This lesson introduces PowerShell event log processing.

Objectives and Skills


After completing this lesson, you will be able to:

  • Describe basic PowerShell event concepts.
  • Create PowerShell scripts to process events.

Readings

  1. Wikipedia: Event Viewer
  2. Microsoft Support: How to View and Manage Event Logs in Event Viewer
  3. BonusBits: Mastering PowerShell Chapter 17 - Processes, Services, Event Logs

Multimedia

  1. YouTube: Manage Event Logs From The Event Viewer to Find Windows 7 Related Problems
  2. YouTube: How to look for Unexpected Shutdown/User Restarts/BSOD using powershell and get-eventlog

Examples


Get-EventLog


The Get-EventLog cmdlet gets events and event logs on local and remote computers. Get-EventLog works only on classic event logs. To get events from logs that use the Windows Event Log technology in Windows Vista and later versions of Windows, use Get-WinEvent.[1] Get-EventLog and the other *-EventLog cmdlets in this lesson (New-, Write-, Show-, Limit-, Clear- and Remove-EventLog) exist only in Windows PowerShell 5.1 and earlier; PowerShell 7 does not ship them, so scripts that must run on both editions read logs with Get-WinEvent.

Get-EventLog -LogName System -EntryType Error -After (Get-Date).AddDays(-30)

Get-WinEvent


The Get-WinEvent cmdlet gets events from event logs, including classic logs, such as the System and Application logs, and the event logs that are generated by the Windows Event Log technology introduced in Windows Vista.[2]

Get-WinEvent -FilterHashTable @{LogName='System'; Level=2; StartTime=(Get-Date).AddDays(-30)}

Selecting Event Properties


The Select-Object cmdlet may be used to select specific event properties, and rename them as desired.[3]

$events = Get-WinEvent -FilterHashTable @{LogName='System'; Level=2; StartTime=(Get-Date).AddDays(-30)}
$events | Select-Object @{Name='Time';   Expression={$_.TimeCreated}},
    @{Name='Source'; Expression={$_.ProviderName}},
    @{Name='Event';  Expression={$_.Id}}
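Top-level properties such as TimeCreated and ProviderName are the same for every event, but the fields that matter for a particular event type (the account name in a logon failure, for example) sit inside the event's EventData and are only reachable through the event XML. The following added example, which is not part of the original lesson, applies the same FilterHashtable and calculated-property pattern to the Security log: it pulls failed logons (event ID 4625) from the last 24 hours, extracts the provider-specific fields with ToXml(), and counts failures per account and source address. The function name, the 24-hour window and the threshold of five failures are choices made for this example; reading the Security log requires an elevated session or membership in Event Log Readers, and logon-failure auditing must be enabled for any events to exist.

```powershell
# Added example, not from the original lesson: summarise failed logons
# (Security event ID 4625) by target account and source address.
# Assumes an elevated Windows PowerShell session (or Event Log Readers
# membership) and that audit logon failures are being recorded.
function Get-FailedLogonSummary {
    param(
        [int]$Hours = 24,       # look-back window (assumed value)
        [int]$Threshold = 5     # flag account/source pairs at or above this count (assumed value)
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises an error rather than returning nothing when no
    # event matches; suppress it so an empty window yields an empty report.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    # Provider-specific fields live under <EventData>, not in the cmdlet's
    # top-level properties, so convert each event to XML and index the
    # <Data Name="..."> elements by name.
    $rows = foreach ($e in $events) {
        $byName = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $byName[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Account   = $byName['TargetUserName']
            Domain    = $byName['TargetDomainName']
            LogonType = $byName['LogonType']
            Source    = $byName['IpAddress']
            Status    = $byName['Status']
        }
    }

    # One row per (account, source) pair, most failures first.
    $rows | Group-Object Account, Source | ForEach-Object {
        $sorted = $_.Group | Sort-Object Time
        [pscustomobject]@{
            Account  = $sorted[0].Account
            Source   = $sorted[0].Source
            Failures = $_.Count
            First    = $sorted[0].Time
            Last     = $sorted[-1].Time
            Flagged  = ($_.Count -ge $Threshold)
        }
    } | Sort-Object Failures -Descending
}

# Usage: print the summary; pipe to Where-Object Flagged to keep only the
# pairs that crossed the threshold.
Get-FailedLogonSummary | Format-Table -AutoSize
```

The same ToXml() lookup works for any provider: change the Id and the Data names and the rest of the pipeline is unchanged. Filtering on Id and StartTime inside the hashtable is done by the event log service, which is far cheaper than retrieving every Security event and filtering with Where-Object afterwards.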

New-EventLog


The New-EventLog cmdlet creates a new classic event log on a local or remote computer. It can also register an event source that writes to the new log or to an existing log.[4] Creating a log or registering a source writes keys under HKLM\SYSTEM\CurrentControlSet\Services\EventLog, so the session must be elevated, and the cmdlet fails if the source name is already registered on that computer.

New-EventLog -LogName 'PowerShell Scripts' -Source 'My Script'

Write-EventLog


The Write-EventLog cmdlet writes an event to an event log.[5] The source named with -Source must already be registered for that log (see New-EventLog), and -EventId takes an integer.

$message = 'Event log entry created by PowerShell script.'
Write-EventLog -LogName 'PowerShell Scripts' -Source 'My Script' -EntryType Information -EventId 1 -Category 0 -Message $message

Show-EventLog


The Show-EventLog cmdlet opens Event Viewer on the local computer and displays in it all of the classic event logs on the local computer or a remote computer.[6]

Show-EventLog

Limit-EventLog


The Limit-EventLog cmdlet sets the maximum size of a classic event log, how long each event must be retained, and what happens when the log reaches its maximum size.[7]

Limit-EventLog -LogName 'PowerShell Scripts' -MaximumSize 1MB

Clear-EventLog


The Clear-EventLog cmdlet deletes all of the entries from the specified event logs on the local computer or on remote computers.[8] Clearing a log requires administrator rights and is itself audited: Windows records event ID 104 in the System log when a log is cleared, and event ID 1102 in the Security log when the Security log is cleared. Both IDs are a standard indicator of anti-forensic activity in detection rules, so clearing a production log should be a deliberate, documented step and never part of routine cleanup.

Clear-EventLog -LogName 'PowerShell Scripts'

Remove-EventLog


The Remove-EventLog cmdlet deletes an event log file from a local or remote computer and unregisters all of its event sources for the log. CAUTION: This cmdlet can delete operating system event logs, which might result in application failures and unexpected system behavior.[9]

Remove-EventLog -LogName 'PowerShell Scripts' -Confirm

Activities

  1. Review Microsoft TechNet: Processing Event Logs in PowerShell. Create a script that uses Get-WinEvent to retrieve Windows events:
    • Filter events to select both error (level 2) and warning (level 3) events for the previous 24 hours (1 day).
    • Use Format-List * to see all available event properties and their default names. For the script, select only the properties for Level, Time, Source, Event, Task, and Message and label them accordingly.
    • Use Sort-Object to sort the events in ascending order by time.
    • Use Format-List to format the events as a list and then use Out-String to format the output so that it does not exceed 100 characters in width.
  2. Review Microsoft TechNet: Use PowerShell to Create and to Use a New Event Log and How to Use PowerShell to Write to Event Logs. Create a script that uses a new event log:
    • Use New-EventLog to create a new event log and event source.
    • Use Write-EventLog to add an event to the new event log.
    • Use Limit-EventLog to limit the size of the new event log to 1MB.
    • Use Show-EventLog to view the new log and event in the Event Viewer. View properties for the log to verify the size limit.
  3. Review Microsoft TechNet: PowerShell.exe Command-Line Help and Microsoft TechNet: Trigger a PowerShell Script from a Windows Event. Create a script that responds to an event:
    • Create a new script with a single line of Show-EventLog. Save the file with a simple path and filename, such as c:\Events.ps1.
    • Run the Events.ps1 script to verify that it opens the Event Viewer. View the new log and event in the Event Viewer.
    • In Event Viewer use Attach Task to This Event to start PowerShell.exe with the arguments -file C:\Events.ps1 to run your script when the event occurs. The task runs with the privileges of the account chosen in the wizard every time the event fires, so keep the script in a location that only administrators can modify.
    • Open Task Scheduler and confirm that your task has been added to Event Viewer Tasks in the Task Scheduler Library.
    • Close Event Viewer.
    • Use Write-EventLog to add the same event to the event log again. Confirm that the event causes Event Viewer to be displayed.
    • Use Clear-EventLog to clear the event log. Refresh the view in Event Viewer to confirm that the log was cleared.
    • Use Remove-EventLog to remove the event log. Be sure to use the -Confirm option to confirm which log is being removed, and then refresh the view in Event Viewer to confirm that the log was removed.
    • Clean up by using Task Scheduler to delete the Event Viewer Task and using Windows Explorer to delete the C:\Events.ps1 script file.
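The following added script, which is not part of the original lesson, works through Activities 1 and 2 end to end so the individual steps can be seen together: the level-filtered query with renamed properties, sorting and width-limited output, then the creation, use, size limit and verification of a custom classic log. It assumes an elevated Windows PowerShell 5.1 session (the *-EventLog cmdlets are not available in PowerShell 7); the log name 'PowerShell Scripts' and source 'My Script' are taken from the lesson's own examples, and the function name is chosen here. The size limit is verified from the script with Get-WinEvent -ListLog rather than through the Event Viewer properties dialog.

```powershell
# Added example, not from the original lesson: Activities 1 and 2 as one script.
# Requires an elevated Windows PowerShell 5.1 session.
#Requires -RunAsAdministrator

$CustomLog    = 'PowerShell Scripts'   # log name from the lesson examples
$CustomSource = 'My Script'            # source name from the lesson examples

# ---- Activity 1: errors (level 2) and warnings (level 3) from the last day ----
function Get-RecentProblemEvents {
    param(
        [string[]]$LogName = 'System',   # one or more log names
        [int]$Days = 1,
        [int]$Width = 100                # maximum output width in characters
    )

    Get-WinEvent -FilterHashtable @{
        LogName   = $LogName
        Level     = @(2, 3)              # an array value matches any listed level
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |    # no match would otherwise raise an error
    Select-Object @{Name='Level';   Expression={$_.LevelDisplayName}},
                  @{Name='Time';    Expression={$_.TimeCreated}},
                  @{Name='Source';  Expression={$_.ProviderName}},
                  @{Name='Event';   Expression={$_.Id}},
                  @{Name='Task';    Expression={$_.TaskDisplayName}},
                  @{Name='Message'; Expression={$_.Message}} |
    Sort-Object Time |                   # ascending by time
    Format-List |
    Out-String -Width $Width
}

Get-RecentProblemEvents -LogName System, Application

# ---- Activity 2: create, write to, limit and verify a custom classic log ----
# New-EventLog fails if the source is already registered, so make this re-runnable.
if (-not [System.Diagnostics.EventLog]::SourceExists($CustomSource)) {
    New-EventLog -LogName $CustomLog -Source $CustomSource
}

Write-EventLog -LogName $CustomLog -Source $CustomSource -EntryType Information `
    -EventId 1 -Category 0 -Message 'Event log entry created by PowerShell script.'

# Cap the log at 1 MB and let new events overwrite the oldest ones.
Limit-EventLog -LogName $CustomLog -MaximumSize 1MB -OverflowAction OverwriteAsNeeded

# Verify the limit from the script; LogMode shows the overflow behaviour.
$config = Get-WinEvent -ListLog $CustomLog
'{0}: maximum {1} bytes, mode {2}' -f $config.LogName, $config.MaximumSizeInBytes, $config.LogMode

# Read the entry back through Get-WinEvent; for a classic log the registered
# source is reported as the provider name.
Get-WinEvent -FilterHashtable @{ LogName = $CustomLog; ProviderName = $CustomSource } -MaxEvents 5 |
    Select-Object TimeCreated, Id, ProviderName, Message

# Cleanup from Activity 3, left commented out because both steps destroy the
# log's history and are themselves recorded in the System log (event ID 104).
# Clear-EventLog  -LogName $CustomLog
# Remove-EventLog -LogName $CustomLog -Confirm
```

Run it twice: the second run skips New-EventLog because the source already exists, adds a second entry, and shows the same 1 MB limit, which is the behaviour a scheduled or repeatedly invoked script needs.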

Lesson Summary

  • Event Viewer lets administrators and users view the event logs on a local or remote Windows computer.[10]
  • Applications and operating-system components can use the centralized event log service to report events that have taken place.[11]
  • Event logs can be remotely viewed from other computers and multiple event logs can be centrally logged and monitored agentlessly and managed from a single computer.[12]
  • Events can also be directly associated with tasks, which run in the Task Scheduler and trigger automated actions when particular events take place.[13]
  • The Get-EventLog cmdlet gets events and event logs on local and remote computers. Get-EventLog works only on classic event logs. To get events from logs that use the Windows Event Log technology in Windows Vista and later versions of Windows, use Get-WinEvent.[14]
  • The Get-WinEvent cmdlet gets events from event logs, including classic logs, such as the System and Application logs, and the event logs that are generated by the Windows Event Log technology introduced in Windows Vista.[15]
  • The Select-Object cmdlet may be used to select specific event properties, and rename them as desired.[16]
  • The New-EventLog cmdlet creates a new classic event log on a local or remote computer. It can also register an event source that writes to the new log or to an existing log.[17]
  • The Write-EventLog cmdlet writes an event to an event log.[18]
  • The Show-EventLog cmdlet opens Event Viewer on the local computer and displays in it all of the classic event logs on the local computer or a remote computer.[19]
  • The Limit-EventLog cmdlet sets the maximum size of a classic event log, how long each event must be retained, and what happens when the log reaches its maximum size.[20]
  • The Clear-EventLog cmdlet deletes all of the entries from the specified event logs on the local computer or on remote computers.[21]
  • The Remove-EventLog cmdlet deletes an event log file from a local or remote computer and unregisters all of its event sources for the log.[22]
  • The PowerShell.exe command-line parameter -File <script> runs the specified script.[23]

Key Terms

Task Scheduler
A component of Microsoft Windows that provides the ability to schedule the launch of programs or scripts at pre-defined times or after specified time intervals.[24]

Review Questions

1. Event Viewer _____.
Event Viewer lets administrators and users view the event logs on a local or remote Windows computer.
2. Applications and operating-system components can use the centralized event log service to _____.
Applications and operating-system components can use the centralized event log service to report events that have taken place.
3. Event logs can be _____ from other computers and multiple event logs can be _____ from a single computer.
Event logs can be remotely viewed from other computers and multiple event logs can be centrally logged and monitored agentlessly and managed from a single computer.
4. Events can be directly associated with _____, which _____.
Events can be directly associated with tasks, which run in the Task Scheduler and trigger automated actions when particular events take place.
5. The Get-EventLog cmdlet _____.
The Get-EventLog cmdlet gets events and event logs on local and remote computers.
6. Get-EventLog works only on _____.
Get-EventLog works only on classic event logs.
7. To get events from logs that use the Windows Event Log technology in Windows Vista and later versions of Windows, use _____.
To get events from logs that use the Windows Event Log technology in Windows Vista and later versions of Windows, use Get-WinEvent.
8. The Get-WinEvent cmdlet _____.
The Get-WinEvent cmdlet gets events from event logs, including classic logs, such as the System and Application logs, and the event logs that are generated by the Windows Event Log technology introduced in Windows Vista.
9. The Select-Object cmdlet _____.
The Select-Object cmdlet may be used to select specific event properties, and rename them as desired.
10. The New-EventLog cmdlet _____.
The New-EventLog cmdlet creates a new classic event log on a local or remote computer. It can also register an event source that writes to the new log or to an existing log.
11. The Write-EventLog cmdlet _____.
The Write-EventLog cmdlet writes an event to an event log.
12. The Show-EventLog cmdlet _____.
The Show-EventLog cmdlet opens Event Viewer on the local computer and displays in it all of the classic event logs on the local computer or a remote computer.
13. The Limit-EventLog cmdlet _____.
The Limit-EventLog cmdlet sets the maximum size of a classic event log, how long each event must be retained, and what happens when the log reaches its maximum size.
14. The Clear-EventLog cmdlet _____.
The Clear-EventLog cmdlet deletes all of the entries from the specified event logs on the local computer or on remote computers.
15. The Remove-EventLog cmdlet _____.
The Remove-EventLog cmdlet deletes an event log file from a local or remote computer and unregisters all of its event sources for the log.
16. The PowerShell.exe command-line parameter _____ runs the specified script.
The PowerShell.exe command-line parameter -File <script> runs the specified script.

Assessments


See Also


References

  Type classification: this is a lesson resource.
  Completion status: this resource is considered to be complete.