
Filter and query Windows event logs with PowerShell

Use the Get-EventLog cmdlet in PowerShell to pinpoint problems among thousands of entries in Windows logs, on both local and remote systems.

In addition to its automation capabilities, PowerShell helps IT staff troubleshoot problems with Windows, specifically when they need to find errors in the Windows event logs. PowerShell parses logs and has a few advantages over the numerous third-party tools at administrators' disposal. Microsoft includes PowerShell for free with Windows, which gives it a cost advantage over other vendors' products. PowerShell also integrates deeply with the OS, providing many options to filter logs and to query multiple systems at once.

Get-EventLog is the primary cmdlet administrators utilize to manage Windows event logs. This cmdlet shows the log's contents with the -LogName parameter, followed by the name of the desired log file.

Log files can get large, but this cmdlet cuts results down to more easily reveal relevant events.

Use this command to show a summary of available log files:

Get-EventLog -List

PowerShell returns the log names and the number of events in each. Let's focus on the Application log, which can contain several thousand entries. This command displays the Application log events:

Get-EventLog -LogName "Application"

The command output shows the log file's full contents, which is not helpful. To filter the results, use this example to show the 10 most recent entries:

Get-EventLog -LogName "Application" -Newest 10

Next, take the command a step further, and find the 10 most recent errors with the -EntryType parameter:

Get-EventLog -LogName "Application" -EntryType "Error" -Newest 10

PowerShell also finds specific error occurrences. Find the 10 most recent instances of event 7670 -- an issue related to SQL Server database access -- with this command (the -InstanceId parameter matches on the event ID; the -Index parameter refers to a record's position in the log, not its ID):

Get-EventLog -LogName "Application" -InstanceId 7670 -Newest 10

Event 7670 often accompanies several other SQL Server events, such as 7671 or 7673. Get-EventLog also accepts a range of event IDs rather than a single event ID. Let's say you're interested in event IDs 7670, 7671, 7672 and 7673. Use this command to view the 10 most recent SQL Server-related errors with those event IDs in the Application log:

Get-EventLog -LogName "Application" -InstanceId (7670..7673) -Newest 10

Alternatively, filter on the event source. The source name varies with the SQL Server version, but the command to list SQL errors resembles this:

Get-EventLog -LogName "Application" -EntryType "Error" -Source "SQLLocalDB 11.0" -Newest 10

How to check logs on remote machines

PowerShell also filters log events on Windows systems across the network. The administrator must specify the -ComputerName parameter, followed by the NetBIOS name, fully qualified domain name or the target system's IP address.

To show results from several computers, store the computer names in a variable, and then use a ForEach loop. If the server names are Server1, Server2 and Server3, for example, use these commands to query each server:

$Computers='Server1','Server2','Server3'

ForEach($Computer in $Computers){Get-EventLog -ComputerName $Computer -LogName "Application" -Newest 10}

The output does not list the name of the server with each event. To add it, pipe the results to the Select-Object cmdlet and list the fields to display. The valid field names are EventID, MachineName, Data, Index, Category, CategoryNumber, EntryType, Message, Source, ReplacementStrings, InstanceID, TimeGenerated, TimeWritten, UserName, Site and Container.

This command returns the server name, event ID, time and description:

$Computers='Server1','Server2','Server3'

$Computers | ForEach-Object { Get-EventLog -ComputerName $_ -LogName "Application" -Newest 10 } | Select-Object MachineName, EventID, TimeGenerated, Message
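The following function combines the event ID filtering and the multi-computer loop above into one reusable query that keeps the machine name on every row and reports, rather than aborts on, hosts that cannot be reached. It is an added example, not code from the original article; the function name Get-RemoteAppEvents is hypothetical and Server1, Server2 and Server3 are placeholders.

```powershell
# Added example: query the Application log on several computers for a set of
# event IDs. Assumed names: Get-RemoteAppEvents (hypothetical function),
# Server1..Server3 (placeholder hosts).
function Get-RemoteAppEvents {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [int[]]  $EventId   = @(7670..7673),   # SQL Server-related IDs from the article
        [string] $LogName   = 'Application',
        [string] $EntryType = 'Error',
        [int]    $Newest    = 10
    )

    foreach ($Computer in $ComputerName) {
        try {
            # -ErrorAction Stop turns an RPC or access failure into a catchable
            # exception, so one unreachable host does not hide results from the rest.
            # Filtering on the EventID property avoids -Index (record position) and
            # -InstanceId (which can carry qualifier bits for some event sources).
            # Get-EventLog emits newest first, so -First stops after $Newest matches.
            Get-EventLog -ComputerName $Computer -LogName $LogName `
                         -EntryType $EntryType -ErrorAction Stop |
                Where-Object { $_.EventID -in $EventId } |
                Select-Object -First $Newest MachineName, EventID, TimeGenerated, Source, Message
        }
        catch {
            # Tie the failure to the host and keep going with the next one.
            Write-Warning "$Computer : $($_.Exception.Message)"
        }
    }
}

# Usage: the three names are placeholders; substitute your own hosts.
$Computers = 'Server1', 'Server2', 'Server3'
Get-RemoteAppEvents -ComputerName $Computers |
    Sort-Object TimeGenerated -Descending |
    Format-Table -AutoSize
```

Get-EventLog exists only in Windows PowerShell (5.1 and earlier) and reads the classic logs; on PowerShell 7, or for the newer Applications and Services logs, use Get-WinEvent with -FilterHashtable instead.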

These are just a few methods to parse Windows event logs with Get-EventLog. Microsoft provides an extensive list of other ways this cmdlet helps administrators troubleshoot Windows systems.


This was last published in September 2017
