Get-WinEvent - Cmdlet Syntax and Real World Examples

April 22, 2018 | PowerShell

SYNOPSIS

Gets events from event logs and event tracing log files on local and remote computers.

DESCRIPTION

The Get-WinEvent cmdlet gets events from event logs, including classic logs, such as the System and Application logs, and the event logs that are generated by the Windows Event Log technology introduced in Windows Vista. It also gets events in log files generated by Event Tracing for Windows (ETW).

Without parameters, a Get-WinEvent command gets all the events from all the event logs on the computer. To interrupt the command, press CTRL + C.

Get-WinEvent also lists event logs and event log providers. You can get events from selected logs or from logs generated by selected event providers. And, you can combine events from multiple sources in a single command. Get-WinEvent allows you to filter events by using XPath queries, structured XML queries, and simplified hash-table queries.

SYNTAX

Get-WinEvent [[-LogName] <String[]>] [-ComputerName <String>] [-Credential <PSCredential>] 
[-FilterXPath <String>] [-Force] [-MaxEvents <Int64>] [-Oldest]  [<CommonParameters>]

Get-WinEvent [-ListProvider] <String[]> [-ComputerName <String>] [-Credential <PSCredential>] [<CommonParameters>]

Get-WinEvent [-ProviderName] <String[]> [-ComputerName <String>] [-Credential <PSCredential>] [-FilterXPath <String>] [-Force]
[-MaxEvents <Int64>] [-Oldest] [<CommonParameters>]

Get-WinEvent [-ListLog] <String[]> [-ComputerName <String>] [-Credential <PSCredential>] [-Force] [<CommonParameters>]

Get-WinEvent [-FilterHashtable] <Hashtable[]> [-ComputerName <String>] [-Credential <PSCredential>] [-Force] [-MaxEvents <Int64>] 
[-Oldest] [<CommonParameters>]

Get-WinEvent [-FilterXml] <XmlDocument> [-ComputerName <String>] [-Credential <PSCredential>] [-MaxEvents <Int64>]
[-Oldest] [<CommonParameters>]

Get-WinEvent [-Path] <String[]> [-Credential <PSCredential>] [-FilterXPath <String>] [-MaxEvents <Int64>]
[-Oldest] [<CommonParameters>]
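The description above lists three ways to filter: a hash table, an XPath predicate, and a structured XML query. The following added example, which is not code from the original post, runs the same query in each of the three forms and checks that they return the same records, after first using -ListLog to see which logs actually hold anything. The 24-hour window and the 20-event cap are arbitrary choices.

```powershell
# Added example, not from the original post: the same query expressed with each of the three
# filter forms Get-WinEvent accepts. The 24-hour window and 20-event cap are arbitrary.

# Step 0: find out which logs actually hold records before querying them.
Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordCount -gt 0 } |
    Sort-Object RecordCount -Descending |
    Select-Object -First 10 LogName, RecordCount, LogMode, IsEnabled

$since = (Get-Date).AddHours(-24)

# 1) Hash table filter: keys name fields of the event's <System> element. The filtering
#    happens inside the Event Log service, not in PowerShell after every event has been read.
$byHash = Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Level     = 2, 3            # Error, Warning
    StartTime = $since
} -MaxEvents 20 -ErrorAction SilentlyContinue

# 2) XPath filter: the predicate Event Viewer's "Filter Current Log" dialog writes. Its
#    time test is a millisecond window measured back from "now".
$ms      = [int64]((Get-Date) - $since).TotalMilliseconds
$xpath   = "*[System[(Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) <= $ms]]]"
$byXPath = Get-WinEvent -LogName 'System' -FilterXPath $xpath -MaxEvents 20 -ErrorAction SilentlyContinue

# 3) Structured XML query: what Event Viewer exports as a custom view. One query can select
#    from several logs; '<' must be escaped because the XPath now sits inside XML text.
$xpathXml = $xpath -replace '<', '&lt;'
[xml]$query = @"
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">$xpathXml</Select>
  </Query>
</QueryList>
"@
$byXml = Get-WinEvent -FilterXml $query -MaxEvents 20 -ErrorAction SilentlyContinue

# The three result sets should be identical unless new events arrived between the calls.
$idsHash  = @($byHash.RecordId)  -join ','
$idsXPath = @($byXPath.RecordId) -join ','
$idsXml   = @($byXml.RecordId)   -join ','
"Hash table and XPath agree: $($idsHash -eq $idsXPath); hash table and XML agree: $($idsHash -eq $idsXml)"
```

The -ErrorAction SilentlyContinue on each query matters in scripts: when nothing matches, Get-WinEvent raises a "No events were found" error rather than returning an empty result. The hash table form is the one to reach for first; XPath and XML are for predicates the hash table cannot express (or, anything that Event Viewer can build, which can then be pasted into -FilterXml).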

REAL-WORLD EXAMPLES

Get-WinEvent -FilterHashtable @{LogName='System'; Level=2,3} -MaxEvents 50
  • returns event objects from the System log; the default view groups them by ProviderName (the event source)
  • limits output to the 50 newest events (add -Oldest to get the 50 oldest instead)
  • selects only Error (level 2) and Warning (level 3) events; Critical is level 1, not 2

Event Log levels (the numeric Level property, which is what a FilterHashtable matches on)

Name           Value
LogAlways      0
Critical       1
Error          2
Warning        3
Informational  4
Verbose        5

Event Log level display names (the LevelDisplayName property; filter on the number above, not on these strings)

  • Information
  • Warning
  • Critical
  • Error
  • Verbose

Get-WinEvent -ComputerName Server01 -FilterHashtable @{LogName='System','Application'; Level=2,3} -MaxEvents 50 | more
  • grabs Error and Warning events from both the System and Application logs on Server01
  • limits output to the 50 newest events
  • pages the output one screen at a time with more; the 50-event cap is applied before the pipe, so paging does not reduce what is fetched
  • remote queries go through the Event Log RPC service, so Server01 must allow the "Remote Event Log Management" firewall rule group and the caller must be in its Event Log Readers (or Administrators) group

Get-WinEvent -ComputerName Server01 -LogName Microsoft-Windows-GroupPolicy/Operational -MaxEvents 50 | Out-GridView
  • grabs events from the Group Policy Operational log on Server01 (-log works too, as a shortened parameter name, but -LogName is clearer)
  • limits output to the 50 newest events and shows them in a sortable, filterable grid

$date1 = [datetime]"4/27/2018"
$date2 = [datetime]"4/28/2018"

Get-WinEvent -FilterHashtable @{LogName='Application'; Level=1,2,3} -ComputerName server01 |
Where-Object {$_.TimeCreated -gt $date1 -and $_.TimeCreated -lt $date2} | Out-GridView
  • grabs Critical, Error and Warning events from the Application log on server01 that occurred on 4/27/2018 (the upper bound is midnight at the start of 4/28, so 4/28 itself is excluded)
  • displays the list in gridview format
  • the date test runs on the client after every matching event has been copied from server01; StartTime and EndTime keys in the hash table push that filter to the Event Log service on server01 instead
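The date filter above runs on the client after every Critical, Error and Warning event has been copied from server01. This added example, which is not code from the original post, moves the time window into the hash table with StartTime and EndTime so the Event Log service on the remote host evaluates it, and then unpacks each event's EventData fields through ToXml() into flat objects that Out-GridView and Group-Object can work with. The host name server01, the credential prompt, the Event Log Readers membership, and the helper function ConvertTo-FlatEvent are assumptions made for the example.

```powershell
# Added example, not from the original post. The date test in the example above runs on the
# client after every Critical/Error/Warning event has been copied from server01; StartTime and
# EndTime in the hash table make the Event Log service on server01 do that filtering instead.
# Assumptions: a host named server01, an account in its Event Log Readers (or Administrators)
# group, and the "Remote Event Log Management" firewall rule group allowed inbound there.
$start = [datetime]'2018-04-27'
$end   = [datetime]'2018-04-28'   # exclusive upper bound: everything on 27 April
$cred  = Get-Credential -Message 'Account with event log read rights on server01'

$events = Get-WinEvent -ComputerName 'server01' -Credential $cred -FilterHashtable @{
    LogName   = 'Application'
    Level     = 1, 2, 3           # Critical, Error, Warning
    StartTime = $start
    EndTime   = $end
} -ErrorAction SilentlyContinue   # "no events found" is raised as an error, not an empty result

# Flatten each record: the default view buries the EventData fields inside the Message text,
# and ToXml() is the documented way to reach them as structured values.
# ConvertTo-FlatEvent is a helper written for this example, not a built-in cmdlet.
function ConvertTo-FlatEvent {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    [xml]$x = $Record.ToXml()
    $row = [ordered]@{
        TimeCreated = $Record.TimeCreated
        Computer    = $Record.MachineName
        Provider    = $Record.ProviderName
        Id          = $Record.Id
        Level       = $Record.LevelDisplayName
    }
    $i = 0
    foreach ($d in @($x.Event.EventData.Data)) {
        if ($null -eq $d) { continue }       # events that use UserData have no EventData at all
        # PowerShell's XML adapter hands back a plain string for <Data>text</Data> with no
        # attributes, and an XmlElement when a Name="..." attribute is present.
        if ($d -is [System.Xml.XmlElement]) {
            $name = $d.GetAttribute('Name')
            $text = $d.'#text'
        } else {
            $name = ''
            $text = [string]$d
        }
        if (-not $name) { $name = "Data$i" }  # unnamed fields get a positional name
        $row[$name] = $text
        $i++
    }
    [pscustomobject]$row
}

$flat = foreach ($e in $events) { ConvertTo-FlatEvent -Record $e }

# Interactive view, then a per-provider count to see which component was noisiest that day.
$flat | Sort-Object TimeCreated |
    Out-GridView -Title "Application log on server01, $($start.ToShortDateString())"
$flat | Group-Object Provider | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

StartTime and EndTime are compared against the event's local-time TimeCreated, so a window built from plain dates lines up with what Event Viewer shows on that host. The same ConvertTo-FlatEvent pattern is what makes it possible to filter on a specific EventData field (a user name, a process path) with Where-Object once the events are local, rather than regex-matching the Message text.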