Perform a Windows event log search with PowerShell
Event log monitoring is vital to an IT environment's health and success, but finding a specific event in the flood is challenging. PowerShell enables admins to simplify this task.
Admins who've had to troubleshoot something on Windows Server are familiar with the Event Viewer monitoring tool, which enables IT teams to search for and filter certain events in the Windows event log.
Event Viewer is a powerful tool, but its GUI can lead to slow and manual search processes. Alternatively, admins can use PowerShell to streamline and narrow down a Windows event log search.
Start with the Get-WinEvent cmdlet in PowerShell. This is the easiest way to query for events in the Windows event log. If you run the cmdlet by itself with no parameters, however, you might end up with a screen full of red error text:
To avoid this error, use more specific parameters. Return entries from a specific log using the -LogName parameter:
Get-WinEvent -LogName System
You'll notice the ProviderName header in the output below.
To query for a specific provider -- which, in this example, is the entity that produces the log entries -- use the -ProviderName parameter. Here, we look for the Microsoft-Windows-Kernel-General provider:
Get-WinEvent -ProviderName 'Microsoft-Windows-Kernel-General'
The output from this Windows event log search should show information, such as time created, as seen below:
You can't use the -LogName and -ProviderName parameters at the same time unless you use one of the filter parameters, such as -FilterHashtable.
With -FilterHashtable, you can specify the following values:
- LogName
- ProviderName
- Path
- Keywords
- ID
- Level
- StartTime
- EndTime
- UserID
- Data
- *
To see the list, run the following:
help Get-WinEvent -Parameter FilterHashtable
To find, for example, a computer's startup events, enter the following:
Get-WinEvent -FilterHashtable @{
    ProviderName = 'Microsoft-Windows-Kernel-General'
    LogName = 'System'
    Id = 12
}
For this Windows event log search, PowerShell should return what is seen below.
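As an added example that is not part of the original article, the following wrapper function combines the -FilterHashtable keys listed above (log, provider, ID, level and a StartTime/EndTime window) and handles the error Get-WinEvent raises when no events match, so a search over a quiet period returns an empty result instead of red error text. The function name, parameter names and the seven-day default window are my own choices.

```powershell
# Added example (not from the original article): a reusable wrapper around
# Get-WinEvent -FilterHashtable that accepts a time window and a list of IDs,
# and treats "no events found" as an empty result rather than an error.
function Find-WinEventEntry {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $LogName,
        [string]   $ProviderName,
        [int[]]    $Id,
        [int]      $Level,                  # 1=Critical 2=Error 3=Warning 4=Information
        [datetime] $StartTime = (Get-Date).AddDays(-7),   # assumed default window
        [datetime] $EndTime   = (Get-Date),
        [int]      $MaxEvents = 100
    )

    # Build the hashtable only from the parameters the caller supplied;
    # Get-WinEvent rejects filter keys whose value is null.
    $filter = @{ LogName = $LogName; StartTime = $StartTime; EndTime = $EndTime }
    if ($ProviderName) { $filter['ProviderName'] = $ProviderName }
    if ($Id)           { $filter['Id']           = $Id }
    if ($Level)        { $filter['Level']        = $Level }

    try {
        Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
            Select-Object TimeCreated, Id, LevelDisplayName, ProviderName,
                          @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } }
    }
    catch {
        # Get-WinEvent raises an error when nothing matches the filter; return an empty array instead.
        if ($_.Exception.Message -like '*No events were found*') { return @() }
        throw
    }
}

# Usage: the article's startup-event query (Kernel-General ID 12) limited to the
# last week, followed by a count of startups per day.
Find-WinEventEntry -LogName System -ProviderName 'Microsoft-Windows-Kernel-General' -Id 12 |
    Group-Object { $_.TimeCreated.Date.ToShortDateString() } |
    Select-Object Name, Count
```

Because Id accepts an array, the same call can list several event IDs at once (for example startup and shutdown events from the same provider) within a single time window.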
Editor's note: This expert answer is second in a three-part series on PowerShell automation. See this expert answer on ACL folder management, and stay tuned for the final installment on PATH environment management.