The cmdlet to use for searching the event logs is get-eventlog. For the full help file from PowerShell, enter the following:
help Get-EventLog -Full
The get-eventlog cmdlet takes the -LogName parameter. This is used to specify the event log you want to search, e.g. System, Application, etc.
To get a list of available event logs, enter
Get-EventLog -List
or
Get-EventLog -LogName *
You can then list all events from a given event log with the command Get-EventLog -LogName <name of the log>
For example,
Get-EventLog -LogName System
This will return everything from the event log, probably hundreds or even thousands of events, so the next job is to filter for the events you are interested in.
We can examine an individual event to get an idea of how to filter:
Get-EventLog -LogName System -Newest 1
This command will return the most recent event from the System event log.
The information displayed is a subset of the complete data available for this event log. PowerShell will automatically select the columns to display so that it fits easily on the screen. To see everything, we need to pipe the output to the format-list cmdlet.
Get-EventLog -LogName System -Newest 1 | Format-List -Property *
This command returns all the properties and values for this event.
Now you can see all the familiar properties of the event, such as EventID, EntryType, TimeWritten etc. I can now filter my result based on one or more of these properties.
For example,
show all events where the message contains "the service entered the stopped state"
show all events where the event id equals 41 and the date is 10 Jan 2015
show all events where the EntryType is error, the source is Asp.Net or .Net runtime and the date is between 01 Jan - 10 Jan 2015
All of this is achieved by piping the results of get-eventlog to the where-object cmdlet:
Get-EventLog -LogName System | Where-Object { $_.Message -like "*the service entered the stopped state*" }
In this example you can see that I have used the Message property of the event and the -like operator to match it to the text I am looking for.
Get-EventLog -LogName System | Where-Object { $_.EventID -eq 41 -and $_.TimeWritten -like "01/14/2015*" }
In this example you can see that I have used the EventID and TimeWritten properties of the event:
$_.EventID -eq 41
$_.TimeWritten -like "01/14/2015*"
The -and operator requires both conditions to be true for an event to be returned.
Get-EventLog -LogName System -After (Get-Date -Date '1/1/2015') -Before (Get-Date -Date '10/1/2015') | Where-Object { $_.EntryType -eq "Error" -and ($_.Source -like "Asp.Net*" -or $_.Source -like ".net runtime*") }
In this example I use the TimeWritten date of the get-eventlog results to filter the events before passing them to the where-object cmdlet. This is done using the -Before and -After parameters, which lets get-eventlog discard events outside the date range before where-object ever sees them. After that, the where-object command is used in the same way as in the previous examples.
The only difference is that the two $_.Source comparisons are surrounded by parentheses (). This is necessary so that the -or operator applies to only those two comparisons and the -and still applies to the whole group. I could add more $_.Source comparisons inside the parentheses with additional -or operators if I wanted to increase this list beyond two.
Understanding the PowerShell operators is key to getting the results you want. This link contains useful information about operators:
http://technet.microsoft.com/en-gb/library/hh847759.aspx
Finally, you can export your results using any of PowerShell's export commands. I find export-csv works well:
Get-EventLog -LogName System | Where-Object { $_.Message -like "*the service entered the stopped state*" } | Export-Csv C:\scripts\events.csv
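The three filtering patterns above (message text, event ID plus date, entry type plus a group of sources within a date range) and the CSV export can be wrapped into one reusable function. The following is an added example written for this page, not code from the original article: the function name Find-SystemEvent and its parameter names are my own choices, and the file path, dates and patterns are constructed to match the ones used above. It differs from the one-liners in two ways a practitioner will care about: dates are given in the unambiguous yyyy-MM-dd form, so there is no question of whether '10/1/2015' means 10 January or 1 October, and TimeWritten is compared as a [datetime] with -ge/-lt rather than matched as text with -like, so the test does not depend on how the date happens to be rendered as a string. Note that Get-EventLog exists in Windows PowerShell only; it is not available in PowerShell 7.

```powershell
# Added example (not from the original page). Searches a classic event log with the
# same kinds of filters the page demonstrates, then exports selected columns to CSV.
# Function and parameter names are assumptions made for this example.
function Find-SystemEvent {
    [CmdletBinding()]
    param(
        # Use yyyy-MM-dd (or a [datetime]) so the day/month order is never ambiguous.
        [Parameter(Mandatory)] [datetime] $After,
        [Parameter(Mandatory)] [datetime] $Before,      # exclusive upper bound
        [string]   $LogName = 'System',
        [int[]]    $EventID,                            # e.g. 41
        [string[]] $EntryType,                          # e.g. 'Error', 'Warning'
        [string[]] $SourcePattern,                      # wildcard patterns, OR-ed together
        [string]   $MessagePattern                      # wildcard pattern for the message text
    )

    # Let Get-EventLog discard events outside the date range (and wrong entry type)
    # before anything reaches Where-Object; this reads far fewer records than piping
    # the entire log. Splatting lets us add -EntryType only when the caller asked for it.
    $query = @{ LogName = $LogName; After = $After; Before = $Before }
    if ($EntryType) { $query.EntryType = $EntryType }

    Get-EventLog @query | Where-Object {
        $e = $_   # capture the event; $_ is reused by the nested Where-Object below

        # Each optional filter is "not supplied, or matches". Comparing TimeWritten as a
        # [datetime] avoids relying on the text form of the date as the -like example does.
        ($e.TimeWritten -ge $After -and $e.TimeWritten -lt $Before) -and
        (-not $EventID        -or $EventID -contains $e.EventID) -and
        (-not $MessagePattern -or $e.Message -like $MessagePattern) -and
        (-not $SourcePattern  -or
            @($SourcePattern | Where-Object { $e.Source -like $_ }).Count -gt 0)
    }
}

# --- Example calls, mirroring the three searches on the page -------------------------
# 1. Message text: services entering the stopped state during 1-9 Jan 2015.
$stopped = Find-SystemEvent -After '2015-01-01' -Before '2015-01-10' `
    -MessagePattern '*the service entered the stopped state*'

# 2. Event ID 41 on a single day (10 Jan 2015): -Before is exclusive, so use the next day.
$crashes = Find-SystemEvent -After '2015-01-10' -Before '2015-01-11' -EventID 41

# 3. Errors from Asp.Net or the .NET runtime between 1 and 10 Jan 2015 (inclusive).
$dotnet = Find-SystemEvent -After '2015-01-01' -Before '2015-01-11' -EntryType Error `
    -SourcePattern 'Asp.Net*', '.NET Runtime*'

# Export only the columns worth keeping. -NoTypeInformation drops the "#TYPE" header line
# that Export-Csv otherwise writes, which trips up most spreadsheet and SIEM importers.
$dotnet |
    Select-Object TimeWritten, EntryType, Source, EventID, Message |
    Export-Csv -Path 'C:\scripts\events.csv' -NoTypeInformation -Encoding UTF8

"Stopped services: $($stopped.Count); ID 41 events: $($crashes.Count); .NET errors: $($dotnet.Count)"
```

Because the function returns the event objects rather than text, the results can be piped into Format-List -Property * for inspection, grouped with Group-Object Source, or exported, exactly as the one-liners above allow.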