PowerShell Get-WinEvent Cmdlet
Hello Everyone
Welcome to CloudAffaire and this is Debjeet.
In the last blog post, we discussed the Get-EventLog cmdlet in PowerShell.
https://cloudaffaire.com/powershell-get-eventlog-cmdlet/
In this blog post, we will discuss the Get-WinEvent cmdlet in PowerShell. You can use Get-WinEvent to read the Windows event logs. The event log is the central logging facility where OS and application logs are stored; for those familiar with Linux, it plays the role that syslog plays there. Get-WinEvent reads the classic logs (Application, System, Security) as well as the newer Applications and Services logs and ETW channels, either from the live logs of a local or remote computer or from saved .evtx/.etl files. It is the replacement for Get-EventLog: it adds server-side filtering (-FilterHashtable, -FilterXPath, -FilterXml), and Get-EventLog exists only in Windows PowerShell and is not available in PowerShell 7. Note that reading the Security log requires administrator rights or membership in the Event Log Readers group.
Get-WinEvent Cmdlet Syntax:
```powershell
Get-WinEvent
    [[-LogName] <String[]>]
    [-ListLog <String[]>]
    [-MaxEvents <Int64>]
    [-ComputerName <String>]
    [-Credential <PSCredential>]
    [-FilterXPath <String>]
    [-Force]
    [-Oldest]
    [<CommonParameters>]
```
The cmdlet actually has one parameter set per selector (-LogName, -ListLog, -ListProvider, -ProviderName, -Path, -FilterHashtable, -FilterXml); only one selector can be used in a call, and -MaxEvents, -Oldest and the filter parameters are combined with it.
Get-WinEvent Cmdlet Argument List:
- -ComputerName: Specifies the name of the computer that this cmdlet gets events from. Type the NetBIOS name, an IP address, or the fully qualified domain name (FQDN) of the computer.
- -Credential: Specifies a user account that has permission to perform this action. The default value is the current user.
- -FilterHashtable: Specifies a query in hash table format to select events from one or more event logs. The hash table contains one or more key/value pairs; the filter is evaluated by the Event Log service, so it is much faster than piping every event through Where-Object. The valid Get-WinEvent keys are as follows:
- LogName=<String[]>
- ProviderName=<String[]>
- Path=<String[]>
- Keywords=<Long[]> (a 64-bit bitmask, not a level name)
- ID=<Int32[]>
- Level=<Int32[]> (1 = Critical, 2 = Error, 3 = Warning, 4 = Information, 5 = Verbose)
- StartTime=<DateTime>
- EndTime=<DateTime>
- UserID=<SID>
- Data=<String[]>
- -FilterXml: Specifies a structured XML query that this cmdlet uses to select events from one or more event logs (the same query format Event Viewer's "Filter Current Log" dialog produces on its XML tab).
- -FilterXPath: Specifies an XPath query that this cmdlet uses to select events from one or more logs.
- -Force: Gets debug and analytic logs, in addition to other event logs.
- -ListLog: Gets the event logs themselves (name, record count, size, settings) rather than their events. Enter the event log names in a comma-separated list. Wildcards are permitted.
- -ListProvider: Gets the event log providers. An event log provider is a program or service that writes events to the event log.
- -LogName: Specifies the event logs that this cmdlet gets events from. Enter the event log names in a comma-separated list. Wildcards are permitted.
- -MaxEvents: Specifies the maximum number of events that are returned. Enter an integer such as 100.
- -Oldest: Indicates that this cmdlet gets the events in oldest-first order. By default, events are returned in newest-first order. This parameter is required when reading .etl or .evt files.
- -Path: Specifies the path to the event log files (.evtx, .evt or .etl) that this cmdlet gets events from. Enter the paths to the log files in a comma-separated list, or use wildcard characters to create file path patterns.
- -ProviderName: Specifies, as a string array, the event log providers from which this cmdlet gets events. Enter the provider names in a comma-separated list, or use wildcard characters to create provider name patterns.
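The following is an added example, not code from the original post, showing how the FilterHashtable keys combine in practice: it pulls failed logons (Security event ID 4625) for the last N hours with a multi-key filter, extracts the EventData fields by name from the event XML, and groups them by source address so that one host trying many accounts (the password-spraying shape) stands out. The function name, parameter names and the "No events were found" handling are this example's own choices; reading the Security log requires administrator rights or Event Log Readers membership.

```powershell
## Added example (not from the original post): triage failed logons in the
## Security log with a multi-key FilterHashtable, then pull fields out of the
## event XML. Event ID 4625 = "An account failed to log on".
function Get-FailedLogonSummary {
    [CmdletBinding()]
    param(
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # All keys in one hashtable are ANDed and evaluated by the Event Log service
    $filter = @{
        LogName   = 'Security'
        ID        = 4625
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    try {
        # -ErrorAction Stop turns "No events were found" into a catchable error
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
    }
    catch {
        if ($_.Exception.Message -match 'No events were found') {
            Write-Verbose "No failed logons in the last $Hours hours on $ComputerName"
            return @()
        }
        throw
    }

    $parsed = foreach ($e in $events) {
        # EventData is only reachable through the event XML; the Properties[]
        # collection is positional and provider-specific, so look fields up by name.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            User        = $data['TargetUserName']
            Domain      = $data['TargetDomainName']
            SourceIP    = $data['IpAddress']
            LogonType   = $data['LogonType']
            Status      = $data['Status']      # 0xC000006D = bad user name or password
            SubStatus   = $data['SubStatus']   # 0xC0000064 = user name does not exist
        }
    }

    # Many distinct accounts from one source address in a short window is the
    # classic password-spraying shape; surface that first.
    $parsed |
        Group-Object SourceIP |
        Sort-Object Count -Descending |
        Select-Object @{n = 'SourceIP';      e = { $_.Name }},
                      Count,
                      @{n = 'DistinctUsers'; e = { ($_.Group.User | Sort-Object -Unique).Count }},
                      @{n = 'FirstSeen';     e = { ($_.Group.TimeCreated | Sort-Object)[0] }},
                      @{n = 'LastSeen';      e = { ($_.Group.TimeCreated | Sort-Object)[-1] }}
}

# usage
Get-FailedLogonSummary -Hours 24 -Verbose | Format-Table -AutoSize
```

The StartTime/ID/LogName keys are sent to the service as one XPath query, so only matching records cross the wire; the XML parsing happens only on those. Drop the grouping at the end to get the per-event rows instead.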
PowerShell Get-WinEvent Cmdlet:
Get Members Of Get-WinEvent Cmdlet:
```powershell
########################################
## PowerShell | Cmdlet | Get-WinEvent ##
########################################

## Windows PowerShell 5

## get members for the Get-WinEvent cmdlet
Get-WinEvent -LogName "Setup" -MaxEvents 1 | Get-Member
```
List All The Event Logs Available In Your System:
```powershell
## list all event logs available in your system
Get-WinEvent -ListLog *
```
List All The Event Log Providers Available In Your System:
```powershell
## list all event log providers available in your system
Get-WinEvent -ListProvider *
```
Get All The Events From A Specific Log:
```powershell
## get all events from a specific log
Get-WinEvent -LogName "Setup"
```
Get All The Events From A Specific Provider:
```powershell
## get all events written by a specific provider
Get-WinEvent -ProviderName "Microsoft-Windows-Services"
```
Get Last 24 Hours Of Event Logs In Your System:
```powershell
## get the last 24 hours of event logs for your system
$date = (Get-Date).AddDays(-1)
Get-WinEvent -MaxEvents 10 -FilterHashtable @{
    LogName   = "System"
    StartTime = $date
}
```
Get Event Logs For A Specific Period Of Time Using Get-WinEvent Cmdlet:
```powershell
## get event logs for a specific time window
## (cast the bounds to [datetime] so the hashtable receives real dates;
##  EndTime must be later than StartTime)
$start_time = [datetime]"10 October 2020 00:00"
$end_time   = [datetime]"10 October 2020 09:00"
Get-WinEvent -MaxEvents 10 -FilterHashtable @{
    LogName   = "System"
    StartTime = $start_time
    EndTime   = $end_time
}
```
Get Event Logs Between Two Specific Dates Using Get-WinEvent Cmdlet:
```powershell
## get event logs between two specific dates
$start_date = [datetime]"04 October 2020 00:00"
$end_date   = [datetime]"06 October 2020 00:00"
Get-WinEvent -MaxEvents 10 -FilterHashtable @{
    LogName   = "System"
    StartTime = $start_date
    EndTime   = $end_date
}
```
Get All Error Related Event Logs In Your System:
```powershell
## get the error entries in the System log
## Level is the severity: 1 = Critical, 2 = Error, 3 = Warning, 4 = Information.
## (Keywords is a separate bitmask field; "Error" is not a keyword value.)
Get-WinEvent -MaxEvents 10 -FilterHashtable @{
    LogName = "System"
    Level   = 2
}
```
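Level and Keywords are easy to confuse, and the difference matters most for the Security log: its audit records are all Level 0 (LogAlways), so a severity filter never matches them; they are selected by the AuditSuccess/AuditFailure keyword bits instead. The following is an added example, not code from the original post, that queries both the System log by Level and the Security log by Keywords and returns per-provider and per-ID counts. The function and parameter names are this example's own.

```powershell
## Added example (not from the original post): Level selects by severity,
## Keywords selects by bitmask. Security audit events only match on Keywords.
function Get-SeverityAndAuditCounts {
    param(
        [int]$Hours = 24,
        [int]$MaxEvents = 500
    )

    $since = (Get-Date).AddHours(-$Hours)

    # Critical (1) and Error (2) entries in the System log; Level accepts an array
    $critErr = Get-WinEvent -MaxEvents $MaxEvents -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'System'
        Level     = 1, 2
        StartTime = $since
    }

    # Audit failures in the Security log, selected by keyword bit rather than level.
    # StandardEventKeywords.AuditFailure = 0x10000000000000, AuditSuccess = 0x20000000000000
    $auditFailure = [long][System.Diagnostics.Eventing.Reader.StandardEventKeywords]::AuditFailure
    $failed = Get-WinEvent -MaxEvents $MaxEvents -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Security'
        Keywords  = $auditFailure
        StartTime = $since
    }

    # -ErrorAction SilentlyContinue turns "No events were found" into an empty
    # result, so Group-Object simply yields nothing for a quiet log.
    [pscustomobject]@{
        SystemCriticalAndError = $critErr | Group-Object ProviderName |
                                 Sort-Object Count -Descending | Select-Object Name, Count
        SecurityAuditFailures  = $failed  | Group-Object Id |
                                 Sort-Object Count -Descending | Select-Object Name, Count
    }
}

# usage
$r = Get-SeverityAndAuditCounts -Hours 24
$r.SystemCriticalAndError | Format-Table -AutoSize
$r.SecurityAuditFailures  | Format-Table -AutoSize
```

To confirm the point interactively, look at the Level and KeywordsDisplayNames properties of any Security event: Level is 0 and KeywordsDisplayNames reads "Audit Success" or "Audit Failure".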
Get All Event Logs For A Specific Application:
```powershell
## get all event logs for a specific application (the provider name as
## shown in Event Viewer's "Source" column)
Get-WinEvent -MaxEvents 10 -FilterHashtable @{
    LogName      = "Application"
    ProviderName = "VSS"
}
```
Get All Event Logs For A Specific Event ID:
```powershell
## get all event logs with a specific event ID
## (event IDs are only unique per provider, so combine ID with ProviderName
##  when the log has several providers that reuse the same numbers)
Get-WinEvent -MaxEvents 10 -FilterHashtable @{
    LogName = "Application"
    ID      = 13
}
```
Get Event Logs From A Remote Computer:
```powershell
## get event logs from a remote computer (note the leading dash on -ComputerName)
Get-WinEvent -ComputerName "System1" -MaxEvents 10 -FilterHashtable @{
    LogName = "Application"
}
```
This connects over RPC to the Event Log service on the target, so the "Remote Event Log Management" firewall rules must be enabled there; add -Credential if your current account has no rights on the remote computer.
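The following is an added example, not code from the original post, showing the three ways to reach events that are not in the local live log: -ComputerName (RPC to the remote Event Log service), Invoke-Command (Get-WinEvent executed on each host over WinRM, fanned out in parallel), and -Path for an exported or imaged .evtx file. The host names, the file path and the function names are placeholders chosen for this example.

```powershell
## Added example (not from the original post): remote and offline collection.

# 1) -ComputerName: RPC to the remote Event Log service. Needs the
#    "Remote Event Log Management" firewall rules open; does not use WinRM,
#    so it works on hosts where PowerShell remoting is disabled.
function Get-EventsFromMany {
    param(
        [string[]]$ComputerName,
        [hashtable]$Filter = @{ LogName = 'System'; Level = 1, 2 },
        [int]$MaxEvents = 50,
        [pscredential]$Credential
    )
    foreach ($c in $ComputerName) {
        try {
            $p = @{ ComputerName = $c; FilterHashtable = $Filter; MaxEvents = $MaxEvents; ErrorAction = 'Stop' }
            if ($Credential) { $p.Credential = $Credential }
            Get-WinEvent @p |
                Select-Object @{n = 'Computer'; e = { $c }}, TimeCreated, Id, LevelDisplayName, ProviderName, Message
        }
        catch {
            # unreachable host, access denied, or no matching events
            Write-Warning "$c : $($_.Exception.Message)"
        }
    }
}

# 2) Invoke-Command: runs Get-WinEvent on each host over WinRM; the results come
#    back deserialized with PSComputerName set, and hosts are queried in parallel.
function Get-EventsViaRemoting {
    param(
        [string[]]$ComputerName,
        [hashtable]$Filter,
        [int]$MaxEvents = 50,
        [pscredential]$Credential
    )
    $p = @{ ComputerName = $ComputerName; ErrorAction = 'Continue' }
    if ($Credential) { $p.Credential = $Credential }
    Invoke-Command @p -ScriptBlock {
        param($f, $m)
        Get-WinEvent -FilterHashtable $f -MaxEvents $m -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message
    } -ArgumentList $Filter, $MaxEvents
}

# 3) Offline .evtx (exported with "wevtutil epl Security C:\x.evtx" or copied
#    from a forensic image): use Path in the hashtable instead of LogName.
function Get-EventsFromEvtx {
    param(
        [string]$Path,
        [int[]]$Id
    )
    $f = @{ Path = $Path }
    if ($Id) { $f.ID = $Id }
    Get-WinEvent -FilterHashtable $f -Oldest -ErrorAction SilentlyContinue
}

# usage (host names and path are placeholders)
Get-EventsFromMany -ComputerName 'System1', 'System2' | Format-Table -AutoSize
Get-EventsViaRemoting -ComputerName 'System1', 'System2' -Filter @{ LogName = 'Security'; ID = 4625 }
Get-EventsFromEvtx -Path 'C:\cases\host1\Security.evtx' -Id 4624, 4625 | Select-Object -First 5
```

Prefer the Invoke-Command form for more than a handful of hosts: the filtering and any XML parsing happen on the target, and WinRM is usually the port already allowed by policy. The offline form is what you use during an investigation, when the original host may be untrusted or already rebuilt.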
Hope you have enjoyed this article. In the next blog post, we will discuss the New-EventLog cmdlet in PowerShell.
To get more details on PowerShell, kindly follow the official documentation below