Wednesday, 14 January 2015

Use PowerShell to search Windows Event Logs

PowerShell is an excellent tool for searching Windows event logs. I find myself using it more and more these days, as it lets me find the information I need far more quickly than the filter feature of the Event Viewer snap-in.

The cmdlet for searching the event logs is Get-EventLog. For its full help text, enter:

help Get-EventLog -Full

Get-EventLog takes a -LogName parameter that specifies which event log to search, e.g. System or Application. Note that it reads only the classic logs (System, Application, Security and the others returned by -List); the Applications and Services logs are reached with Get-WinEvent instead, and reading the Security log requires an elevated PowerShell session.

To list the available event logs, enter:

Get-EventLog -List

or

Get-EventLog -LogName *

You can then list every entry in a log with Get-EventLog -LogName followed by the log name, e.g.

Get-EventLog -LogName System

This returns the entire log, probably hundreds or even thousands of entries, so the next job is to filter for the events you are interested in.

Looking at a single entry shows which properties there are to filter on:

Get-EventLog -LogName System -Newest 1

This returns the most recent entry in the System log.
What is displayed is only a subset of the data held for the entry: PowerShell picks a default set of columns that fits comfortably on the screen. To see everything, pipe the output to the Format-List cmdlet:

Get-EventLog -LogName System -Newest 1 | Format-List -Property *
This returns every property of the entry together with its value.
Now you can see all the familiar properties of the event, such as EventID, EntryType and TimeWritten, and you can filter the results on one or more of them.

For example, to:
show all events whose message contains "the service entered the stopped state"
show all events where the event ID equals 41 and the date is 14 Jan 2015
show all events where the EntryType is Error, the Source is ASP.NET or .NET Runtime and the date is between 1 and 10 Jan 2015

All of this is achieved by piping the output of Get-EventLog to the Where-Object cmdlet:

Get-EventLog -LogName System | Where-Object { $_.Message -like "*the service entered the stopped state*" }

Here the Message property of each event is compared with the -like operator; the * wildcards on either side let the phrase appear anywhere in the message.


Get-EventLog -LogName System | Where-Object { $_.EventID -eq 41 -and $_.TimeWritten -like "01/14/2015*" }
In this example the EventID and TimeWritten properties of the event are used (in the System log, event ID 41 is the Kernel-Power event written when the machine restarted without shutting down cleanly):
$_.EventID -eq 41
$_.TimeWritten -like "01/14/2015*"

The -and operator requires both conditions to be true. One caveat with the second condition: -like converts the TimeWritten DateTime to a string in the machine's regional date format, so "01/14/2015*" only matches where dates display as MM/dd/yyyy; on a UK (dd/MM/yyyy) system it matches nothing. The -After and -Before parameters used in the next example compare dates directly and avoid this problem.


Get-EventLog -LogName Application -After (Get-Date -Date '2015-01-01') -Before (Get-Date -Date '2015-01-11') | Where-Object { $_.EntryType -eq "Error" -and ($_.Source -like "ASP.NET*" -or $_.Source -like ".NET Runtime*") }

In this example the date filtering is done by Get-EventLog itself, using its -After and -Before parameters, before the results are passed to Where-Object. Both take a DateTime; writing the dates as yyyy-MM-dd avoids the day/month ambiguity of a value like '10/1/2015', which is 10 January on a UK system but 1 October on a US one. -Before is exclusive, so the 11th is used as the upper bound to include events written on 10 January. Note also that the log is Application rather than System: ASP.NET and the .NET Runtime write their events to the Application log. After that, Where-Object is used in the same way as in the previous examples.

The only new element is that the two $_.Source tests are surrounded by parentheses. This is necessary so that the -or operator applies to just those two comparisons, and that combined result is then joined to the EntryType test by -and. Further sources can be added inside the parentheses with additional -or operators if the list needs to grow beyond two.

Understanding the PowerShell comparison and logical operators is key to getting the results you want; this page contains useful information about them:
http://technet.microsoft.com/en-gb/library/hh847759.aspx

Finally, you can export your results using any of PowerShell's export cmdlets. I find Export-Csv works well:

Get-EventLog -LogName System | Where-Object { $_.Message -like "*the service entered the stopped state*" } | Export-Csv C:\scripts\events.csv
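The three searches above follow one pattern: let Get-EventLog narrow the log where it can, finish the filtering in Where-Object, then export. As an added example (not code from the original post), the wrapper below pulls that pattern into a reusable function. The function name Search-EventLog and its parameter names are my own; it hands the filters Get-EventLog understands natively (-After, -Before, -EntryType, -Source, -Message, all of which accept the same values used in the examples) straight to the cmdlet, and uses Where-Object only for EventID, which the cmdlet cannot filter on directly. Dates are typed as [datetime], so '2015-01-10' means the same thing regardless of the machine's regional settings.

```powershell
# Added example, not code from the original post. Search-EventLog is a
# hypothetical wrapper that combines the filters shown in the post.
function Search-EventLog {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]   $LogName,          # System, Application, Security ...
        [datetime] $After,            # events written after this time
        [datetime] $Before,           # events written before this time (exclusive)
        [datetime] $On,               # shortcut: every event written on this calendar day
        [int[]]    $EventId,          # e.g. 41, 6008
        [string[]] $Source,           # wildcards allowed, e.g. 'ASP.NET*'
        [string[]] $EntryType,        # Error, Warning, Information, SuccessAudit, FailureAudit
        [string]   $MessagePattern,   # wildcard pattern, e.g. '*stopped state*'
        [string]   $CsvPath           # optional: also write the hits to this CSV file
    )

    # Build the Get-EventLog arguments with splatting so unused filters are simply left out.
    $getArgs = @{ LogName = $LogName; ErrorAction = 'Stop' }
    if ($PSBoundParameters.ContainsKey('On')) {
        # Typed dates avoid the dd/MM vs MM/dd ambiguity of comparing TimeWritten as a string.
        $getArgs.After  = $On.Date
        $getArgs.Before = $On.Date.AddDays(1)
    } else {
        if ($PSBoundParameters.ContainsKey('After'))  { $getArgs.After  = $After }
        if ($PSBoundParameters.ContainsKey('Before')) { $getArgs.Before = $Before }
    }
    if ($EntryType)      { $getArgs.EntryType = $EntryType }
    if ($Source)         { $getArgs.Source    = $Source }
    if ($MessagePattern) { $getArgs.Message   = $MessagePattern }

    # Get-EventLog has no -EventID parameter, so that one filter stays in Where-Object.
    $hits = Get-EventLog @getArgs |
        Where-Object { -not $EventId -or $EventId -contains $_.EventID } |
        Select-Object TimeWritten, EntryType, Source, EventID, InstanceId, Message

    if ($CsvPath) {
        # -NoTypeInformation suppresses the '#TYPE ...' header line that
        # Windows PowerShell otherwise writes as the first row of the file.
        $hits | Export-Csv -Path $CsvPath -NoTypeInformation -Encoding UTF8
    }
    $hits
}

# The three searches from the post, expressed with the wrapper:
Search-EventLog -LogName System -MessagePattern '*the service entered the stopped state*'
Search-EventLog -LogName System -EventId 41 -On '2015-01-14'
Search-EventLog -LogName Application -EntryType Error -Source 'ASP.NET*', '.NET Runtime*' `
    -After '2015-01-01' -Before '2015-01-11' -CsvPath C:\scripts\events.csv
```

Because the date bounds are typed and the Source, EntryType and Message filters are applied by Get-EventLog itself, the same call returns the same events on a UK and a US machine and avoids pulling the whole log into Where-Object first. Pass -CsvPath to keep a copy of the hits on disk; the function returns them to the pipeline either way.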
