Bird
Raised Fist0
PowerShellscripting~5 mins

Event log reading in PowerShell

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Introduction

Event logs help you see what happened on your computer. Reading them lets you find problems or check important actions.

You want to check why your computer or program stopped working.
You need to see who logged into your computer and when.
You want to monitor if a program is running correctly.
You are troubleshooting errors after installing new software.
You want to keep a record of system warnings or failures.
Syntax
PowerShell
Get-EventLog -LogName <LogName> [-Newest <Number>] [-EntryType <Type>] [-After <DateTime>] [-Before <DateTime>]

-LogName is the name of the event log, like 'System' or 'Application'.

You can filter events by type (Error, Warning, Information) or by date.

Examples
Shows the 5 most recent events from the System log.
PowerShell
Get-EventLog -LogName System -Newest 5
Shows error events from the Application log in the last day.
PowerShell
Get-EventLog -LogName Application -EntryType Error -After (Get-Date).AddDays(-1)
Shows the 10 newest security events, like logins.
PowerShell
Get-EventLog -LogName Security -Newest 10
Sample Program

This script shows the last 3 error events from the System log. It prints the time, source, and message for each event.

PowerShell
Write-Host "Last 3 errors from System log:";
Get-EventLog -LogName System -EntryType Error -Newest 3 | ForEach-Object {
    Write-Host "Time:" $_.TimeGenerated;
    Write-Host "Source:" $_.Source;
    Write-Host "Message:" $_.Message;
    Write-Host "---";
}
OutputSuccess
Important Notes

You need to run PowerShell as Administrator to read some logs like Security.

Event logs can be large; filtering helps find what you need faster.

Use Get-EventLog -List to see all available logs on your system.

Summary

Event log reading helps find system or application issues.

Use Get-EventLog with filters to get specific events.

Always check the time, source, and message to understand each event.

Practice

(1/5)
1. What does the PowerShell cmdlet Get-EventLog primarily do?
easy
A. It creates new event logs on the system.
B. It retrieves entries from Windows event logs.
C. It deletes all event logs from the system.
D. It updates the event log service configuration.

Solution

  1. Step 1: Understand the purpose of Get-EventLog

    The cmdlet is designed to read and retrieve event log entries from Windows logs.

  2. Step 2: Compare with other options

    Creating, deleting, or updating logs are not functions of Get-EventLog; it only reads logs.

  3. Final Answer:

    It retrieves entries from Windows event logs. -> Option B

  4. Quick Check:

    Get-EventLog reads logs = A [OK]
Hint: Get-EventLog always reads logs, not modifies them [OK]
Common Mistakes:
  • Confusing reading logs with creating or deleting logs
  • Thinking it modifies event log settings
  • Assuming it works for non-Windows logs
2. Which of the following is the correct syntax to get the last 10 entries from the System event log in PowerShell?
easy
A. Get-EventLog -LogName System -Last 10
B. Get-EventLog -LogName System -Newest 10
C. Get-EventLog -Log System -Last 10
D. Get-EventLog -LogName System -Top 10

Solution

  1. Step 1: Identify correct parameter for log name

    The parameter to specify the log is '-LogName', so Get-EventLog -Log System -Last 10 is incorrect because it uses '-Log'.

  2. Step 2: Identify correct parameter for number of entries

    The correct parameter to get recent entries is '-Last', not '-Newest' or '-Top'.

  3. Final Answer:

    Get-EventLog -LogName System -Last 10 -> Option A

  4. Quick Check:

    Use -LogName and -Last for recent entries [OK]
Hint: Use -LogName and -Last to get recent events [OK]
Common Mistakes:
  • Using -Log instead of -LogName
  • Using -Newest or -Top which are invalid parameters
  • Mixing parameter names
3. What will be the output of this PowerShell command?
Get-EventLog -LogName Application -EntryType Error -Newest 2 | Select-Object -Property TimeGenerated, Source
medium
A. An error because Select-Object cannot be used after Get-EventLog.
B. All events from the Application log regardless of type.
C. The two most recent error events from the Application log showing their time and source.
D. The two oldest error events from the Application log with full details.

Solution

  1. Step 1: Analyze Get-EventLog parameters

    The command filters Application log entries to only 'Error' type and selects the newest 2 entries.

  2. Step 2: Understand Select-Object usage

    Select-Object limits output to only TimeGenerated and Source properties for those entries.

  3. Final Answer:

    The two most recent error events from the Application log showing their time and source. -> Option C

  4. Quick Check:

    Filters + selects properties = recent errors with time and source [OK]
Hint: Newest + EntryType filters recent errors; Select-Object picks fields [OK]
Common Mistakes:
  • Thinking it shows all events, not filtered
  • Confusing newest with oldest entries
  • Believing Select-Object causes errors here
4. You run this command but get an error:
Get-EventLog -LogName Security -EntryType Warning

What is the most likely cause?
medium
A. The Security log does not support filtering by EntryType Warning.
B. The -EntryType parameter is misspelled.
C. Get-EventLog cannot read the Security log at all.
D. You need to specify -Newest with -EntryType.

Solution

  1. Step 1: Understand Security log restrictions

    The Security log often does not support filtering by EntryType Warning because it mainly contains Audit Success or Failure events.

  2. Step 2: Check parameter correctness and usage

    The parameter is spelled correctly and Get-EventLog can read Security logs, so those are not causes.

  3. Final Answer:

    The Security log does not support filtering by EntryType Warning. -> Option A

  4. Quick Check:

    Security log limits EntryType filters = C [OK]
Hint: Security log has limited EntryType filters, no Warning [OK]
Common Mistakes:
  • Assuming EntryType is misspelled
  • Thinking Get-EventLog can't read Security log
  • Believing -Newest is required with -EntryType
5. You want to find all error events from the System log in the last 24 hours and export their TimeGenerated, Source, and Message to a CSV file. Which script correctly does this?
hard
A. Get-EventLog -LogName System | Where-Object { $_.EntryType -eq 'Error' -and $_.TimeGenerated -lt (Get-Date).AddDays(-1) } | Export-Csv -Path errors.csv
B. Get-EventLog -LogName System -EntryType Error -After (Get-Date).AddDays(-1) | Select-Object TimeGenerated, Source, Message | Export-Csv errors.csv
C. Get-EventLog -LogName System -EntryType Error -Newest 24 | Select TimeGenerated, Source, Message | Export-Csv -Path errors.csv
D. Get-EventLog -LogName System -EntryType Error | Where-Object { $_.TimeGenerated -gt (Get-Date).AddDays(-1) } | Select-Object TimeGenerated, Source, Message | Export-Csv -Path errors.csv -NoTypeInformation

Solution

  1. Step 1: Filter errors and time correctly

    Get-EventLog -LogName System -EntryType Error | Where-Object { $_.TimeGenerated -gt (Get-Date).AddDays(-1) } | Select-Object TimeGenerated, Source, Message | Export-Csv -Path errors.csv -NoTypeInformation uses Get-EventLog with EntryType Error, then filters events generated within last 24 hours using Where-Object and Get-Date().AddDays(-1).

  2. Step 2: Select needed properties and export

    It selects TimeGenerated, Source, and Message, then exports to CSV with -NoTypeInformation to avoid extra type info.

  3. Step 3: Check other options for errors

    Get-EventLog -LogName System -EntryType Error -After (Get-Date).AddDays(-1) | Select-Object TimeGenerated, Source, Message | Export-Csv errors.csv uses invalid -After parameter (not supported by Get-EventLog). Get-EventLog -LogName System -EntryType Error -Newest 24 | Select TimeGenerated, Source, Message | Export-Csv -Path errors.csv uses -Newest 24 which gets last 24 entries, not last 24 hours. Get-EventLog -LogName System | Where-Object { $_.EntryType -eq 'Error' -and $_.TimeGenerated -lt (Get-Date).AddDays(-1) } | Export-Csv -Path errors.csv filters for events older than 24 hours (-lt), opposite of requirement.

  4. Final Answer:

    Get-EventLog -LogName System -EntryType Error | Where-Object { $_.TimeGenerated -gt (Get-Date).AddDays(-1) } | Select-Object TimeGenerated, Source, Message | Export-Csv -Path errors.csv -NoTypeInformation -> Option D

  5. Quick Check:

    Filter by EntryType + Where-Object time + Select + Export-Csv = A [OK]
Hint: Use Where-Object with TimeGenerated for date filtering [OK]
Common Mistakes:
  • Using unsupported -After parameter with Get-EventLog
  • Confusing -Newest with time filtering
  • Filtering with wrong time comparison operator