Learn about my 2012 Core Survival Guide here.
This blog looks at how to manage event logs. The key to using PowerShell to manage any event log is to know the exact spelling of the event log you wish to manager.
How to view a list of event logs
To get a list of the event logs I will use the Get-Eventlog cmdlet. This is one of those cmdlet where piping it to formant-list does not really change the output. So I left it off.
PowerShell Command:
Get-Eventlog -list
The output below displays a list of event logs active on this computer.
How to view events in an event log
Because event logs hold many events, it does not make sense to simply list all the event in the log. Below are several different ways to view parts of the event log.
Viewing events for the last hour
PowerShell Command:
Get-eventlog system -after (get-date).addhours(-1)
The output below shows the last hour of events in the System Log. You can replace "System" for any of the other event logs. You can also modify the value in ".addhours" to have a larger value like "(-12)" for the last 12 hours.
Viewing events by event type
This command only shows the error events for the last hour.
PowerShell Command:
Get-eventlog system -after (get-date).addhours(-1) | Where entrytype -eq Error
In the command above you can replace "Error" with "Information" or "Warning"
Viewing events by event source
This command show you only the events for the source of "NETLOGON"
PowerShell Command:
Get-eventlog system -after (get-date).addhours(-1) | Where Source -eq NetLogon
You can replace "NETLOGON" with the name of any source: for example "volmgr".
Viewing events by event index
Once you have narrowed down the event you wish to review, take note of the index number. You can display all of the details of that event based on the index number.
PowerShell Command:
Get-Eventlog System | where index -eq 5630 | format-list *
How to export event log to an CSV file
It is often easier to review events by viewing them in a tool like notepad. You can export any event log to a text file.
PowerShell Command:
Get-eventlog system | export-csv -path system.csv
The output below shows that the event log was written to system.csv (opened in Notepad). Excel will be the better tool for reviewing the data.
How to clear event log
PowerShell Command:
Clear-Eventlog "Windows PowerShell" -clear
In the output below, notice the number of entries for the Windows PowerShell log is 392. After the Clear-Eventlog cmdlet has been run the number of entries is zero.
I hope you found this useful. Please leave me a comment. Let me know if there are any core tasks you would like me to cover.
Bruce