I’m not a programmer and I have never wanted to be one. I grudgingly began learning PowerShell because it was the way of the future for Windows Systems Administration (Server Core, anyone?). From the first time I executed the Get-EventLog command, I was hooked on PowerShell. The Event Viewer in Windows is slow, I mean really slow, so when I executed the Get-EventLog command for the first time, I was amazed by how fast it ran. When I explored the options for filtering and exporting the results of Get-EventLog, I realized how powerful this command is.
The basic syntax for Get-EventLog is:
Get-EventLog -LogName <logname>
You can find out which logs you have by using Get-EventLog -List (System, Security, Application, Windows PowerShell, etc.). Two caveats before you start: reading the Security log requires administrative rights, and Get-EventLog only reads the classic event logs. The newer ETW-based channels (Microsoft-Windows-PowerShell/Operational, Sysmon, and so on) do not appear in -List at all; use Get-WinEvent for those. Get-EventLog also only exists in Windows PowerShell (5.1 and earlier), not in PowerShell 7, where Get-WinEvent is the replacement.
Using the -Newest <number> option, you can limit the output to a specific number of entries. You can also limit the time frame by using -Before <date> and -After <date>.
Get-EventLog -LogName Security -newest 100
Get-EventLog -LogName system -EntryType error -After '1/17/2020 08:00:00' -Before '1/17/2020 17:00:00'
Date strings passed to -After and -Before are parsed under the current culture, so '1/17/2020' works on a US system but is rejected (there is no month 17) on a system using day-first dates. If a script has to run on more than one machine, use an unambiguous form such as '2020-01-17 08:00:00' or pass a [datetime] object such as (Get-Date).AddHours(-24).
Options for filtering include -EntryType (Error, Warning, Information, SuccessAudit, FailureAudit), -UserName, -Message (to search for text in the message), and -InstanceId (the event ID). You can also look for the source of a message (such as Outlook) with the -Source option. -UserName, -Message, and -Source all accept wildcards, so -Message '*failed*' finds any message containing that word. Note that these parameters are applied after the log has been read, so on a large Security log it is still worth narrowing with -Newest or -After first.
Get-EventLog -LogName Security -EntryType FailureAudit -Newest 100
Like many Windows PowerShell commands, Get-EventLog has a -ComputerName option for viewing event logs on other Windows systems. It does not use PowerShell remoting (WinRM); it talks to the remote Event Log service over RPC, so the "Remote Event Log Management" firewall rule group must be enabled on the target and your account must have rights to read the log there.
Get-EventLog -LogName System -ComputerName Server01, Server02, Server03
Finally, one of the best things about the Get-EventLog command is that you can pipe the results into different formats and files. Export-Csv writes a CSV file directly (add -NoTypeInformation in Windows PowerShell to drop the #TYPE header line), which is useful since Excel is one of my favorite tools. ConvertTo-Csv, ConvertTo-Json, ConvertTo-Xml, and ConvertTo-Html produce the formatted text in the pipeline instead; send it to a file with Out-File or Set-Content. Select the properties you need first, because the full EventLogEntry objects include large fields (Message, ReplacementStrings, Data) you rarely want in a report.
Get-EventLog -LogName System | Select-Object -Property timegenerated, username, message | Export-Csv <path>
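Putting the filtering, remote, and export options together: the script below is an added example, not code from the original post. It pulls failed logon events (ID 4625) from the Security log of several servers over a time window, summarizes attempts per account and source address so a brute-force or password-spray pattern stands out, and exports the result to CSV. The server names and output path are placeholders, and the ReplacementStrings index positions follow the standard 4625 event template (5 = target account, 6 = target domain, 10 = logon type, 19 = source address); confirm them against one sample event on your own systems before relying on the report. It assumes Windows PowerShell 5.1, administrative rights on the targets, and the remote event log firewall rule enabled.

```powershell
# Added example (not from the original post): summarize failed logons (event 4625)
# across several servers over a time window and export the summary to CSV.
# Assumptions: server names and output path are placeholders; you can read the
# Security log remotely; Windows PowerShell 5.1 (Get-EventLog is not in PowerShell 7).
param(
    [string[]]$ComputerName = @('Server01', 'Server02'),   # placeholder names
    [datetime]$After = (Get-Date).AddHours(-24),           # unambiguous, culture-independent
    [string]$OutFile = "$env:TEMP\failed-logons.csv"
)

$events = foreach ($c in $ComputerName) {
    try {
        # -EntryType FailureAudit and -After narrow the read; 4625 is
        # "An account failed to log on". EventID is InstanceId masked to 16 bits,
        # so comparing EventID works regardless of the qualifier bits.
        Get-EventLog -LogName Security -EntryType FailureAudit -After $After -ComputerName $c |
            Where-Object { $_.EventID -eq 4625 } |
            ForEach-Object {
                # ReplacementStrings holds the raw event parameters in template order,
                # which is more reliable than regex over the localized Message text.
                # (Index positions follow the 4625 template; verify on a sample event.)
                [pscustomobject]@{
                    Computer  = $c
                    Time      = $_.TimeGenerated
                    Account   = '{0}\{1}' -f $_.ReplacementStrings[6], $_.ReplacementStrings[5]
                    LogonType = $_.ReplacementStrings[10]
                    SourceIP  = $_.ReplacementStrings[19]
                }
            }
    } catch {
        # An unreachable server or access-denied should not abort the whole report.
        Write-Warning "$c : $($_.Exception.Message)"
    }
}

# One row per account/source pair, highest count first: many accounts from one
# address suggests spraying, many attempts on one account suggests brute force.
$summary = $events |
    Group-Object Account, SourceIP |
    ForEach-Object {
        [pscustomobject]@{
            Account  = $_.Group[0].Account
            SourceIP = $_.Group[0].SourceIP
            Attempts = $_.Count
            First    = ($_.Group | Measure-Object Time -Minimum).Minimum
            Last     = ($_.Group | Measure-Object Time -Maximum).Maximum
        }
    } |
    Sort-Object Attempts -Descending

$summary | Export-Csv -Path $OutFile -NoTypeInformation
$summary | Select-Object -First 10 | Format-Table -AutoSize
```

Save it as a .ps1 and run it with -ComputerName and -After as needed; the CSV opens cleanly in Excel because -NoTypeInformation suppresses the #TYPE header. If the target log is large, the -After filter is what keeps the remote read fast, since -EntryType and Where-Object are applied to entries after they are retrieved.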
For more details, see the Microsoft help for Get-EventLog: