Поделиться через


Using the Get-Eventlog Cmdlet

Managing Event Logs and Event Log Events

The Get-EventLog cmdlet actually serves two purposes: it enables you to manage your event logs, and it also enables you to get at the events contained within those event logs.

For example, suppose you’d like some basic information about the event logs on your computer. In that case, make sure you include the -list parameter when calling Get-EventLog:

Get-EventLog -list

In return, you’ll get back information similar to this:

Max(K) Retain OverflowAction        Entries Name
  ------ ------ --------------        ------- ----
  15,168      0 OverwriteAsNeeded       5,279 Application
     512      7 OverwriteOlder            145 Credential Manager
     512      7 OverwriteOlder             12 MNP Toc Editor
  15,360      0 OverwriteAsNeeded          88 MonadLog
  15,360      0 OverwriteAsNeeded         324 PowerShell
  30,016      0 OverwriteAsNeeded      51,510 Security
  15,168      0 OverwriteAsNeeded       6,457 System

If you only want information about a specific event log then use the Where-Object cmdlet to limit data retrieval to the log whose LogDisplayName is equal to, say, System:

Get-EventLog -list | Where-Object {$_.logdisplayname -eq "System"}

As you can see, all you’ll get back is information about the System event log:

Max(K) Retain OverflowAction        Entries Name
  ------ ------ --------------        ------- ----
  15,168      0 OverwriteAsNeeded       6,458 System

But that’s just the beginning; as we noted, you can also use Get-EventLog to look at the events in your event log. For example, this command retrieves all the events in the System event log:

Get-EventLog system

That’s going to result in (depending on the number of records in your event log) a long scrolling list similar to this:

More information than you really wanted, or needed? Then use the -newest parameter, and get back only the last x number of events recorded in the log. For example, this command retrieves the last three events written to the System event log:

Get-EventLog system -newest 3

Here’s the kind of data you’ll get back:

Index Time          Type Source                EventID Message
----- ----          ---- ------                ------- -------
 5811 May 13 09:42  Erro W32Time                    29 The time provider Ntp...
 5810 May 13 09:42  Warn W32Time                    14 The time provider Ntp...
 5809 May 13 09:13  Warn DnsApi                  11194 The system failed to ...

To get more detailed information, just pipe the returned data through the Format-List cmdlet:

Get-EventLog system -newest 3 | Format-List

That will bring back information like this:

Index              : 5811
EntryType          : Error
EventID            : 29
Message            : The time provider NtpClient is configured to acquire time from one or more
                     time sources, however none of the sources are currently accessible.
                     No attempt to contact a source will be made for 59 minutes.
                     NtpClient has no source of accurate time.
Category           : (0)
CategoryNumber     : 0
ReplacementStrings : {59}
Source             : W32Time
TimeGenerated      : 5/13/2006 9:42:22 AM
TimeWritten        : 5/13/2006 9:42:22 AM

You can also pipe data through the Where-Object cmdlet to return a subset of events. For example, this command retrieves only those events in the Windows PowerShell event log that have an EventID equal to 403:

Get-EventLog "Windows PowerShell" | Where-Object {$_.EventID -eq 403}

As you might expect, all we get back are events with an EventID equal to 403:

Index Time          Type Source                EventID Message
----- ----          ---- ------                ------- -------
   58 May 12 09:09  Info Windows PowerShell                403 Engine state is chang...
   34 May 10 15:39  Info Windows PowerShell                403 Engine state is chang...
   16 May 09 15:28  Info Windows PowerShell                403 Engine state is chang...

Here’s a nifty little command, one that retrieves all the events in the Windows PowerShell event log, then uses the Group-Object cmdlet to group those events by EventID. In other words, the command tallies up the total number of events for each ID (for example, two events with the EventID 300 occurred, six events with the EventID 400 occurred, etc.). That data is then piped through the Sort-Object cmdlet to provide results sorted by EventID. Here’s the command:

Get-EventLog "Windows PowerShell" | Group-Object eventid | Sort-Object Name

And here’s the results of running that command:

Count Name                      Group
----- ----                      -----
    2 300                       {TVSFRANK, TVSFRANK}
    6 400                       {TVSFRANK, TVSFRANK, TVSFRANK, TVSFRANK...}
    3 403                       {TVSFRANK, TVSFRANK, TVSFRANK}
   42 600                       {TVSFRANK, TVSFRANK, TVSFRANK, TVSFRANK...}
   21 601                       {TVSFRANK, TVSFRANK, TVSFRANK, TVSFRANK...}