
Get-EventLog



This is the built-in help made by Microsoft for the command 'Get-EventLog', in PowerShell version 5 - as retrieved from Windows version 'Microsoft Windows Server 2012 R2 Standard' PowerShell help files on 2016-06-23.

For PowerShell version 3 and up, where you have Update-Help, this command was run just before creating the web pages from the help files.

SYNOPSIS

Gets the events in an event log, or a list of the event logs, on the local or remote computers.

SYNTAX


Get-EventLog [-LogName] <String> [[-InstanceId] [<Int64[]>]] [-After [<DateTime>]] [-AsBaseObject] [-Before [<DateTime>]] [-ComputerName [<String[]>]] [-EntryType {Error |
Information | FailureAudit | SuccessAudit | Warning}] [-Index [<Int32[]>]] [-InformationAction {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend}]
[-InformationVariable [<System.String>]] [-Message [<String>]] [-Newest [<Int32>]] [-Source [<String[]>]] [-UserName [<String[]>]] [<CommonParameters>]
Get-EventLog [-AsString] [-ComputerName [<String[]>]] [-InformationAction {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend}] [-InformationVariable
[<System.String>]] [-List] [<CommonParameters>]




DESCRIPTION


The Get-EventLog cmdlet gets events and event logs on the local and remote computers.


Use the parameters of Get-EventLog to search for events by using their property values. Get-EventLog gets only the events that match all of the specified property values.


The cmdlets that contain the EventLog noun (the EventLog cmdlets) work only on classic event logs. To get events from logs that use the Windows Event Log technology in
Windows Vista and later versions of Windows, use Get-WinEvent.
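The following script is an added example, not part of the Microsoft help text. It combines the -EntryType, -After, -Before and -ComputerName parameters (which are ANDed together, as the description states) to summarise failure audits from the classic Security log, then uses Where-Object-style post-filtering through Group-Object for a property the cmdlet cannot filter on. The computer names and dates are placeholders.

```powershell
# Added example (not from the Microsoft help text): summarise failure
# audits from the classic Security log for a one-day window on several
# hosts. Host names and dates are placeholders. Reading the Security
# log requires administrative rights on each computer queried.
$computers = 'localhost', 'Server01', 'Server02'   # placeholder host names
$start = Get-Date '2016-06-22'
$end   = Get-Date '2016-06-23'

# Every parameter must match (logical AND): only FailureAudit entries
# written between $start and $end on the listed computers come back.
# Unreachable hosts are skipped rather than aborting the query.
$failures = Get-EventLog -LogName Security -EntryType FailureAudit `
    -After $start -Before $end -ComputerName $computers `
    -ErrorAction SilentlyContinue

# Get-EventLog has no EventID parameter, so narrowing by ID is done on
# the returned objects. Here: per-computer, per-event-ID counts.
$failures |
    Group-Object -Property MachineName, EventID -NoElement |
    Sort-Object -Property Count -Descending |
    Format-Table -Property Count, Name -AutoSize

# Hourly buckets per computer make a burst of failures stand out.
$failures |
    Group-Object -Property MachineName, { $_.TimeGenerated.ToString('yyyy-MM-dd HH:00') } -NoElement |
    Sort-Object -Property Name |
    Format-Table -Property Count, Name -AutoSize

# Classic logs only: logs under Applications and Services Logs, such as
# Microsoft-Windows-PowerShell/Operational, must be read with Get-WinEvent.
```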




RELATED LINKS

Online Version: http://go.microsoft.com/fwlink/p/?linkid=290493
Clear-EventLog
Limit-EventLog
New-EventLog
Remove-EventLog
Show-EventLog
Write-EventLog

REMARKS


Examples


-------------------------- EXAMPLE 1 --------------------------

PS C:\>get-eventlog -list



This command gets the event logs on the computer.






-------------------------- EXAMPLE 2 --------------------------

PS C:\>get-eventlog -newest 5 -logname application



This command gets the five most recent entries from the Application event log.






-------------------------- EXAMPLE 3 --------------------------

PS C:\>$events = get-eventlog -logname system -newest 1000
PS C:\>$events | group-object -property source -noelement | sort-object -property count -descending

Count Name
----- ----
75 Service Control Manager
12 Print
6 UmrdpService
2 DnsApi
2 DCOM
1 Dhcp
1 TermDD
1 volsnap



This example shows how to find all of the sources that are represented in the 1000 most recent entries in the System event log.

The first command gets the 1,000 most recent entries from the System event log and stores them in the $events variable.

The second command uses a pipeline operator (|) to send the events in $events to the Group-Object cmdlet, which groups the entries by the value of the Source property. The
command uses a second pipeline operator to send the grouped events to the Sort-Object cmdlet, which sorts them in descending order, so the most frequently appearing source
is listed first.

Source is just one property of event log entries. To see all of the properties of an event log entry, pipe the event log entries to the Get-Member cmdlet.






-------------------------- EXAMPLE 4 --------------------------

PS C:\>get-eventlog -logname System -EntryType Error



This command gets only error events from the System event log.






-------------------------- EXAMPLE 5 --------------------------

PS C:\>get-eventlog -logname System -instanceID 3221235481 -Source "DCOM"



This command gets events from the System log that have an InstanceID of 3221235481 and a Source value of "DCOM."






-------------------------- EXAMPLE 6 --------------------------

PS C:\>get-eventlog -logname "Windows PowerShell" -computername localhost, Server01, Server02



This command gets the events from the "Windows PowerShell" event log on three computers, Server01, Server02, and the local computer, known as "localhost".






-------------------------- EXAMPLE 7 --------------------------

PS C:\>get-eventlog -logname "Windows PowerShell" -message "*failed*"



This command gets all the events in the Windows PowerShell event log that have a message value that includes the word "failed".






-------------------------- EXAMPLE 8 --------------------------

PS C:\>$a = get-eventlog -log System -newest 1
PS C:\>$a | format-list -property *

EventID : 7036
MachineName : Server01
Data : {}
Index : 10238
Category : (0)
CategoryNumber : 0
EntryType : Information
Message : The description for Event ID
Source : Service Control Manager
ReplacementStrings : {WinHTTP Web Proxy Auto-Disco
InstanceId : 1073748860
TimeGenerated : 4/11/2008 9:56:05 PM
TimeWritten : 4/11/2008 9:56:05 PM
UserName :
Site :
Container :



This example shows how to display the property values of an event in a list.

The first command gets the newest event from the System event log and saves it in the $a variable.

The second command uses a pipeline operator (|) to send the event in $a to the Format-List command, which displays all (*) of the event properties.






-------------------------- EXAMPLE 9 --------------------------

PS C:\>get-eventlog -log application -source outlook | where {$_.eventID -eq 34}



This command gets events in the Application event log where the source is Outlook and the event ID is 34. Even though Get-EventLog does not have an EventID parameter, you
can use the Where-Object cmdlet to select events based on the value of any event property.






-------------------------- EXAMPLE 10 --------------------------

PS C:\>get-eventlog -log system -username NT* | group-object -property username -noelement | format-table Count, Name -auto

Count Name
----- ----
6031 NT AUTHORITY\SYSTEM
42 NT AUTHORITY\LOCAL SERVICE
4 NT AUTHORITY\NETWORK SERVICE



This command returns the events in the system log grouped by the value of their UserName property. The Get-EventLog command uses the UserName parameter to get only events
in which the user name begins with "NT*".






-------------------------- EXAMPLE 11 --------------------------

PS C:\>$May31 = get-date 5/31/08
PS C:\>$July1 = get-date 7/01/08
PS C:\>get-eventlog -log "Windows PowerShell" -entrytype Error -after $may31 -before $july1



This command gets all of the errors in the Windows PowerShell event log that occurred in June 2008.