Parse log files with PowerShell, by Luc Fullenwarth, Tue, Aug 8 2017
In my last article, I showed you how to search the Windows Event Log with Get-WinEvent. That's where you usually spot most of the pertinent messages. However, sometimes you also need to reference log files in textual format. For example, this is the case for the Windows Update log or the Firewall log.
Displaying the content of a log file
The Get-Content cmdlet can be useful in many situations, such as when displaying text or log files.
For instance, the following command line displays the whole content of the httperr1.log file.
Get-Content -Path C:\Windows\System32\LogFiles\HTTPERR\httperr1.log
Displaying long log files
Some log files are very long, and if you want to display them one page at a time, just pipe the content to the Out-Host cmdlet along with the -Paging parameter.
Please note that this option is not available in the Integrated Scripting Environment (ISE) console.
For example, the following command displays the Windows Server Update Services (WSUS) SoftwareDistribution log one page at a time.
Get-Content -Path 'C:\Program Files\Update Services\LogFiles\SoftwareDistribution.log' | Out-Host -Paging
Displaying only the end of a log file
However, usually the last lines are the most relevant ones because they contain either the global success messages or fatal errors. Thus, it's sometimes useful to view only the final lines of log files.
For instance, the following command displays the last 50 lines of the Deployment Image Servicing and Management (DISM) log file.
Get-Content -Path C:\Windows\Logs\DISM\dism.log -Tail 50
Because some services write continuously to a log file, you may want to display new lines as soon as they appear. That's exactly the purpose of the -Wait parameter.
In this case, Get-Content continues to wait for new lines and displays them on the fly until you hit Ctrl+C.
Please note that Get-Content still continues to wait for new lines even when the process or service writing to the file has already stopped.
In the next example, the command line displays the last five lines of the WindowsUpdate.log and waits for additional lines to display.
Get-Content -Path C:\Windows\WindowsUpdate.log -Tail 5 -Wait
There's a blinking underscore on that last screen. This means the cmdlet is waiting for new lines to display.
Displaying only specific lines
In some cases, you may want to display only lines containing specific words.
If you want to search for packets the firewall has dropped, you can use the command below. It searches the firewall log for all lines containing the word "Drop" and displays only the last 20 matches.
Select-String -Path C:\Windows\System32\LogFiles\Firewall\pfirewall.log -Pattern 'Drop' | Select-Object -Last 20
Fortunately, the -Pattern parameter accepts arrays as input, and you can provide several patterns to search. All patterns are processed with the logical OR operator.
For instance, the following command displays lines containing the word "error" or the word "warning" from the Windows Update agent log file.
Select-String -Path C:\Windows\WindowsUpdate.log -Pattern 'error','warning'
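The two Select-String techniques above (a pattern search over a log file, and an array of patterns combined with OR) are enough to turn the firewall log into objects you can group and count. The script below is an added example, not code from the original article: it writes a constructed sample in the pfirewall.log layout (a `#Fields:` header followed by space-separated records) to a temporary file, uses Select-String to keep only DROP and ALLOW records, and summarises dropped inbound packets by source address. The sample addresses, the temporary file name and the `$dropsBySource` result shape are my own assumptions.

```powershell
# Added example (not from the original article): parse the Windows Firewall log
# layout into objects and summarise dropped packets by source address.
# Assumptions: the '#Fields:' header and the sample records below are constructed;
# the real file is C:\Windows\System32\LogFiles\Firewall\pfirewall.log when
# firewall logging is enabled.

$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-08-08 10:15:01 DROP TCP 203.0.113.5 192.0.2.10 51234 445 52 S 1234567 0 8192 - - - RECEIVE
2017-08-08 10:15:02 ALLOW TCP 192.0.2.10 198.51.100.20 49152 443 0 - 0 0 0 - - - SEND
2017-08-08 10:15:03 DROP TCP 203.0.113.5 192.0.2.10 51235 3389 52 S 1234568 0 8192 - - - RECEIVE
2017-08-08 10:15:04 DROP UDP 203.0.113.77 192.0.2.10 40000 161 78 - - - - - - - RECEIVE
2017-08-08 10:15:05 ALLOW UDP 192.0.2.10 192.0.2.1 53412 53 0 - 0 0 0 - - - SEND
'@

$logPath = Join-Path ([IO.Path]::GetTempPath()) 'pfirewall-sample.log'
Set-Content -Path $logPath -Value $sample

# Column names come from the '#Fields:' header line rather than being guessed.
$headerLine = (Select-String -Path $logPath -Pattern '^#Fields: ' | Select-Object -First 1).Line
$fields = ($headerLine -replace '^#Fields: ') -split ' '

# An array of patterns is combined with a logical OR, as the article describes;
# anchoring on "date time ACTION" skips the comment lines at the top of the file.
$records = Select-String -Path $logPath -Pattern '^\S+ \S+ DROP ', '^\S+ \S+ ALLOW ' |
    ForEach-Object { $_.Line } |
    ConvertFrom-Csv -Delimiter ' ' -Header $fields

# Dropped inbound packets grouped by source address, with the ports they hit:
# a quick view of which hosts are probing this machine.
$dropsBySource = $records |
    Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
    Group-Object 'src-ip' |
    Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ Name = 'Ports'; Expression = { ($_.Group.'dst-port' | Sort-Object -Unique) -join ',' } }

$dropsBySource | Format-Table -AutoSize
# Name          Count Ports
# ----          ----- -----
# 203.0.113.5       2 3389,445
# 203.0.113.77      1 161

Remove-Item -Path $logPath
```

Pointing `$logPath` at the real pfirewall.log works unchanged, because the script reads the column layout from the file's own header. Combine it with `Get-Content -Tail` from the previous section if you only want the most recent records.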
Displaying only specific lines inside their context
Sometimes you may also want to know in which context the pattern appears.
For this purpose, Select-String has another interesting parameter named -Context, which shows you the lines before and after the string matching the pattern.
The following command searches for lines with the word "err" preceded and followed by a space. It also displays the three lines before and after every match from the cluster log file.
Select-String C:\Windows\Cluster\Reports\Cluster.log -Pattern ' err ' -Context 3
The last screenshot shows that the line containing the pattern starts with a greater than symbol. But you can also see that the Select-String cmdlet displays the line number of the log file for each hit.
Thus, if you spotted a specific line in the middle of a log file, you can display only the context around that line by using the Get-Content cmdlet and piping the result to the Select-Object cmdlet with the -First and -Skip parameters.
For instance, the following command line displays lines 45 to 75 from the netlogon.log file.
Get-Content C:\Windows\debug\netlogon.log | Select-Object -Skip 44 -First 31   # skip lines 1-44, then keep lines 45-75
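The -Context parameter and the line numbers Select-String reports can be combined: each hit is a MatchInfo object whose LineNumber property is the same number shown in the output, so a script can compute the -Skip and -First values for the window around every hit instead of reading them off the screen. The following is an added example, not code from the original article; the cluster-style sample lines, the temporary file name and the `Get-LogWindow` helper are my own constructions.

```powershell
# Added example (not from the original article): find hits with Select-String,
# then use each hit's LineNumber to extract the surrounding lines with
# Get-Content | Select-Object -Skip/-First, as the article describes.
# The sample log below and the Get-LogWindow helper are constructed for this demo.

$sample = @'
00000001.00000abc::2017/08/08-10:00:01.000 INFO  [RCM] Resource 'File Share' online
00000001.00000abc::2017/08/08-10:00:02.000 INFO  [RCM] Resource 'IP Address' online
00000001.00000abc::2017/08/08-10:00:03.000 WARN  [RCM] Heartbeat delayed on node2
00000001.00000abc::2017/08/08-10:00:04.000 ERR   [RCM] Resource 'File Share' failed, status 0x35
00000001.00000abc::2017/08/08-10:00:05.000 INFO  [RCM] Attempting restart of 'File Share'
00000001.00000abc::2017/08/08-10:00:06.000 INFO  [RCM] Resource 'File Share' online
00000001.00000abc::2017/08/08-10:00:07.000 INFO  [RCM] Heartbeat normal on node2
'@

$logPath = Join-Path ([IO.Path]::GetTempPath()) 'cluster-sample.log'
Set-Content -Path $logPath -Value $sample

function Get-LogWindow {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Pattern,
        [int] $Before = 2,
        [int] $After = 2
    )
    # Select-String returns one MatchInfo per hit; LineNumber is 1-based, the
    # same number the cmdlet prints in front of each matching line.
    foreach ($hit in Select-String -Path $Path -Pattern $Pattern) {
        $start = [Math]::Max(1, $hit.LineNumber - $Before)
        $count = $hit.LineNumber + $After - $start + 1
        # -Skip drops everything before the window; -First keeps the window itself
        # and stops reading the file once it has enough lines.
        $lines = @(Get-Content -Path $Path | Select-Object -Skip ($start - 1) -First $count)
        [pscustomobject]@{
            LineNumber = $hit.LineNumber
            Window     = "$start-$($start + $lines.Count - 1)"
            Text       = ($lines -join [Environment]::NewLine)
        }
    }
}

# The article's approach: the hit is prefixed with '>' and surrounded by its neighbours.
# Select-String is case-insensitive by default, so ' err ' also matches ' ERR '.
Select-String -Path $logPath -Pattern ' err ' -Context 2

# The scripted equivalent, built from the LineNumber property of each hit.
Get-LogWindow -Path $logPath -Pattern ' err ' -Before 2 -After 2 | Format-List
# LineNumber : 4
# Window     : 2-6
# Text       : (lines 2 to 6 of the sample)

Remove-Item -Path $logPath
```

Because the window is clamped at line 1, a hit on the first line of a file still produces a valid range instead of a negative -Skip value.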
Opening a remote file
After all that, if you still want to open the log file in a GUI editor, you can run PSEdit inside a PSSession. This command opens the file directly, without the need to download it locally first.
Please note that PSEdit is only available in the ISE console.
For example, the following command line downloads and opens the log file of the default IIS website.