
Use Get-Winevent Powershell Cmdlet | Get Windows Event Logs With Best 3 Examples

One of a system administrator’s most frequent jobs is to search the event log. The Get-WinEvent PowerShell cmdlet makes it simple to display the Windows events that catch your eye.

The Get-WinEvent cmdlet retrieves events from event logs, including both the classic logs such as System and Application and the newer logs produced by the Windows Event Log technology introduced with Windows Vista (the Applications and Services Logs). It can also read Event Tracing for Windows (ETW) trace files.


Events from several logs and providers can be combined in one command, and Get-WinEvent lets you filter them with XPath queries, structured XML queries, or the simpler hash-table syntax.

How To Use Get-Winevent Powershell Cmdlet? Windows Event Logs Provider

Windows includes a large number of event logs, so how do you get at them quickly? The classic Windows event logs such as System and Application, the logs produced by the Windows Event Log technology, and even Event Tracing for Windows (ETW) trace files can all be read with the Get-WinEvent cmdlet.

How to List Available Logs with Get-WinEvent?

Without knowing which logs exist on a host it is hard to tell which entries you need. The -ListLog parameter of Get-WinEvent lists the logs that are available; passing the wildcard * as its value tells the cmdlet to list every log without filtering by name.

All logs are retrieved, as shown below, and Select-Object trims the output down to a handful of properties.

Get-WinEvent -ListLog * | Select-Object LogName, RecordCount, IsClassicLog, IsEnabled, LogMode, LogType | Format-Table -AutoSize

The LogMode property is worth a look; as you may have noticed, it is usually set to Circular.

  • Circular: when the log reaches its maximum size, the oldest entries are overwritten.
  • Retain: keep logging until the log is full, then stop recording until the log is cleared.
  • AutoBackup: when the log is full, archive it to a file and start a new, empty log.

For forensic work Circular is the mode that loses evidence: a busy, undersized log can roll over in hours, so the MaximumSizeInBytes property matters as much as the mode.

The LogType property tells you what kind of log it is. It is mainly a classification, but it also reflects how the log is used and what kind of events it holds.

  • Administrative: problems with a clear cause and a defined action, aimed at administrators and end users.
  • Analytical: high-volume events that describe how a program is operating; disabled by default.
  • Debug: intended for developers who need a detailed view of a program's internals; also disabled by default.
  • Operational: events that occur during normal operation, used to diagnose problems and to trigger tasks.

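The LogMode and size properties listed above are what decide whether a log still holds evidence when you come to look for it. The following function, added here as an example rather than taken from the original article, audits them across every log: the 64 MB threshold and the list of logs that must be enabled are assumptions chosen for illustration.

```powershell
# Added example, not from the original article: audit retention settings that
# matter when you need the logs later. The size threshold and the list of logs
# that must be enabled are assumptions chosen for illustration; adjust them to
# your environment.
function Get-LogRetentionRisk {
    param(
        [long]$MinimumSizeBytes = 64MB,
        [string[]]$MustBeEnabled = @(
            'Security', 'System', 'Application',
            'Microsoft-Windows-PowerShell/Operational',
            'Microsoft-Windows-Sysmon/Operational'
        )
    )

    # Some logs cannot be read without elevation; skip them instead of stopping.
    $logs = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue

    # A log that is expected but not registered on this host is also a finding.
    foreach ($name in ($MustBeEnabled | Where-Object { $_ -notin $logs.LogName })) {
        [pscustomobject]@{
            LogName     = $name
            LogMode     = $null
            IsEnabled   = $false
            MaxSizeMB   = 0
            RecordCount = 0
            Reason      = 'not present on this host'
        }
    }

    foreach ($log in $logs) {
        $reasons = @()
        if ($log.LogName -in $MustBeEnabled -and -not $log.IsEnabled) {
            $reasons += 'disabled'
        }
        # Circular logs overwrite the oldest entries; an undersized one on a busy
        # host can roll over in hours and take the evidence with it.
        if ($log.LogMode -eq 'Circular' -and $log.MaximumSizeInBytes -lt $MinimumSizeBytes) {
            $reasons += 'circular and below size threshold'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                LogName     = $log.LogName
                LogMode     = $log.LogMode
                IsEnabled   = $log.IsEnabled
                MaxSizeMB   = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
                RecordCount = $log.RecordCount
                Reason      = $reasons -join '; '
            }
        }
    }
}

# Pass -MinimumSizeBytes to tighten the check for the logs you rely on most.
Get-LogRetentionRisk | Sort-Object MaxSizeMB | Format-Table -AutoSize
```

Run it elevated so that -ListLog can read every log; the Security log in particular often still has its default 20 MB maximum, which this check is designed to surface.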
1. Event Log Providers List

An event log provider is the named source that writes an event (for example Microsoft-Windows-Security-Auditing or Service Control Manager). Each provider is linked to one or more logs, such as Application or System.

When filtering, you may only be interested in problems reported by one provider. The -ListProvider parameter displays the available providers; with * as its value it lists every provider together with the logs it is linked to, such as Windows PowerShell or System.

Get-WinEvent -ListProvider * | Format-Table -Autosize

You may want to restrict the list to providers linked to a specific log, such as System. The LogLinks property holds the logs a provider writes to, so you can filter on it with Where-Object.

Use the -in comparison operator to keep only the providers whose LogLinks include System; Format-Table -AutoSize makes the output easier to read.

Get-WinEvent -ListProvider * | Where-Object { 'System' -in $_.LogLinks.LogName } | Format-Table -AutoSize

2. Modern Event Tracing for Windows with Get-WinEvent Event Viewer

Microsoft-Windows-WindowsUpdateClient/Operational is an example of a modern (Windows Event Log) log, as opposed to a classic log such as System. Querying it looks exactly the same; only the log name differs.

Get-WinEvent -LogName 'Microsoft-Windows-WindowsUpdateClient/Operational' -MaxEvents 10 | Select-Object TimeCreated, ID, ProviderName, LevelDisplayName, Message | Format-Table -AutoSize

By default Get-WinEvent returns events newest first, so -MaxEvents 10 gives you the 10 most recent. Add the -Oldest switch to read from the oldest event forward and get the first 10 instead. Letting Get-WinEvent do this is far faster than pulling the whole log and reversing it with Sort-Object, because only the requested events leave the Event Log service.

Get-WinEvent -LogName 'Microsoft-Windows-WindowsUpdateClient/Operational' -Oldest -MaxEvents 10 | Select-Object TimeCreated, ID, ProviderName, LevelDisplayName, Message | Format-Table -AutoSize

3. Exported Log Files (.evtx, .etl) with Get-WinEvent

Get-WinEvent is also a convenient way to query logs you have exported and kept for auditing, using the same cmdlets you use in scripts against live logs.

To show how to read entries from a *.evtx file, you first need an exported log:

  • Open the Event Viewer and select a log, for example the Windows PowerShell log under Applications and Services Logs.
  • In the Actions pane, choose Save All Events As… and save the file somewhere Get-WinEvent can read it.
  • Pass the file's location to the -Path parameter to read the events. -Path also accepts pre-Vista .evt files and .etl trace files; those two formats must be read with the -Oldest switch.
Get-WinEvent -Path 'C:\Articles\WindowsPowerShell.evtx' -MaxEvents 10 | Select-Object TimeCreated, ID, ProviderName, LevelDisplayName, Message | Format-Table -AutoSize
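Saving a log and then querying the copy is the usual way to preserve evidence before a host is rebuilt or a circular log rolls over. The script below is an added example, not code from the original article: it exports the Security log with wevtutil instead of the Event Viewer, records a SHA-256 hash of the file, and queries the export through the Path key of -FilterHashtable. The file path is a constructed example, and exporting the Security log needs an elevated session.

```powershell
# Added example, not from the original article: snapshot a live log to an
# .evtx file, record its hash, and query the copy offline. The export path is a
# constructed example; exporting the Security log needs an elevated session.
function Export-LogSnapshot {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [Parameter(Mandatory)][string]$Destination
    )
    # wevtutil epl (export-log) writes the log in its native .evtx format and
    # keeps the full XML of every event, the same as Save All Events As.
    wevtutil epl $LogName $Destination
    if ($LASTEXITCODE -ne 0) { throw "wevtutil failed with exit code $LASTEXITCODE" }
    # Hash the file straight away so the copy can be shown unchanged later.
    Get-FileHash -Path $Destination -Algorithm SHA256
}

$snapshot = Export-LogSnapshot -LogName 'Security' -Destination 'C:\Articles\Security-snapshot.evtx'
$snapshot | Format-List Path, Algorithm, Hash

# The Path key of -FilterHashtable targets a file instead of a live log, so the
# same filters work offline. 1102 is "The audit log was cleared", which is
# worth checking in any exported Security log.
Get-WinEvent -FilterHashtable @{ Path = $snapshot.Path; Id = 1102 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap

# Trace files and pre-Vista .evt files must be read with -Oldest (constructed path).
# Get-WinEvent -Path 'C:\Articles\trace.etl' -Oldest -MaxEvents 10
```

Keep the hash alongside the export; Get-FileHash on the same file later should return the same value, which is the simplest way to show the copy has not been altered since collection.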

Using Get-WinEvent to Filter Windows Event Logs

Get-WinEvent offers three parameters, -FilterHashTable, -FilterXPath and -FilterXML, to help you sort through thousands of events. Each does the same job in a different way, and all three are evaluated by the Event Log service before the events are handed to PowerShell, which is why they are so much faster than filtering afterwards with Where-Object.

1. Filtering Event Logs with FilterHashTable

The -FilterHashTable parameter filters on event properties such as LogName. Instead of -LogName, you can pass a hash table that selects a log, for example @{'LogName' = 'Application'}, which maps to the LogName property of each event. Other supported keys include ProviderName, Path, Id, Level, Keywords, StartTime, EndTime, UserID and Data.

The hash table given below searches only the Application log with a start time set to all events occurring after midnight on the current day, and Get-WinEvent rapidly returns results.

Get-WinEvent -FilterHashTable @{'LogName' = 'Application'; 'StartTime' = (Get-Date -Hour 0 -Minute 0 -Second 0)} | Select-Object TimeCreated, ID, ProviderName, LevelDisplayName, Message | Format-Table -AutoSize

Compare the time the command above takes with the same filter written as a Where-Object stage in the pipeline. The Where-Object version has to pull every event in the log into PowerShell before it can discard anything, and runs substantially slower.
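The hash-table filter and the timing comparison above, worked through on a log that matters for security: the function below is an added example, not code from the original article. It pulls failed logons (event ID 4625) from the Security log for the last 24 hours, reads the named EventData fields from each event's XML rather than relying on positional Properties[] indexes, and then times the same query written with Where-Object. Reading the Security log requires an elevated session.

```powershell
# Added example, not from the original article: -FilterHashtable against the
# Security log for failed logons (event ID 4625) in the last N hours, with the
# EventData fields pulled from each event's XML. Reading Security requires an
# elevated session.
function Get-FailedLogonSummary {
    param([int]$Hours = 24)

    $filter = @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # When nothing matches, Get-WinEvent writes an error ("No events were
    # found") rather than returning nothing; suppress it so the function
    # simply returns an empty result.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # EventData is a list of <Data Name="..."> elements; index them by name
        # instead of relying on positional Properties[] indexes.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType   = $data['LogonType']   # 2 interactive, 3 network, 10 RDP
            Source      = $data['IpAddress']
            Workstation = $data['WorkstationName']
            SubStatus   = $data['SubStatus']   # 0xC000006A wrong password, 0xC0000064 no such user
        }
    }
}

# Top account/source pairs, the usual first cut when looking for password spraying.
Get-FailedLogonSummary -Hours 24 |
    Group-Object Account, Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10 |
    Format-Table -AutoSize

# Same filter two ways: the hashtable is evaluated inside the Event Log
# service, while Where-Object has to receive every Security event first.
$since = (Get-Date).AddHours(-24)
$fast = Measure-Command {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue
}
$slow = Measure-Command {
    Get-WinEvent -LogName 'Security' -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -eq 4625 -and $_.TimeCreated -ge $since }
}
'FilterHashtable: {0:N0} ms   Where-Object: {1:N0} ms' -f $fast.TotalMilliseconds, $slow.TotalMilliseconds
```

The gap between the two timings grows with the size of the log; on a domain controller with a multi-gigabyte Security log the Where-Object form can take minutes while the hashtable returns in seconds.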

2. Event Log Results Filtering with FilterXML

This parameter accepts an XML query that is applied to the events as a filter. -FilterXML lets you build more complex rules, including queries that span several logs, and it can reproduce the earlier filtering examples.

The Event Viewer's Filter Current Log feature gives you a pre-formatted query: set your filters, switch to the XML tab, and copy the whole QueryList rather than only the contents of the Select node. A * in the Select node means no filters have been chosen.

  • Rather than writing a single-line command, split the XML query across lines and assign the markup to a variable called $Query.
  • Pass $Query to the -FilterXML parameter; the variable keeps the query readable and reusable.

The full query syntax is outside the scope of this page, but the basic structure is shown below. One notable difference when filtering on dates: the SystemTime attribute is stored in UTC, so the boundary must be a UTC timestamp in the form yyyy-MM-ddTHH:mm:ss.fffZ. The -AsUTC switch on Get-Date does the conversion, but it only exists in PowerShell 7.1 and later; on Windows PowerShell 5.1 use (Get-Date -Hour 0 -Minute 0 -Second 0 -Millisecond 0).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ') instead.

$Query = "<QueryList>
  <Query Id='0' Path='Application'>
    <Select Path='Application'>*[System[TimeCreated[@SystemTime >= '$(Get-Date -Hour 0 -Minute 0 -Second 0 -Millisecond 0 -Format "yyyy-MM-ddTHH:mm:ss.fffZ" -AsUTC)']]]</Select>
  </Query>
</QueryList>"
Get-WinEvent -FilterXML $Query | Select-Object TimeCreated, ID, ProviderName, LevelDisplayName, Message | Format-Table -AutoSize
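-FilterXML is the only one of the three filters that can cover several logs in one query and subtract matches with a Suppress element. The query below is an added example, not one from the original article: it pulls a handful of well-known events that an incident responder checks first (1102 audit log cleared and 4720 user account created from Security; 7045 new service installed and 104 log cleared from System) and suppresses one service name. The suppressed service name is a hypothetical placeholder, and reading the Security log requires elevation.

```powershell
# Added example, not from the original article: one -FilterXML query that
# spans two logs and uses <Suppress> to drop a known-benign match. Event IDs
# are the standard Windows ones: 1102 (Security audit log cleared), 4720 (user
# account created), 7045 (new service installed), 104 (an event log was cleared).
$Query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=1102 or EventID=4720)]]</Select>
  </Query>
  <Query Id="1" Path="System">
    <Select Path="System">*[System[(EventID=7045 or EventID=104)]]</Select>
    <!-- 7045 carries the service name in EventData; 'ExampleAgent' is a
         hypothetical name standing in for an installer you have vetted. -->
    <Suppress Path="System">*[EventData[Data[@Name='ServiceName']='ExampleAgent']]</Suppress>
  </Query>
</QueryList>
"@

Get-WinEvent -FilterXml $Query -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LogName, Id, ProviderName, Message |
    Format-Table -AutoSize -Wrap
```

Because the whole QueryList is evaluated by the Event Log service, the Suppress element costs nothing on the PowerShell side; it is the same XML the Event Viewer writes when you save a custom view, so a query that works here can be pasted back into a custom view unchanged.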

3. Utilizing the FilterXPath Parameter to Filter Event Logs

Event log entries are stored as XML, so you can query them with XPath, an XML query language. The command above translates directly into XPath and returns the same results.

Use the Event Viewer's filter to create an XPath query:

  • Open the Event Viewer and go to Windows Logs, then Application (or any other log).
  • In the right-hand Actions pane, click Filter Current Log.
  • Enter the criteria you want to filter on.
  • Switch to the XML tab and copy the contents of the Select node, which is the XPath expression.
Get-WinEvent -LogName 'Application' -FilterXPath "*[System[(Level=1 or Level=3)]]" | Select-Object TimeCreated, ID, ProviderName, LevelDisplayName, Message | Format-Table -AutoSize

Paste what you copied into the -FilterXPath parameter. As the example below shows, the XPath syntax from the Event Viewer lets you write a query that retrieves only the data you need.

The full syntax is outside the scope of this page, but the basic structure follows. The same date caveat applies as with -FilterXML: SystemTime is stored in UTC, so use the yyyy-MM-ddTHH:mm:ss.fffZ format with a UTC value (the -AsUTC switch on Get-Date, available from PowerShell 7.1; on Windows PowerShell 5.1 call .ToUniversalTime() on the date instead).

Get-WinEvent -LogName 'Application' -FilterXPath "*[System[TimeCreated[@SystemTime >= '$(Get-Date -Hour 0 -Minute 0 -Second 0 -Millisecond 0 -Format "yyyy-MM-ddTHH:mm:ss.fffZ" -AsUTC)']]]" | Select-Object TimeCreated, ID, ProviderName, LevelDisplayName, Message | Format-Table -AutoSize
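Where XPath earns its place over the hash table is filtering on named EventData fields. The function below is an added example, not code from the original article: it pulls successful and failed logons (4624 and 4625) for one account from the Security log, builds the UTC time boundary in a way that works on Windows PowerShell 5.1 as well as PowerShell 7, and validates the account name before splicing it into the query, since a quote or bracket in the name would change the meaning of the XPath. The account name in the usage line is an assumption.

```powershell
# Added example, not from the original article: -FilterXPath predicates on
# EventData fields, which the hashtable form cannot express by field name.
# The account name passed in is an assumption for illustration.
function Get-AccountLogonActivity {
    param(
        # The name is spliced into the XPath expression, so reject quote and
        # bracket characters that would alter the query.
        [Parameter(Mandatory)]
        [ValidatePattern('^[^''"\[\]]+$')]
        [string]$UserName,
        [int]$Hours = 24
    )

    # SystemTime is stored in UTC. ToUniversalTime() works on Windows
    # PowerShell 5.1 as well as PowerShell 7, where Get-Date -AsUTC is an option.
    $sinceUtc = (Get-Date).AddHours(-$Hours).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')

    # 4624 = successful logon, 4625 = failed logon. The Event Log service accepts
    # only a subset of XPath 1.0: comparisons, and/or, position(), band() and
    # timediff(); string functions such as contains() are rejected.
    $xpath = "*[System[(EventID=4624 or EventID=4625) and TimeCreated[@SystemTime>='$sinceUtc']] " +
             "and EventData[Data[@Name='TargetUserName']='$UserName']]"

    Get-WinEvent -LogName 'Security' -FilterXPath $xpath -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, MachineName,
            @{ n = 'Outcome'; e = { if ($_.Id -eq 4624) { 'success' } else { 'failure' } } }
}

# Constructed example account; run in an elevated session.
Get-AccountLogonActivity -UserName 'Administrator' -Hours 48 |
    Format-Table TimeCreated, Id, Outcome, MachineName -AutoSize
```

The EventData match is an exact string comparison, so pass the name exactly as it appears in the event; the validation attribute is there because anything you interpolate into an XPath string is part of the query, the same class of problem as building SQL by string concatenation.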