Filter and query Windows event logs with PowerShell
Use the Get-EventLog cmdlet in PowerShell to pinpoint problems among thousands of entries in Windows logs, on both local and remote systems.
In addition to its automation capabilities, PowerShell helps the IT staff troubleshoot problems with Windows, specifically when they need to find errors in the Windows event logs. PowerShell parses logs and has a few more advantages over the numerous third-party tools at administrators' disposal. Microsoft includes PowerShell for free with Windows, which gives it a cost advantage over other vendors' products. Also, PowerShell connects deeply with the OS to provide many options to filter logs and query across multiple systems simultaneously.
Get-EventLog is the primary cmdlet administrators use to manage Windows event logs. This cmdlet shows a log's contents with the -LogName parameter, followed by the name of the desired log.
Log files can grow large, but the cmdlet's filtering parameters cut the results down so that the relevant events are easier to find.
Use this command to show a summary of available log files:
Get-EventLog -List
PowerShell returns the log names and the number of events in each. Let's focus on the Application log, which can contain several thousand entries. This command displays the Application log events:
Get-EventLog -LogName "Application"
The command output shows the log file's full contents, which is not helpful. To filter the results, use this example to show the 10 most recent entries:
Get-EventLog -LogName "Application" -Newest 10
Next, take the command a step further, and find the 10 most recent errors with the -EntryType parameter:
Get-EventLog -LogName "Application" -EntryType "Error" -Newest 10
PowerShell also finds specific error occurrences. Find the 10 most recent instances of event 7670, an issue related to SQL Server database access, with this command. Note that the -Index parameter selects a record by its sequence number in the log, not by event ID, so the event ID is tested on the EventID property instead:
Get-EventLog -LogName "Application" | Where-Object { $_.EventID -eq 7670 } | Select-Object -First 10
Event 7670 often accompanies several other SQL Server events, such as 7671 or 7673. PowerShell can also match a range of event IDs rather than a single one. Let's say you're interested in event IDs 7670, 7671, 7672 and 7673. Use this command to view the 10 most recent SQL Server-related events with those event IDs in the Application log:
Get-EventLog -LogName "Application" | Where-Object { (7670..7673) -contains $_.EventID } | Select-Object -First 10
Alternatively, filter on the event source. The source name varies with the SQL Server version, but the command to list SQL Server errors resembles this:
Get-EventLog -LogName "Application" -EntryType "Error" -Source "SQLLocalDB 11.0" -Newest 10
How to check logs on remote machines
PowerShell also filters log events on Windows systems across the network. The administrator specifies the -ComputerName parameter, followed by the target system's NetBIOS name, fully qualified domain name or IP address.
To show results from several computers, store the computer names in a variable, and then use a ForEach loop. If the server names are Server1, Server2 and Server3, for example, use these commands to query each server:
$Computers='Server1','Server2','Server3'
ForEach($Computer in $Computers){Get-EventLog -ComputerName $Computer -LogName "Application" -Newest 10}
The output does not list the name of the server with the event. To adjust this, customize the results: Append the pipe symbol, followed by the Select-Object cmdlet and the fields to display. The valid field names are EventID, MachineName, Data, Index, Category, CategoryNumber, EntryType, Message, Source, ReplacementStrings, InstanceID, TimeGenerated, TimeWritten, UserName, Site and Container.
How to parse the event log message field with PowerShell
This command returns the server name, event ID, time and description:
$Computers='Server1','Server2','Server3'
ForEach($Computer in $Computers){Get-EventLog -ComputerName $Computer -LogName "Application" -Newest 10 | Select-Object MachineName, EventID, TimeGenerated, Message}
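The multi-server query above, assembled into a reusable function that also narrows the time window and keeps going when one server cannot be reached. This is an added example, not code from the article; the function name and server names are placeholders, and it uses the SQL Server event IDs discussed earlier.

```powershell
# Added example (not from the article). Get-EventLog is available in Windows
# PowerShell 5.1; PowerShell 7 replaces it with Get-WinEvent.
function Get-RemoteEventsById {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [int[]]    $EventId,
        [string] $LogName   = 'Application',
        [string] $EntryType = 'Error',
        [int]    $Hours     = 24,
        [int]    $Newest    = 10
    )

    $since = (Get-Date).AddHours(-$Hours)

    foreach ($computer in $ComputerName) {
        try {
            # -After limits the time window; -Index would select the log record
            # number rather than the event ID, so EventID is tested explicitly.
            # Get-EventLog returns newest entries first, so -First keeps the most recent.
            Get-EventLog -ComputerName $computer -LogName $LogName -EntryType $EntryType `
                         -After $since -ErrorAction Stop |
                Where-Object { $EventId -contains $_.EventID } |
                Select-Object -Property MachineName, EventID, TimeGenerated, Source, Message `
                              -First $Newest
        }
        catch {
            # An unreachable or access-denied host becomes a warning, not a failed run.
            Write-Warning ("{0}: {1}" -f $computer, $_.Exception.Message)
        }
    }
}

# Usage with placeholder server names; run from an account that has rights on each host.
Get-RemoteEventsById -ComputerName 'Server1','Server2','Server3' -EventId (7670..7673) |
    Sort-Object TimeGenerated -Descending |
    Format-Table -AutoSize
```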
These are just a few methods to parse Windows event logs with Get-EventLog. Microsoft provides an extensive list of other ways this cmdlet helps administrators troubleshoot Windows systems.