PowerShell basics: Query Windows Server Event Logs

Published 06-09-2021 03:00 AM
Microsoft

One of the most common server administration tasks is trawling through event logs looking for information about an issue you want to troubleshoot. If you're interacting with Windows Server through PowerShell, you can work with those event logs using the Get-EventLog, Clear-EventLog, Limit-EventLog, New-EventLog, Remove-EventLog, Show-EventLog and Write-EventLog cmdlets.

 

You're likely to use Get-EventLog most often. To view which event logs are available, run the command:

Get-EventLog -List

To view the 10 most recent entries in the Security event log, run the command:

Get-EventLog -LogName Security -Newest 10

 

To pull up event log entries of a specific type, use the InstanceID parameter. For example, to see the last 10 successful logon events in the Security event log (ID 4624), run the command:

Get-EventLog -LogName Security -InstanceID 4624 -Newest 10

 

To search an event log for specific words in the event log message, use the Message parameter. For example, to search the Security event log for the word Logoff, use the following command:

Get-EventLog -LogName Security -Message *Logoff*

 

Get-EventLog is a very useful cmdlet and you'll definitely use it when working with Server Core machines, or if you just want to check if specific events have occurred on computers you manage. 

 

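Learn more

Get-EventLog at docs.microsoft.com: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog
Introduction to PowerShell on Microsoft Learn: https://docs.microsoft.com/en-gb/learn/modules/introduction-to-powershell/
OPS117: PowerShell Deep Dive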

 

1 Comment
Senior Member

Get-EventLog uses a Win32 API that is deprecated. The results may not be accurate. Use the Get-WinEvent cmdlet instead.

 

See this note in Microsoft's documentation.
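
Added example (not code from the article or from the commenter): the article's four Get-EventLog queries rewritten with Get-WinEvent, the cmdlet the comment above points to, plus extraction of named fields from the 4624 event XML. TargetDomainName, TargetUserName, LogonType and IpAddress are event 4624's data field names; the 24-hour window and the 15-log cap are arbitrary choices for the example.

```powershell
# Added example: the article's Get-EventLog queries expressed with Get-WinEvent.
# Reading the Security log requires an elevated session.

# Get-EventLog -List
# Get-WinEvent also enumerates the Applications and Services logs.
Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object RecordCount |
    Sort-Object RecordCount -Descending |
    Select-Object LogName, RecordCount, LogMode, MaximumSizeInBytes -First 15

# Get-EventLog -LogName Security -Newest 10
Get-WinEvent -LogName Security -MaxEvents 10

# Get-EventLog -LogName Security -InstanceID 4624 -Newest 10
# -FilterHashtable is applied by the event log service, not in the pipeline.
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 10

# Read the named EventData fields from the event XML instead of
# pattern-matching the localized Message text.
$logons | ForEach-Object {
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType   = $data['LogonType']
        SourceIp    = $data['IpAddress']
    }
} | Format-Table -AutoSize

# Get-EventLog -LogName Security -Message *Logoff*
# Get-WinEvent has no -Message parameter, so the text match runs client-side.
# Bound the query by time first so the whole log is not rendered.
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $since } |
    Where-Object Message -like '*Logoff*' |
    Select-Object TimeCreated, Id, Message -First 10
```

Get-WinEvent writes a non-terminating "No events were found" error when a filter matches nothing, so add -ErrorAction SilentlyContinue in scripts where an empty result is expected.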

Last update: Jun 09 2021 05:47 AM