Manage

Filter and query Windows event logs with PowerShell

Use the Get-EventLog cmdlet in PowerShell to pinpoint problems among thousands of entries in Windows logs, on both local and remote systems.

In addition to its automation capabilities, PowerShell helps the IT staff troubleshoot problems with Windows, specifically...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

when they need to find errors in the Windows event logs. PowerShell parses logs and has a few more advantages over the numerous third-party tools at administrators' disposal. Microsoft includes PowerShell for free with Windows, which gives it a cost advantage over other vendors' products. Also, PowerShell connects deeply with the OS to provide many options to filter logs and query across multiple systems simultaneously.

Get-EventLog is the primary cmdlet administrators utilize to manage Windows event logs. This cmdlet shows the log's contents with the -LogName parameter, followed by the name of the desired log file.

Log files can get large, but this cmdlet cuts results down to more easily reveal relevant events.

Use this command to show a summary of available log files:

Get-EventLog -List

PowerShell returns the log names and the number of events in each. Let's focus on the Application log, which can contain several thousand entries. This command displays the Application log events:

Get-EventLog -LogName "Application"

The command output shows the log file's full contents, which is not helpful. To filter the results, use this example to show the 10 most recent entries:

Get-EventLog -LogName "Application" -Newest 10

Next, take the command a step further, and find the 10 most recent errors with the -EntryType parameter:

Get-EventLog -LogName "Application" -EntryType "Error" -Newest 10

PowerShell also finds specific error occurrences. Find the 10 most recent instances of event 7670 -- an issue related to SQL Server database access -- with this command:

Get-EventLog -LogName "Application" -Index 7670 -Newest 10

Event 7670 often accompanies several other SQL Server events, such as 7671 or 7673. PowerShell specifies a range of event IDs rather than a single event ID. Let's say you're interested in event IDs 7670, 7671, 7672 and 7673. Use this command to view the 10 most recent SQL Server-related errors with those event IDs in the Application log:

Get-EventLog -LogName "Application" -Index(7670..7673) -Newest 10

Alternatively, the command to list SQL errors -- which varies based on the SQL Server version -- resembles this:

Get-EventLog -LogName "Application" -EntryType "Error" -Source "SQLLocalDB 11.0" -Newest 10

How to check logs on remote machines

PowerShell also filters log events on Windows systems across the network. The administrator must specify the -ComputerName parameter, followed by the NetBIOS name, fully qualified domain name or the target system's IP address.

To show results from several computers, store the computer names in a variable, and then use a ForEach loop. If the server names are Server1, Server2 and Server3, for example, use these commands to query each server:

$Computers='Server1','Server2','Server3'

ForEach($Computer in $Computers){Get-EventLog -ComputerName $Computer -LogName "Application" -Newest 10}

The output does not list the name of the server with the event. To adjust this, customize the results: Append the pipe symbol, followed by the Select-Object cmdlet and the fields to display. The valid field names are EventID, MachineName, Data, Index, Category, CategoryNumber, EntryType, Message, Source, ReplacementStrings, InstanceID, TimeGenerated, TimeWritten, UserName, Site and Container.

How to parse event log
message field with PowerShell

This command returns the server name, event ID, time and description:

$Computers='Server1','Server2','Server3'

ForEach($Computer in $Computers){Get-EventLog -ComputerName $Computer -LogName "Application" -Newest 10} | Select-Object MachineName, EventID, TimeGenerated, Message

These are just a few methods to parse Windows event logs with Get-EventLog. Microsoft provides an extensive list of other ways this cmdlet helps administrators troubleshoot Windows systems.

Next Steps

PowerShell commands to troubleshoot Exchange Server

Implement PowerShell's piping capabilities to build scripts

PowerShell Gallery offers easy access to scripts

This was last published in September 2017

Dig Deeper on Windows administration tools

All
News
Get Started
Evaluate
Manage
Problem Solve

Brien Posey asks:

What PowerShell event log filtering techniques do you use?

Join the Discussion

How to check logs on remote machines

Next Steps

Related Resources

Dig Deeper on Windows administration tools

Join the conversation

1 comment

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.