that Get-WinEvent works with “the Windows Event Log technology introduced in Windows Vista.” To see the difference for yourself, compare the output of two simple cmdlets:

Get-EventLog -list

Get-WinEvent -ListLog * | where {$_.RecordCount -gt 0}

As you can see, Get-WinEvent is a clear winner when it comes to the amount of data it can access.

Mind that some attribute names differ between the two cmdlets, so you might need to do some translating if you want to reuse a Get-WinEvent query with Get-EventLog. To see which properties you can filter on, simply pipe the cmdlet to Get-Member:

Get-EventLog application -newest 1 | Get-Member

Although Get-EventLog is a “legacy cmdlet,” it still works like a charm in most diagnostic cases. It also has one clear advantage: you can use the -After and -Before parameters to filter results by date. Thanks to that, date-related queries are much quicker than pulling all results and sifting through them afterwards.

Before you start searching through the logs for specific events, it is a good idea to get to know the structure and get the general idea of how the logging mechanism works. The Event Viewer is the right tool to get you started on that.

The Event Viewer

The amount of logging information can be overwhelming, which means that filtering the data is your priority. To get acquainted with the structure of the logs, start with the Event Viewer.

The quickest way to start the Event Viewer is to press the Win+R key combination and run eventvwr:

[Screenshot: the Run dialog with eventvwr entered]

This action will open the Event Viewer:

[Screenshot: the Event Viewer window]

The tree on the left lets you browse through all Event Viewer’s entries. The most used logs are Application, System, and Security.

Use PowerShell to diagnose problems on multiple computers

The biggest challenge when using the Get-EventLog or Get-WinEvent cmdlets is filtering the results. First, you have to know what to look for; next, you have to make sure that your query does not make the PowerShell console throw a fit. One way to run diagnostics is the script below:

$servers = Get-TransportService
foreach ($server in $servers) {
    Write-Host "Scanning the event log of: " -NoNewline; Write-Host $server
    # Error and Warning entries from the last 12 hours, appended as a wrapped text table to one file per server
    Get-EventLog system -ComputerName $server -After (Get-Date).AddHours(-12) | Where-Object {($_.EntryType -match "Error") -or ($_.EntryType -match "Warning")} | Format-Table -Wrap >> "C:/$server.csv"
    Get-EventLog application -ComputerName $server -After (Get-Date).AddHours(-12) | Where-Object {($_.EntryType -match "Error") -or ($_.EntryType -match "Warning")} | Format-Table -Wrap >> "C:/$server.csv"
}

The script pulls information about all Error and Warning kinds of events generated in the last 12 hours in System and Application logs for a list of servers. You can replace the Get-TransportService cmdlet with another list of machines you want to diagnose.
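The same scan written with Get-WinEvent, as an added example that is not part of the original article: it reads the list of computers from a CSV file instead of Get-TransportService, translates the Get-EventLog filter (-After, EntryType) into the -FilterHashtable keys Get-WinEvent expects (StartTime, Level), and writes a real CSV with Export-Csv instead of a redirected Format-Table. The file paths C:\Temp\servers.csv and C:\Temp\<server>.csv are assumptions; the account running it needs remote event log access on the targets.

```powershell
# Added example (not from the original article): scan the System and Application
# logs of several computers for Error/Warning events from the last 12 hours and
# write one CSV per machine with Export-Csv.
# Assumptions: the computer names live in C:\Temp\servers.csv in a "Name" column
# (hypothetical path), and the caller may read the remote event logs.

$servers = (Import-Csv -Path 'C:\Temp\servers.csv').Name   # or: $servers = 'SRV01', 'SRV02'
$since   = (Get-Date).AddHours(-12)

# Get-WinEvent names things differently from Get-EventLog:
#   -After -> StartTime       EntryType "Error"/"Warning" -> Level 2 / 3
#   InstanceId -> Id          the log name is a hashtable key, not a positional argument
$filter = @{
    LogName   = 'System', 'Application'
    Level     = 2, 3            # 1 = Critical, 2 = Error, 3 = Warning, 4 = Information
    StartTime = $since
}

foreach ($server in $servers) {
    Write-Host "Scanning the event logs of: $server"
    try {
        # -ErrorAction Stop turns "no events found" and access errors into catchable exceptions
        $events = Get-WinEvent -ComputerName $server -FilterHashtable $filter -ErrorAction Stop
    }
    catch {
        Write-Warning "$server : $($_.Exception.Message)"
        continue
    }

    $events |
        Select-Object @{n = 'Computer'; e = { $server }}, TimeCreated, LogName, LevelDisplayName, Id, ProviderName,
                      @{n = 'Message'; e = { ($_.Message -split "`r?`n")[0] }} |   # first line of the message only
        Export-Csv -Path "C:\Temp\$server.csv" -NoTypeInformation -Encoding UTF8
}
```

Because each server gets its own file, Export-Csv can overwrite on every run; if you would rather collect everything in one file, add -Append to Export-Csv and delete the file before the loop.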

Checking login and logoff time with PowerShell

There are quite a few ways to check when a certain machine was turned on. If you simply need to check when a user first logged in on a specific date, use the following cmdlet:

Get-EventLog system -after (get-date).AddDays(-1) | where {$_.InstanceId -eq 7001}

To learn when the computer was turned on a specific date, you can select the first logged event:

$today = Get-Date -Hour 0 -Minute 0 -Second 0   # midnight of the current day
Get-EventLog system -After $today | Sort-Object TimeGenerated | Select-Object -First 1

Those cmdlets, however, will not work if you want to monitor the usage of a shared computer.

You could scan through the security events, looking for 4624 (logon) and 4625 (logoff) event IDs. However, the security log usually holds the greatest number of records and going through it can be extremely time-consuming. Fortunately, the system log also stores logon and logoff data and specifying the exact source of the log entry allows a relatively quick search. The script below returns a list of logon and logoff events on the target computer with their exact times and users for the last seven days.

$logs = Get-EventLog system -ComputerName "<name of the monitored computer>" -Source Microsoft-Windows-Winlogon -After (Get-Date).AddDays(-7)
$res = @()
foreach ($log in $logs) {
    if ($log.InstanceId -eq 7001) { $type = "Logon" }
    elseif ($log.InstanceId -eq 7002) { $type = "Logoff" }
    else { continue }
    # ReplacementStrings[1] holds the user's SID for 7001/7002; translate it to DOMAIN\user
    $res += New-Object PSObject -Property @{
        Time  = $log.TimeWritten
        Event = $type
        User  = (New-Object System.Security.Principal.SecurityIdentifier $log.ReplacementStrings[1]).Translate([System.Security.Principal.NTAccount])
    }
}
$res

Result:

[Screenshot: the resulting table of logon and logoff times]

If you need more detailed results, you could add the Security log event IDs 4800 and 4801 for lock and unlock events. Mind that this requires running another Get-EventLog query against the Security log, which will also significantly increase the time your PowerShell console needs to finish the task.
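One way to combine the Winlogon 7001/7002 events with the Security 4800/4801 lock and unlock events into a single timeline, as an added example that is not part of the original article: it uses Get-WinEvent with -FilterHashtable, so the Security log is filtered by the event log service rather than streamed through the pipeline, and reads the user fields by name from the event XML instead of relying on positional ReplacementStrings. The computer name WKS01 is an assumption; the caller needs read access to the remote Security log (local Administrators or the Event Log Readers group), and 4800/4801 are only recorded when the "Audit Other Logon/Logoff Events" subcategory is enabled.

```powershell
# Added example (not from the original article): one timeline of logon (7001),
# logoff (7002), lock (4800) and unlock (4801) events for the last 7 days.
# Assumptions: $computer is a hypothetical machine name; the caller can read its
# System and Security logs; "Audit Other Logon/Logoff Events" is enabled there.

$computer = 'WKS01'
$since    = (Get-Date).AddDays(-7)

# Read a named <Data> element from an event's XML instead of using positional indexes
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record, [string]$Name)
    $xml = [xml]$Record.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# -ErrorAction SilentlyContinue: "no events found" is reported as an error, not an empty result
$winlogon = Get-WinEvent -ComputerName $computer -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-Winlogon'; Id = 7001, 7002; StartTime = $since
}
$security = Get-WinEvent -ComputerName $computer -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4800, 4801; StartTime = $since
}

$timeline = @(
    foreach ($e in $winlogon) {
        # 7001/7002 carry only the user's SID (field "UserSid"); translate it to DOMAIN\user
        $sid  = Get-EventField $e 'UserSid'
        $type = if ($e.Id -eq 7001) { 'Logon' } else { 'Logoff' }
        try   { $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = $sid }   # orphaned or unresolvable SID: keep the raw value
        [PSCustomObject]@{ Time = $e.TimeCreated; Event = $type; User = $account }
    }
    foreach ($e in $security) {
        # 4800/4801 already carry the account name and domain as separate fields
        $type = if ($e.Id -eq 4800) { 'Lock' } else { 'Unlock' }
        $user = '{0}\{1}' -f (Get-EventField $e 'TargetDomainName'), (Get-EventField $e 'TargetUserName')
        [PSCustomObject]@{ Time = $e.TimeCreated; Event = $type; User = $user }
    }
)

$timeline | Sort-Object Time | Format-Table -AutoSize
```

Sorting the merged list by Time gives a per-user sequence of Logon, Lock, Unlock and Logoff entries, which is what you want when several people share one workstation.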


14 thoughts on “How to check Windows Event Logs with PowerShell (Get-EventLog)”


  1. Interesting read. Thank you for the information.

    I am working on some PowerShell scripts to extract various events from the logs. The issue that I am having is that I am not retrieving all of the information from the logs. One example is when I retrieve failed RDP connections: the details that tell me the IP address of the attempt are not included in the CSV that is created. How do I get the query results to include the event data?

    • The details such as the IP address can be found in the Message event property. The problem with the message property is that it is a long string you need to filter. To get the IP, pipeline the right events to the Format-Table cmdlet. The example below will return Event ID, the time when the event was generated and the IP of the user trying to connect (found after “Source Network Address” in the event’s message):
      ... | FT EventId,TimeGenerated,@{l="User";e={$_.message.substring(($_.message.lastindexof('Source Network Address:')+24),15)}} -wrap -AutoSize

  2. Very good article, this can help me more. I have never known this, even though I always work using a computer. Reading information like this is luck to find out more information that you have. Thank you for the information because this is very useful.

  3. Well, it is NOT posting what I copy and paste in here, it insists on interpreting it and removing half the info.

    PowerButtonTimestamp 131770063503423756

    • Hi Jon,
      If you are looking for this particular PowerButtonTimestamp, the following script will return the event and save it to a CSV file:
      Get-EventLog system | where Instanceid -eq 41 | where Message -like "*131770063503423756*" | select EventId,MachineName,TimeGenerated >> "your CSV file path"
      EventID will be 41 for all returned events – PowerButtonTimestamp is exclusive to it.
      Mind that each forced shutdown will have a different PowerButtonTimestamp, you might be better off going through all Events with Id equal to 41 and checking the PowerButtonTimeStamp for values which are other than 0. Basically, it depends on what you want to ultimately achieve.

  4. This is the string I want to read out of the Event log and send to a text file along with time and date and the EventID.

    131770063503423756

  5. I am looking for help to find Chrome and Firefox browser logs of users using Event logs. Is there a way I will be able to get those logs?

    • I don’t think that System logs have any mention of Chrome or Firefox activity. As far as I know, you can enable logging in those browsers; however, it is not a reliable way to monitor users’ online activity.

  6. This is excellent. I am a PS noob.
    How do I pipe the results to a CSV? I edit the end of the line:
    NTAccount]);} | Export-Csv -Path C:\Path\events.csv and it only retrieves the one oldest entry for the events specified.
    Thanks!

    • One way would be to use the Export-Csv cmdlet with the -Append parameter. You could also save the results in a variable and pipeline its contents into a CSV file.

    • I explained how to do this in the following section of the article:
      Use PowerShell to diagnose problems on multiple computers
      Instead of Get-TransportService, you can import a list of computers from a CSV file, or enter them manually into an array.
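For the question in the first comment (getting the source address of failed RDP attempts into a CSV), here is an added example that is not part of the article or its comments. It reads the IpAddress, TargetUserName, LogonType and Status fields of Security event 4625 by name from the event XML, which is more robust than slicing the Message string at a fixed offset, and then summarizes the failures per source address. It runs against the local Security log; the output path C:\Temp\failed-logons.csv is an assumption.

```powershell
# Added example (not part of the article or the comment thread): failed logon
# attempts (Security event 4625) from the last 24 hours, with the event data
# fields read by name from the event XML and grouped by source address.
# Assumptions: run locally with rights to read the Security log; the output
# path is hypothetical.

$since  = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Every <Data Name="..."> element of the event becomes a key in $d
    $d = @{}
    foreach ($item in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    [PSCustomObject]@{
        Time      = $e.TimeCreated
        EventId   = $e.Id
        User      = $d['TargetUserName']
        LogonType = $d['LogonType']     # 10 = RemoteInteractive (RDP), 3 = Network, 2 = Interactive
        SourceIp  = $d['IpAddress']     # '-' when no network address was recorded
        Status    = $d['Status']        # NTSTATUS code, e.g. 0xC000006D = bad user name or password
    }
}

# Per-source summary: which addresses produced the most failures, against which accounts, and when
$summary = $rows | Where-Object { $_.SourceIp -ne '-' } |
    Group-Object SourceIp |
    Sort-Object Count -Descending |
    Select-Object @{n = 'SourceIp';  e = { $_.Name }}, Count,
                  @{n = 'Accounts';  e = { ($_.Group.User | Sort-Object -Unique) -join ',' }},
                  @{n = 'FirstSeen'; e = { ($_.Group.Time | Measure-Object -Minimum).Minimum }},
                  @{n = 'LastSeen';  e = { ($_.Group.Time | Measure-Object -Maximum).Maximum }}

$summary | Format-Table -AutoSize
$rows | Export-Csv -Path 'C:\Temp\failed-logons.csv' -NoTypeInformation
```

The per-row export answers the original question (every 4625 lands in the CSV with its source address), while the summary is the view you would actually watch: a single address failing against many accounts in a short window stands out immediately.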
