Get-EventLog - PowerShell


Overview

Get-EventLog retrieves entries from Windows event logs. It lets you filter and manipulate event log data for analysis and troubleshooting.

Syntax

Get-EventLog [-LogName] <string[]> [-ComputerName] <string>
[-After] <DateTime> [-Before] <DateTime> [-EntryType] <string[]> [-FilterXML] <string>
[-FilterXPath] <string> [-InstanceID] <uint32[]> [-Newest] <int32> [-Oldest] <int32>
[-Property] <string[]> [-TaskName] <string> [-UseUniversalTime] [-Verbose]
[-ErrorAction] <ActionPreference> [-ErrorVariable] <string>
[-OutVariable] <string> [-OutBuffer] <int32>

Options/Flags

  • -LogName: Specify one or more event log names to retrieve entries from.
  • -ComputerName: Retrieve events from a remote computer.
  • -After: Show events logged after the specified date and time.
  • -Before: Show events logged before the specified date and time.
  • -EntryType: Filter events by type (Error, Warning, Information, Success, Failure).
  • -FilterXML: Apply an XML filter to the event log.
  • -FilterXPath: Use an XPath expression to filter the event log.
  • -InstanceID: Filter by instance ID.
  • -Newest: Retrieve the specified number of newest events.
  • -Oldest: Retrieve the specified number of oldest events.
  • -Property: Specify event properties to retrieve.
  • -TaskName: Filter events by task name.
  • -UseUniversalTime: Display timestamps in Coordinated Universal Time (UTC) format.
  • -Verbose: Output more detailed information about each event.

Examples

Retrieve all events from the System event log:

Get-EventLog -LogName System

Filter events by time range:

Get-EventLog -LogName System -After "2023-03-08" -Before "2023-03-10"

Filter events by type:

Get-EventLog -LogName System -EntryType Warning

Export events to a CSV file:

Get-EventLog -LogName System | Export-Csv -Path .\system_events.csv -NoTypeInformation
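
The time-range and type filters above return individual entries; during triage the usual next step is to collapse them into counts per source and event ID so recurring failures stand out. The following is an added example, not part of the original page: Get-EventLogSummary is a hypothetical helper name, and the sample entries are constructed so the block runs without access to a live log.

```powershell
# Added example. Get-EventLogSummary is a hypothetical helper, not a built-in cmdlet.
function Get-EventLogSummary {
    [CmdletBinding()]
    param(
        # Entries as emitted by Get-EventLog, or objects with the same property names.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$Entry
    )
    begin   { $all = [System.Collections.Generic.List[object]]::new() }
    process { foreach ($e in $Entry) { $all.Add($e) } }
    end {
        # One output row per distinct Source / EntryType / EventID combination.
        $all | Group-Object -Property Source, EntryType, EventID | ForEach-Object {
            $g     = $_.Group
            # @() keeps indexing safe when a group holds a single entry.
            $times = @($g | ForEach-Object { $_.TimeGenerated } | Sort-Object)
            [pscustomobject]@{
                Source    = $g[0].Source
                EntryType = $g[0].EntryType
                EventID   = $g[0].EventID
                Count     = $g.Count
                FirstSeen = $times[0]
                LastSeen  = $times[-1]
            }
        } | Sort-Object -Property Count -Descending
    }
}

# Constructed sample entries (not real log data) so the function can be run offline.
$sample = @(
    [pscustomobject]@{ TimeGenerated = [datetime]'2023-03-08T09:15:00'; EntryType = 'Error';   Source = 'Service Control Manager'; EventID = 7031 }
    [pscustomobject]@{ TimeGenerated = [datetime]'2023-03-08T14:02:10'; EntryType = 'Warning'; Source = 'Disk';                    EventID = 51 }
    [pscustomobject]@{ TimeGenerated = [datetime]'2023-03-09T03:41:55'; EntryType = 'Error';   Source = 'Service Control Manager'; EventID = 7031 }
    [pscustomobject]@{ TimeGenerated = [datetime]'2023-03-09T18:20:30'; EntryType = 'Error';   Source = 'Service Control Manager'; EventID = 7031 }
)

# Most frequent combination first: three entries for EventID 7031, one for EventID 51.
$sample | Get-EventLogSummary | Format-Table -AutoSize

# Against a live log, combining the time-range and type filters shown above:
# Get-EventLog -LogName System -EntryType Error, Warning -After '2023-03-08' -Before '2023-03-10' |
#     Get-EventLogSummary
```

The commented live call needs Windows PowerShell 5.1 or earlier, where Get-EventLog is available; the summary function itself only relies on the property names of the objects it receives.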

Common Issues

  • Ensure the specified event log exists on the target computer.
  • Verify that you have sufficient permissions to access the event log.
  • Use the -Verbose flag to troubleshoot filtering issues.

Integration

Combine Get-EventLog with other commands for advanced tasks:

  • Send-MailMessage: Send email notifications based on event log entries.
  • New-EventLogSubscription: Subscribe to event log changes and receive notifications.
  • Invoke-Command: Run Get-EventLog remotely on multiple computers.