Search the event log with the Get-WinEvent PowerShell cmdlet

Home Blog Search the event log with the Get-WinEvent PowerShell cmdlet

4sysops - The online community for SysAdmins and DevOps

    , ,   7
Searching in the event log is one of the most common tasks of a system administrator. With the help of the Get-WinEvent PowerShell cmdlet, you can easily display the Windows events that interest you.
Contents
  1. All available logs
  2. Events of a specific event log
  3. All events one page at a time
  4. A limited number of events
  5. Specific events using a hash table
  6. Display only events with a specific ID
  7. Events with a specific information level
  8. Audit success or audit failure security events
  9. Events with messages containing specific words
  10. Events with a specific date or time
  11. The whole message
  12. A specific event
Latest posts by Luc Fullenwarth (see all)

All available logs

In most cases, you will want to restrict your search to a specific log. To find a log name, you can use the ListLog parameter together with the wildcard character. The command below lists all available logs. Note that you have to run the command in a PowerShell console with administrator privileges to access logs.

Get-WinEvent -ListLog *
Displaying all logs

Displaying all logs

If you remember a specific word, just put it between two wildcards. For instance, the following command lists all logs with the term "powershell" in the path:

Get-WinEvent -ListLog *powershell*

Events of a specific event log

Once you've found the event log you want to parse, use the LogName parameter. For example, the following command lists all events from the System log:

Get-WinEvent -LogName 'System'

As you probably know, Windows organizes log files in a hierarchical tree structure. Thus, if you want to query logs that are not at the root of the tree, you must specify the whole path. For instance, if you want to list all events from the PowerShell Operational log, use the following command:

Get-WinEvent -LogName 'Microsoft-Windows-PowerShell/Operational'

That's useful, but displaying all events often delivers too much information at the same time. Let's see how to cope with that.

All events one page at a time

The Out-Host cmdlet associated with the Paging parameter is what you need here. The following example pipes the result of the Get-WinEvent cmdlet to the Out-Host cmdlet, which is in charge of displaying it one page at a time:

Get-WinEvent -LogName 'System' | Out-Host -Paging

Unfortunately, the Out-Host cmdlet does not work in the Integrated Scripting Environment (ISE) console. On the other hand, usually you don't need to display all events, and you will only focus on the most recent ones.

A limited number of events

By using the MaxEvents parameter, you will only display the selected number of the most recent events. For instance, the command below displays only the 20 most recent events from the System log:

Get-WinEvent -LogName 'System' -MaxEvents 20

Please note that you can combine this parameter with all other parameters of the Get-WinEvent cmdlet.

Specific events using a hash table

Get-WinEvent has a special parameter that allows passing some predefined filter values through a hash table. Note that you have to provide at least the log name. All other values depend on what you are searching for. For example, if you want to display all events from the System log, you can use this command:

Get-WinEvent -FilterHashTable @{LogName='System'}

Display only events with a specific ID

To display only events matching a specific ID, you need to provide another key/value pair with ID as the key and the specified ID as the value. In the next example, the command displays all events with ID 1020 from the System log:

Get-WinEvent -FilterHashTable @{LogName='System';ID='1020'}

If you want to select several event IDs, just separate the different values by a comma. For instance, the next command displays all events from the System log matching ID 1 or 42:

Get-WinEvent -FilterHashTable @{LogName='System';ID='1','42'}

Events with a specific information level

You must provide the information level with Level as the key and a Number as the value. Here is a list of levels associated with their respective numbers:

  • LogAlways 0
  • Critical 1
  • Error 2
  • Warning 3
  • Informational 4
  • Verbose 5

The following command displays all error events from the System log:

Get-WinEvent -FilterHashTable @{LogName='System';Level='2'}

Unfortunately, you can only specify one level at a time through a hash table. However, we can circumvent this problem by using the Where-Object cmdlet instead of the Level key from the hash table.

The next command will display all events from the System log that match the Error and Warning levels:

Get-WinEvent -FilterHashtable @{LogName='system'} | Where-Object -FilterScript {($_.Level -eq 2) -or ($_.Level -eq 3)}
Searching all events with error and warning levels

Searching all events with error and warning levels

Audit success or audit failure security events

Filtering events from the Security log is a bit different from other logs because it does not provide the information level. Instead you can search for audit failure or audit success events. You must provide this filter with the Keywords key in the hash table, and the value must be a number. Here are the two audit keywords associated with their respective numbers:

  • Failure Audit 4503599627370496
  • Success audit 9007199254740992

The command below displays all audit failure events from the Security log:

Get-WinEvent -FilterHashtable @{LogName='Security';Keywords='4503599627370496'}

Please note that in order to be able to get events from the Security log, the Get-WinEvent cmdlet must be run from inside an elevated command prompt.

Events with messages containing specific words

To display only events with messages containing a specific word, you could use the Data key. However, this is a little tricky, especially because you can't work with wildcards or regular expressions. The easiest way to find events with a specific word is to use the Where-Object cmdlet and filter events with the Message property.

The next example displays all events containing the phrase "the system has resumed" from the System log:

Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'the system has resumed'

Events with a specific date or time

You can display events with a specific date or time with the help of the StartTime key and/or the EndTime key inside the hash table. Although there are several possibilities to provide the StartTime and EndTime values, I will only show the simplest way. The first step is to store the timestamp returned by the Get-Date cmdlet into a variable.

The following command stores "2017 January 1st at 15:30" into a $StartTime variable:

$StartTime=Get-Date -Year 2017 -Month 1 -Day 1 -Hour 15 -Minute 30

And the next command stores "2017 February 15th at 20:00" into $EndTime:

$EndTime=Get-Date -Year 2017 -Month 2 -Day 15 -Hour 20 -Minute 00

The second step is to specify the StartTime and/or EndTime keys in the hash table. The following example uses the variables we created above to display only System events generated between these two dates:

Get-WinEvent -FilterHashtable @{LogName='System';StartTime=$StartTime;EndTime=$EndTime}

Note that we provide variables (like $StartTime) without single quotes.

You can also combine several keys in the hash table. The next example displays the five most recent Error events from the System log, generated after a specified date with the ID 10010:

Get-WinEvent -FilterHashtable @{LogName='System';StartTime=$StartDate;Level='2';ID='10010'} -MaxEvents 5

Please note that if you use the MaxEvents parameter, it always has to stay outside the hash table.

The whole message

While the default display format (as a table) is useful to give an overview of all selected events, the event message is usually truncated. In this case, you can just pipe the result to the Format-List cmdlet:

Get-WinEvent -LogName System -MaxEvents 5 | Format-List
Displaying the entire event log

Displaying the entire event log

A specific event

Sometimes, when you get a big list of events, you just want display one event located in the midst of all other events. The trick here is to display them and then use an additional property containing the record number of every event. This record number is a unique identifier for each event.

The first step is to use the Format-Table cmdlet and specify the RecordId property in addition to all other properties. For example, the next command displays the RecordId property as the first column:

Get-WinEvent -FilterHashtable @{LogName='Security';Keywords='4503599627370496'} | Format-Table -Property RecordId,TimeCreated,ID,LevelDisplayName,Message

The second step is to launch the Get-WinEvent cmdlet again and pipe the result to the Where-Object cmdlet while specifying the RecordId number:

Subscribe to 4sysops newsletter!

Get-WinEvent -FilterHashtable @{LogName='Security'} |Where-Object ‑Property RecordId -eq 810

As you can notice, in the second step you just need to provide the LogName, because filtering by RecordId is sufficient.

avataravatar
Related Articles
7 Comments
  1. jkavanagh58 6 years ago

    Since I just worked with a client on an effort to filter the eventlog, one oft-ignored data point with get-eventlog is the ReplacementStrings object. IMHO

    Reply
    • Author
      Luc Fullenwarth (Rank 4) 6 years ago

      @jkavanagh58,

      The equivalent for ReplacementStrings with Get-WinEvent is the Data key.
      However, this one is a little tricky and I have in mind to write another dedicated post about this topic if some people are interested in.

      Reply
      • jkavanagh58 6 years ago

        Understood. I like
        (get-eventlog -LogName Security -after ((get-date).AddDays(-1))).where{$_.InstanceID -eq “4624” -Or $_.InstanceID -eq “4634” -and $_.ReplacementStrings[8] -eq “10”}

        (get-eventlog -LogName Security -after ((get-date).AddDays(-1))).where{$_.InstanceID -eq "4624" -Or $_.InstanceID -eq "4634" -and $_.ReplacementStrings[8] -eq "10"}

        Reply
  2. Susan Nicosia 4 years ago

    What if you wanted to collect  logs for a number of different log id ..over 100 different EventIDs

    Reply
  3. Fred 4 years ago

    >>Unfortunately, you can only specify one level at a time through a hash table.<<

    Level=1,2,3

    You can specify an array.

    Reply
  4. DARRELL 4 years ago

    How would you use that to go about filtering out DFS Replication warning and information logs? For example, 

    Let's say we see event id 5002 in the DFS Replication log with a message of "The DFS Replication service encountered an error communicating with partner ***** for replication group Domain System Volume." 

    The corresponding event id 5004 "The DFS Replication service successfully established an inbound connection with partner ***** for replication group Domain System Volume." indicates that the issue has resolved itself as long as the partner ***** name matches the same name as the 5002 event message.

    I would need to see only events 5002 that do not have a corresponding 5004 after the 5002.

    Reply
  5. nikko 4 years ago

    How can u filter log 42 and 6008 for 5 days only . Ex: when i run it today it will display Nov 1 to Nov 5.

    Thanks

    Reply

Leave a reply

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2023

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account