Use PowerShell to Query All Event Logs for Recent Events


Summary: Learn how to use Windows PowerShell to easily query all event logs for recent events.

It is raining outside in Seattle, Washington. I suppose that might not be news to most people, but then I am not from Seattle. In fact, the last time I was out here to teach a Windows PowerShell class to a group of Microsoft network engineers, it was beautiful, sunny, and a bit cool. The sky was a deep blue. One of my students told me that it is always like that here in Seattle, and that the reputation for rain is something they only perpetuate to keep the tourists away. Alas, it seems that is not necessarily the case.

The Scripting Wife and I are out here for two reasons. The first reason is the Microsoft MVP Summit that has been going on all week. The second is for me to teach a Windows PowerShell class to another group of Microsoft engineers. Both reasons are excellent reasons to jump into a plane and fly to Seattle. Besides, I was getting tired of the sunny weather back in Charlotte, North Carolina. I mean, my next-door neighbor was mowing his grass. Give me cold, cloudy, rainy weather any time if it means not mowing the grass.

This has made for an all Windows PowerShell all the time kind of week. It began with breakfast with Microsoft MVPs, Kirk Munro and Shane Hoey, and it ended with me teaching a four-day class. In the intervening time, there was a Scripting Guys booth at the TechNet/MSDN open house, and various evening events with the product group and MVPs. It has been a tremendously invigorating week. Everywhere I went people were talking about Windows PowerShell.

On the first day of class, I began by explaining that Windows PowerShell is both an interactive console and a scripting language. In the purest sense, a Windows PowerShell script is simply a collection of Windows PowerShell commands that one saves with a .ps1 file extension. In this regard, there is absolutely no difference between typing commands interactively and saving the same commands in a file. In fact, on many occasions, my interactive Windows PowerShell commands morph into a Windows PowerShell script.

I showed the class an example of using the Get-WinEvent Windows PowerShell cmdlet. The command to list all of the classic event logs and the ETL diagnostic logs is shown here.

Get-WinEvent -ListLog * -EA silentlycontinue

The output from the above command is shown in the following image.

Image of command output

After I have a listing of all of the logs, both classic and ETL, I can use the list and query all of the logs’ recent entries. When I showed the class the command that is shown here, I was nearly awarded a standing ovation.

Get-WinEvent -ListLog * -EA silentlycontinue |
where-object { $_.recordcount -AND $_.lastwritetime -gt [datetime]::today} |
Foreach-Object { get-winevent -LogName $_.logname -MaxEvents 1 }

In this code, the Get-WinEvent cmdlet retrieves all of the event logs. The EA is an alias for the ErrorAction parameter. The value SilentlyContinue for the ErrorAction parameter tells Windows PowerShell to hide any non-terminating errors and to continue processing commands. This causes Windows PowerShell to skip any logs that my currently logged on, non-elevated profile does not have access to read. The Where-Object cmdlet receives the resulting collection of event logs via the Windows PowerShell pipeline. The filter used for the Where-Object cmdlet looks for event logs that have at least one event contained in the log ($_.recordcount). In addition, (-AND) the filter looks for a lastwritetime property that is greater than (-gt) midnight today ([datetime]::today). The Foreach-Object cmdlet processes the collection of event logs that have records written today, by retrieving the most recent event from the log. The output from the previous command is shown in the following image.

Image of command output

The previous command, although interesting, is not extremely informative because the provider name is truncated, as is the actual event message. To combat these twin problems, I modified the command by sending it to the Format-Table cmdlet. The revised command is shown here.

Get-WinEvent -ListLog * -EA silentlycontinue |
where-object { $_.recordcount -AND $_.lastwritetime -gt [datetime]::today} |
foreach-object { get-winevent -LogName $_.logname -MaxEvents 1 } |
Format-Table TimeCreated, ID, ProviderName, Message -AutoSize -Wrap

When I ran this command for the class, there were audible cheers. The results from the “award winning” command are shown here.

Image of command output

By experimenting with this code, one can quickly create a customized solution to enable efficient processing of event log data. Additionally, the ComputerName parameter permits easy access to event logs on remote machines.
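As an added example (not code from the original post), the three-stage pipeline above wrapped in a reusable function. The function and parameter names are my own choices; every cmdlet and parameter used is a standard Get-WinEvent one, and the time filter is handed to the event log service through -FilterHashtable rather than applied afterwards in Where-Object.

```powershell
# Added example (not from the original post): the article's three-stage pipeline
# wrapped in a reusable function. The function and parameter names are my own;
# every cmdlet and parameter used is a standard Get-WinEvent one.
function Get-RecentEventAcrossLogs {
    [CmdletBinding()]
    param(
        # Only logs written to since this time are queried; the default is
        # midnight today, matching the article's [datetime]::today filter.
        [datetime] $Since = [datetime]::Today,
        # Newest events to pull from each log (the article uses 1).
        [int] $MaxEventsPerLog = 1,
        # Local machine by default; remote queries need the Remote Event Log
        # Management firewall rules open on the target.
        [string] $ComputerName = $env:COMPUTERNAME
    )

    # Stage 1: enumerate classic and ETL logs written to since $Since.
    # Logs the current non-elevated account cannot read (Security, for one) raise
    # non-terminating errors that SilentlyContinue hides, so they are simply absent.
    $logs = Get-WinEvent -ListLog * -ComputerName $ComputerName -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordCount -and $_.LastWriteTime -gt $Since }

    # Stage 2: query each active log. -FilterHashtable lets the event log service
    # apply the StartTime filter before events are returned, instead of pulling
    # every record and discarding most of it in Where-Object. Analytic and debug
    # logs, which need -Oldest to be read, are skipped by the same SilentlyContinue.
    foreach ($log in $logs) {
        $query = @{
            ComputerName    = $ComputerName
            MaxEvents       = $MaxEventsPerLog
            FilterHashtable = @{ LogName = $log.LogName; StartTime = $Since }
            ErrorAction     = 'SilentlyContinue'
        }
        Get-WinEvent @query |
            Select-Object TimeCreated, LogName, Id, LevelDisplayName, ProviderName,
                @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } }
    }
}

# Stage 3: newest first, wrapped so ProviderName and Message are not truncated.
Get-RecentEventAcrossLogs -MaxEventsPerLog 3 |
    Sort-Object TimeCreated -Descending |
    Format-Table TimeCreated, LogName, Id, LevelDisplayName, ProviderName, Message -AutoSize -Wrap
```

Run it in an elevated session to include the Security log; in a non-elevated one that log silently drops out of the survey, which is worth remembering before concluding that nothing security-relevant happened today.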

This is one reason I love teaching Windows PowerShell classes—simple solutions arise to previously vexatious problems.

Well, I need to get back to class—I just wanted to share this with you. Have an awesome day.

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy

  • Hello,

    I'm a complete beginner with PowerShell, and so, inspired by this example, I tried to get all the events generated by LANDESK in the application event log today:

    Get-WinEvent -Logname Application  -EA silentlycontinue |
    where-object { $_.providername.ToLower().contains("landesk") -AND $_.timecreated -gt [datetime]::today}

    It seems to work well but it is so slow and CPU demanding...

    Am I missing something?

    Thanks

    Marco S. Zuppone

  • Marco, you are working too hard with this example... :)

    Try to use -match 'landesk' or -like '*landesk*':

    Get-WinEvent -LogName Application -EA 0 | where-object {
       $_.providerName -match 'landesk' -and $_.TimeCreated -gt [datetime]::today
    }

  • @marco To improve the efficiency of your query, there are a number of things you can do. The best thing is to use a filter directly on Get-WinEvent. I have written about this in the past on the Hey Scripting Guy blog. As @Bartek points out, there is no need to send your provider name to lower case, because matching by default is not case sensitive. See tomorrow's (3/8/2011) Hey Scripting Guy blog and I will talk in more detail about filtering of the event log, and performance implications. @marco -- I also got your email to Scripter@Microsoft.Com ...
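The difference between Marco's Where-Object filter and the "filter directly on Get-WinEvent" approach from the reply above, as an added example that is not part of the post or its comments. It times both forms on the same log; "landesk" comes from the comment, and the helper name, parameter names and output layout are my own.

```powershell
# Added example, not from the post or its comments: Marco's provider filter
# written the slow way and the fast way, timed side by side. "landesk" is
# taken from the comment; the helper name and output layout are my own.
function Compare-ProviderQuery {
    param(
        [string] $ProviderPattern = '*landesk*',
        [string] $LogName = 'Application',
        [datetime] $Since = [datetime]::Today
    )

    # Slow form: every event in the log is retrieved and materialised as an
    # object, then most are thrown away client-side by Where-Object.
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $slow = @(Get-WinEvent -LogName $LogName -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like $ProviderPattern -and $_.TimeCreated -gt $Since })
    $slowTime = $sw.Elapsed

    # Fast form: resolve the exact provider names once, then hand the provider
    # and time filters to the event log service through -FilterHashtable so only
    # matching events cross the pipeline at all.
    $sw.Restart()
    $providers = @(Get-WinEvent -ListProvider $ProviderPattern -ErrorAction SilentlyContinue).Name
    $fast = @()
    if ($providers) {
        $fast = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName      = $LogName
            ProviderName = $providers
            StartTime    = $Since
        })
    }
    $fastTime = $sw.Elapsed

    # The two counts should agree. If the hashtable count is lower, the source
    # writes under a name -ListProvider does not report, and Where-Object is the fallback.
    [pscustomobject]@{
        Providers          = $providers -join ', '
        WhereObjectCount   = $slow.Count
        WhereObjectSeconds = [math]::Round($slowTime.TotalSeconds, 1)
        HashtableCount     = $fast.Count
        HashtableSeconds   = [math]::Round($fastTime.TotalSeconds, 1)
    }
}

Compare-ProviderQuery | Format-List
```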

  • So I gave the following a try and got a strange error. At least strange for me, I've been using powershell for about 13 minutes.

    Clear-host
    Get-WinEvent -ListLog * -EA silentlycontinue -ComputerName EDUPTCIIS010 |
    where-object { $_.recordcount -AND $_.lastwritetime -gt [datetime]::today} |
    foreach-object { get-winevent -LogName $_.logname -MaxEvents 1 } |
    Format-Table TimeCreated, ID, ProviderName, Message -AutoSize -Wrap

    And the error:

    Get-WinEvent : There are no more endpoints available from the endpoint mapper
    At line:3 char:13
    + Get-WinEvent <<<<  -ListLog * -EA silentlycontinue -ComputerName EDUPTCIIS010 |
       + CategoryInfo          : NotSpecified: (:) [Get-WinEvent], EventLogException
       + FullyQualifiedErrorId : System.Diagnostics.Eventing.Reader.EventLogException,Microsoft.PowerShell.Commands.GetWinEventCommand

  • Just wanted to set the record straight, your experience of Seattle was typical.  The area has an average of 260 days of overcast weather a year.  While overcast isn't the same as raining it does give the impression that it's constantly raining.  When it's sunny it is spectacular.  And yes, we do perpetuate the notion that it is always raining to keep tourists away.

  • Hi.

    I need to be able to view all the event logs from the past 2 weeks. Please can you show me how I can incorporate that into

    get-spserviceapplication |

    I'm not sure how to enter it into powershell to only show me the events for the last 2 weeks?

    Any help would be great, thanks.