Export (0) Print
Expand All

Get-EventLog

Published: February 29, 2012

Updated: August 23, 2012

Applies To: Windows PowerShell 2.0, Windows PowerShell 3.0

Get-EventLog

Gets the events in an event log, or a list of the event logs, on the local or remote computers.

Syntax

Parameter Set: LogName
Get-EventLog [-LogName] <String> [[-InstanceId] <Int64[]> ] [-After <DateTime> ] [-AsBaseObject] [-Before <DateTime> ] [-ComputerName <String[]> ] [-EntryType <String[]> ] [-Index <Int32[]> ] [-Message <String> ] [-Newest <Int32> ] [-Source <String[]> ] [-UserName <String[]> ] [ <CommonParameters>]

Parameter Set: List
Get-EventLog [-AsString] [-ComputerName <String[]> ] [-List] [ <CommonParameters>]




Detailed Description

The Get-EventLog cmdlet gets events and event logs on the local and remote computers.

Use the parameters of Get-EventLog to search for events by using their property values. Get-EventLog gets only the events that match all of the specified property values.

The cmdlets that contain the EventLog noun (the EventLog cmdlets) work only on classic event logs. To get events from logs that use the Windows Event Log technology in Windows Vista and later versions of Windows, use Get-WinEvent.

Parameters

-After<DateTime>

Gets only the events that occur after the specified date and time. Enter a DateTime object, such as the one returned by the Get-Date cmdlet.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-AsBaseObject

Returns a standard System.Diagnostics.EventLogEntry object for each event. Without this parameter, Get-EventLog returns an extended PSObject object with additional EventLogName, Source, and InstanceId properties.

To see the effect of this parameter, pipe the events to the Get-Member cmdlet and examine the TypeName value in the result.


Aliases

none

Required?

false

Position?

named

Default Value

False

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-AsString

Returns the output as strings, instead of objects.


Aliases

none

Required?

false

Position?

named

Default Value

False

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-Before<DateTime>

Gets only the events that occur before the specified date and time. Enter a DateTime object, such as the one returned by the Get-Date cmdlet.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-ComputerName<String[]>

Specifies a remote computer. The default is the local computer.

Type the NetBIOS name, an Internet Protocol (IP) address, or a fully qualified domain name of a remote computer. To specify the local computer, type the computer name, a dot (.), or "localhost".

This parameter does not rely on Windows PowerShell remoting. You can use the ComputerName parameter of Get-EventLog even if your computer is not configured to run remote commands.


Aliases

none

Required?

false

Position?

named

Default Value

Local computer

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-EntryType<String[]>

Gets only events with the specified entry type. Valid values are Error, Information, FailureAudit, SuccessAudit, and Warning. The default is all events.


Aliases

none

Required?

false

Position?

named

Default Value

All events

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-Index<Int32[]>

Gets only events with the specified index values.


Aliases

none

Required?

false

Position?

named

Default Value

All events

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-InstanceId<Int64[]>

Gets only events with the specified instance IDs.


Aliases

none

Required?

false

Position?

2

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-List

Gets a list of event logs on the computer.


Aliases

none

Required?

false

Position?

named

Default Value

False

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-LogName<String>

Specifies the event log. Enter the log name (the value of the Log property; not the LogDisplayName) of one event log. Wildcard characters are not permitted. This parameter is required.


Aliases

none

Required?

true

Position?

1

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-Message<String>

Gets events that have the specified string in their messages. You can use this property to search for messages that contain certain words or phrases. Wildcards are permitted.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

true

-Newest<Int32>

Specifies the maximum number of events retrieved. Get-EventLog gets the specified number of events, beginning with the newest event in the log.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-Source<String[]>

Gets events that were written to the log by the specified sources. Wildcards are permitted.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

true

-UserName<String[]>

Gets only the events that are associated with the specified user names. Enter names or name patterns, such as User01, User*, or Domain01\User*. Wildcards are permitted.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

true

<CommonParameters>

This cmdlet supports the common parameters: -Verbose, -Debug, -ErrorAction, -ErrorVariable, -OutBuffer, and -OutVariable. For more information, see  about_CommonParameters (http://go.microsoft.com/fwlink/p/?LinkID=113216).

Inputs

The input type is the type of the objects that you can pipe to the cmdlet.

  • None.

    You cannot pipe input to this cmdlet.


Outputs

The output type is the type of the objects that the cmdlet emits.

  • System.Diagnostics.EventLogEntry. System.Diagnostics.EventLog. System.String

    If the LogName parameter is specified, the output is a collection of EventLogEntry objects (System.Diagnostics.EventLogEntry).

    If only the List parameter is specified, the output is a collection of EventLog objects (System.Diagnostics.EventLog).

    If both the List and AsString parameters are specified, the output is a collection of Strings (System.String).


Notes

  • The Get-EventLog and Get-WinEvent cmdlets are not supported in Windows Preinstallation Environment (Windows PE).

Examples

-------------------------- EXAMPLE 1 --------------------------

This command gets the event logs on the computer.


PS C:\> get-eventlog -list

-------------------------- EXAMPLE 2 --------------------------

This command gets the five most recent entries from the Application event log.


PS C:\> get-eventlog -newest 5 -logname application

-------------------------- EXAMPLE 3 --------------------------

This example shows how to find all of the sources that are represented in the 1000 most recent entries in the System event log.

The first command gets the 1,000 most recent entries from the System event log and stores them in the $events variable.

The second command uses a pipeline operator (|) to send the events in $events to the Group-Object cmdlet, which groups the entries by the value of the Source property. The command uses a second pipeline operator to send the grouped events to the Sort-Object cmdlet, which sorts them in descending order, so the most frequently appearing source is listed first.

Source is just one property of event log entries. To see all of the properties of an event log entry, pipe the event log entries to the Get-Member cmdlet.


PS C:\> $events = get-eventlog -logname system -newest 1000
PS C:\>$events | group-object -property source -noelement | sort-object -property count –descending

Count Name
----- ----
75    Service Control Manager
12    Print
6     UmrdpService
2     DnsApi
2     DCOM
1     Dhcp
1     TermDD
1     volsnap

-------------------------- EXAMPLE 4 --------------------------

This command gets only error events from the System event log.


PS C:\> get-eventlog -logname System -EntryType Error

-------------------------- EXAMPLE 5 --------------------------

This command gets events from the System log that have an InstanceID of 3221235481 and a Source value of "DCOM."


PS C:\> get-eventlog -logname System -instanceID 3221235481 -Source "DCOM"

-------------------------- EXAMPLE 6 --------------------------

This command gets the events from the "Windows PowerShell" event log on three computers, Server01, Server02, and the local computer, known as "localhost".


PS C:\> get-eventlog -logname "Windows PowerShell" -computername localhost, Server01, Server02

-------------------------- EXAMPLE 7 --------------------------

This command gets all the events in the Windows PowerShell event log that have a message value that includes the word "failed".


PS C:\> get-eventlog -logname "Windows PowerShell" -message "*failed*"

-------------------------- EXAMPLE 8 --------------------------

This example shows how to display the property values of an event in a list.

The first command gets the newest event from the System event log and saves it in the $a variable.

The second command uses a pipeline operator (|) to send the event in $a to the Format-List command, which displays all (*) of the event properties.


PS C:\> $a = get-eventlog -log System -newest 1
PS C:\>$a | format-list -property *

EventID            : 7036
MachineName        : Server01
Data               : {}
Index              : 10238
Category           : (0)
CategoryNumber     : 0
EntryType          : Information
Message            : The description for Event ID
Source             : Service Control Manager
ReplacementStrings : {WinHTTP Web Proxy Auto-Disco
InstanceId         : 1073748860
TimeGenerated      : 4/11/2008 9:56:05 PM
TimeWritten        : 4/11/2008 9:56:05 PM
UserName           :
Site               :
Container          :

-------------------------- EXAMPLE 9 --------------------------

This command gets events in the Application event log where the source is Outlook and the event ID is 34. Even though Get-EventLog does not have an EventID parameter, you can use the Where-Object cmdlet to select events based on the value of any event property.


PS C:\> get-eventlog -log application -source outlook | where {$_.eventID -eq 34}

-------------------------- EXAMPLE 10 --------------------------

This command returns the events in the system log grouped by the value of their UserName property. The Get-EventLog command uses the UserName parameter to get only events in which the user name begins with "NT*".


PS C:\> get-eventlog -log system -username NT* | group-object -property username -noelement | format-table Count, Name -auto

Count Name
----- ----
6031  NT AUTHORITY\SYSTEM
42    NT AUTHORITY\LOCAL SERVICE
4     NT AUTHORITY\NETWORK SERVICE

-------------------------- EXAMPLE 11 --------------------------

This command gets all of the errors in the Windows PowerShell event log that occurred in June 2008.


PS C:\> $May31 = get-date 5/31/08
PS C:\>$July1 = get-date 7/01/08
PS C:\>get-eventlog -log "Windows PowerShell" -entrytype Error -after $may31 -before $july1

Related topics



Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft