Get-WinEvent

Get events from event logs and event tracing log files on local and remote computers.

Syntax
      Get-WinEvent [-LogName] string[] [-ComputerName string]
         [-Credential PSCredential] [-FilterXPath string]
            [-Force] [-MaxEvents int64] [-Oldest] [CommonParameters]

      Get-WinEvent [-Path] string[] [-ComputerName string]
         [-Credential PSCredential] [-FilterXPath string]
            [-Force] [-MaxEvents int64] [-Oldest] [CommonParameters]

      Get-WinEvent [-ProviderName] string[] [-ComputerName string]
         [-Credential PSCredential] [-FilterXPath string ]
            [-Force] [-MaxEvents int64] [-Oldest] [CommonParameters]

      Get-WinEvent -FilterHashTable Hashtable[] [-ComputerName string]
         [-Credential PSCredential]
            [-Force] [-MaxEvents int64] [-Oldest] [CommonParameters]

      Get-WinEvent [-ListLog] string[] [-ComputerName string]
         [-Credential PSCredential] [CommonParameters]

      Get-WinEvent [-ListProvider] string[] [-ComputerName string]
         [-Credential PSCredential] [CommonParameters]

      Get-WinEvent -FilterXml XmlDocument [-ComputerName string]
         [-Credential PSCredential] [-Force] [-MaxEvents int64] [-Oldest] [CommonParameters]

Key:
   -ComputerName string
       Get events from the event logs on the specified computer.
       Type the NetBIOS name, IP address, or the fully qualified domain name.
       The default is the local computer.

       This parameter accepts only one computer name at a time.
       To find event logs or events on multiple computers, use a ForEach statement. 

       To get events and event logs from remote computers, the firewall port
       for the event log service must be configured to allow remote access.

       This parameter does not rely on PowerShell remoting.

   -Credential PSCredential
       A user account that has permission to perform this action.
       The default value is the current user.

       Type a user name, such as User64 or Domain64\User23.
       Or, enter a PSCredential object, such as one generated by Get-Credential.
       If no password is entered, you will be prompted for one.
       If only -Credential is typed, you will be prompted for a user name and password.

    -FilterHashTable Hashtable[]
       Use a query in hash table format to select events from one or more event logs.
       The query contains a hash table with one or more key-value pairs.

       Hash table queries have the following rules:
        - Keys and values are case-insensitive.
        - Wildcard characters are valid only in the values associated with the LogName and ProviderName keys.
        - Each key can be listed only once in each hash-table.
        - The Path value takes paths to .etl, .evt, and .evtx log files.
        - The LogName, Path, and ProviderName keys can be used in the same query. 
        - The UserID key can take a valid security identifier (SID) or a domain account
          name that can be used to construct a valid System.Security.Principal.NTAccount object.
        - The Data value takes event data in an unnamed field. This is for events in classic event logs.
        - The * key represents a named event data field.
        When Get-WinEvent cannot interpret a key-value pair, it interprets the key as a
        case-sensitive name for the event data in the event.

        The valid key-value pairs are as follows:
        -- LogName=String[]
        -- ProviderName=String[]
        -- Path=String[]
        -- Keywords=Long[]
        -- ID=Int32[]  (event ID)
        -- Level=Int32[]  (1=FATAL, 2=ERROR, 3=Warning, 4=Information, 5=DEBUG, 6=TRACE, 0=Info)
                          e.g. Level=2,3
        -- StartTime=DateTime
        -- EndTime=DateTime
        -- UserID=SID
        -- Data=String[]
        -- *=String[]
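The following is an added example, not part of the SS64 page, that combines several of the hash-table keys above in one query, including an unrecognised key that Get-WinEvent treats as a named event data field. It counts failed network logons (Security event 4625 with LogonType 3) over the last 24 hours per target account, a quick way to spot a password-spray pattern; the log name, event ID, field name and the Properties[5] position are standard Security-log values but are assumptions for this example.

```powershell
# Added example (not from the SS64 page). Every key except LogonType is one of the
# documented hash-table keys; LogonType is matched as a named EventData field, so
# its spelling and case must match the event's own field name exactly.
$filter = @{
    LogName   = 'Security'
    ID        = 4625
    StartTime = (Get-Date).AddDays(-1)
    LogonType = 3            # network logon; assumed Security-log field name
}

# "No events were found" is reported as a non-terminating error, so suppress it and
# wrap the result in @() so an empty result is an empty array rather than $null.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    "No matching 4625 events in the last 24 hours."
    return
}

# Properties[5] holds TargetUserName in the 4625 event layout (assumption; the
# index differs for other events, as the Event Properties section notes).
$events |
    Group-Object { $_.Properties[5].Value } |
    Sort-Object Count -Descending |
    Select-Object Count, @{ Name = 'TargetUserName'; Expression = { $_.Name } } |
    Format-Table -AutoSize
```

Accounts with an unusually high count at the top of the table are the ones to investigate first.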

   -FilterXml XmlDocument
       Use a structured XML query to select events from one or more event logs.

       To generate a valid XML query, use the Create Custom View and
       Filter Current Log features in Event Viewer.
       Use the items in the dialog box to create a query, and click the XML tab to view the XML query. 

       Typically, you use an XML query to create a complex query that contains several XPath statements. 
       The XML format also allows you to use a "Suppress" XML element that excludes events from the query.
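Here is an added example, not from the SS64 page, of a structured XML query with a "Suppress" element passed through -FilterXml. It selects successful logons (Security event 4624) from the last hour, suppresses the noisy service logons (LogonType 5), and then reads the named EventData fields from each event's own XML; the log name, event ID and field names are standard Security-log values but are assumptions for this example.

```powershell
# Added example (not from the SS64 page). The XML is the same shape Event Viewer
# produces on its XML tab; "&lt;=" is the XML escape for "<=", and timediff()
# takes milliseconds (3600000 = 1 hour).
$queryXml = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) &lt;= 3600000]]]
    </Select>
    <Suppress Path="Security">
      *[EventData[Data[@Name='LogonType']='5']]
    </Suppress>
  </Query>
</QueryList>
'@

# -FilterXml expects an XmlDocument, which the [xml] cast provides.
[xml]$query = $queryXml

Get-WinEvent -FilterXml $query -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Parse the event XML so fields can be read by name instead of by
        # Properties[] index, which is easier to keep correct across event IDs.
        $x = [xml]$_.ToXml()
        $data = @{}
        foreach ($field in $x.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            TargetUser  = $data['TargetUserName']
            LogonType   = $data['LogonType']
            Workstation = $data['WorkstationName']
            IpAddress   = $data['IpAddress']
        }
    } |
    Format-Table -AutoSize
```

When no Suppress element is needed, the XPath inside Select can be passed on its own to -FilterXPath together with -LogName Security.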

   -FilterXPath string
       Use an XPath query to select events from one or more logs.

   -Force
       Get debug and analytic logs, in addition to other event logs.
       The Force parameter is required to get a debug or analytic log when the value of -LogName
       includes wildcard characters.

       By default, Get-WinEvent excludes these logs unless you specify the full name of a debug or analytic log.

   -ListLog string[]
       Gets the specified event logs. Enter the event log names in a comma-separated list.
       Wildcards are permitted. To get all the logs, enter a value of *.

   -ListProvider string[]
       Get the specified event log providers.
       An event log provider is a program or service that writes events to the event log.

       Enter the provider names in a comma-separated list. Wildcards are permitted.
       To get the providers of all the event logs on the computer, enter a value of *.

   -LogName string[]
       Gets events from the specified event logs. Enter the event log names in a comma-separated list.
       Wildcards are permitted. You can also pipe log names to Get-WinEvent.

   -MaxEvents int64
       The maximum number of events that Get-WinEvent returns.
       Enter an integer. The default is to return all the events in the logs or files.

   -Oldest
       Return the events in oldest-first order.
       By default, events are returned in newest-first order. 

       This parameter is required to get events from .etl and .evt files and from debug and analytic logs.
       In these files, events are recorded in oldest-first order, and the events can be returned only
       in oldest-first order.

   -Path string[]
       Get events from the specified event log files.
       Enter the paths to the log files in a comma-separated list, or use wildcards. 

       Get-WinEvent supports files with the .evt, .evtx, and .etl file name extensions.

   -ProviderName string[]
       Get events written by the specified event log providers.
       Enter the provider names in a comma-separated list, or use wildcard characters.

       An event log provider is a program or service that writes events to the event log.
       It is not a PowerShell provider.

Get-WinEvent gets events from event logs, including classic logs, such as the System and Application logs, and the event logs that are generated by the new Windows Event Log technology introduced in Windows Vista. It also gets events in log files generated by Event Tracing for Windows (ETW).

Without parameters, a Get-WinEvent command gets all the events from all the event logs on the computer.

To interrupt the command, press CTRL + C.

Event Properties

The object returned by Get-WinEvent has the following properties that can be used when piping to Select. The meaning of these varies across the different event logs, so some experimentation may be required:

$_.Properties[0].Value => Application / Job
$_.Properties[1].Value => Document
$_.Properties[2].Value => User
$_.Properties[3].Value => Client
$_.Properties[4].Value => Printer
$_.Properties[5].Value => Domain / Port
$_.Properties[6].Value => User / Size
$_.Properties[7].Value => Pages
$_.Properties[8].Value => LogonType
$_.Properties[9].Value => Process
$_.Properties[10].Value => Method

Get-WinEvent also lists event logs and event log providers. You can get events from selected logs or from logs generated by selected event providers. And, you can combine events from multiple sources in a single command. Get-WinEvent allows you to filter events by using XPath queries, structured XML queries, and simplified hash-table queries.

Get-WinEvent requires the Microsoft .NET Framework 3.5 or a later version.

Examples

Get all the logs on the local computer:

PS C:\> get-winevent -listlog *

Get an object that represents the classic Setup log on the local computer. Returns the size, event log provider, file path, and whether enabled:

PS C:\> get-winevent -listlog Setup | format-list -property *

Get only event logs on the Server64 computer that contain events:

PS C:\> get-winevent -listlog * -computername Server64 | where {$_.recordcount}

List the names of all event logs which contain data:

PS C:\> Get-WinEvent -ListLog * -ErrorAction Ignore | Where-Object RecordCount -gt 0 |
Sort-Object -Property RecordCount -Descending

Get objects that represent PowerShell event logs on several servers (Foreach is required here because -ComputerName takes only one value):

PS C:\> $s = "Server64", "Server65", "Server66"
PS C:\> foreach ($server in $s)
{$server; get-winevent -listlog "Windows PowerShell" -computername $server}

Get errors, warnings and information from the 'System' event log from the last 24 hours:

PS C:\> Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 2,3,4; StartTime = (Get-Date).AddDays(-1) }

Get the event log providers on the local computer and the logs to which they write, if any:

PS C:\> get-winevent -listprovider *

Get all the providers that write to the Application log on the local computer:

PS C:\> (get-winevent -listlog Application).providernames

Get event log providers whose names include the word "policy":

PS C:\> get-winevent -listprovider *policy*

List the event IDs that the Microsoft-Windows-GroupPolicy event provider generates, along with the event description:

PS C:\> (get-winevent -listprovider microsoft-windows-grouppolicy).events | format-table id, description -auto

Use the properties of the event objects that Get-WinEvent returns to learn about the events in an event log:

PS C:\> $events = get-winevent -logname "Windows PowerShell"
PS C:\> $events.count
PS C:\> $events | group-object id -noelement | sort-object count -desc
PS C:\> $events | group-object leveldisplayname -noelement

Get the events from all event logs on the computer whose names include "disk", and from the Microsoft-Windows-Kernel-WHEA event log:

PS C:\> get-winevent -logname *disk*, Microsoft-Windows-Kernel-WHEA

Get the events from an event trace log file (.etl) and from a copy of the PowerShell log file (.evtx) that was saved to a test directory.
This combines multiple file types in a single command. Because the files contain the same type of .NET Framework object (an EventLogRecord object), the same properties can be used to filter them:

PS C:\> get-winevent -path "c:\tracing\tracelog.etl", "c:\Logs\Windows PowerShell.evtx" -oldest | where {$_.id -eq "103"}

Get warning events (level 3) that occurred in the last 24 hours from the PowerShell event log (a filter hash table is more efficient than piping to Where-Object):

PS C:\> $yesterday = (get-date) - (new-timespan -day 1)
PS C:\> get-winevent -FilterHashTable @{LogName='Windows PowerShell'; Level=3; StartTime=$yesterday}

Get account lockout events (ID=4740) for a 2 second window from the Security event log:

PS C:\> $auditStart = get-date "20/12/2011 09:14:30"
PS C:\> $auditEnd = $auditStart.AddSeconds(2)
PS C:\> Get-WinEvent -ComputerName "ServerDC64" -FilterHashtable @{logname="Security"; id=4740; StartTime=$auditStart; EndTime=$auditEnd} | fl TimeCreated, Message

Use a filter hash table to find Errors (level 2) that occurred in the application log within the last 7 days:

PS C:\> $startDTM = (get-date).adddays(-7)
PS C:\> Get-WinEvent -FilterHashtable @{logname="application"; level=2; starttime=$startDTM} | Select ProviderName, levelDisplayName, TimeCreated, Message

Use a filter hash table to return Windows Update events, then Select a calculated property that reads the array element Properties[0], which for these events holds the name of the software installed by Windows Update:

$software = @{
  Name = 'Software'
  Expression = { $_.Properties[0].Value }
}

Get-WinEvent -FilterHashTable @{
    Logname='System'
    ID=19
    ProviderName='Microsoft-Windows-WindowsUpdateClient'
} | Select-Object -Property TimeCreated, $software

“What old people say you cannot do, you try and find that you can. Old deeds for old people, and new deeds for new” ~ Henry David Thoreau

Related PowerShell Cmdlets

Get-Eventlog - Get event log data (2003).
List of Windows Event IDs.
Account Lockout Status - LockoutStatus.exe
WEVTUTIL - Clear event logs, enable/disable logs.
Scan Multiple Event Logs - Hey, Scripting Guy! Blog.

Copyright © 1999-2024 SS64.com
Some rights reserved