Event log reading in PowerShell - Practice Problems & Coding Challenges

Challenge - 5 Problems
1. Command Output (intermediate)
What is the output of this PowerShell command reading event logs?
Given this command, what will it output?
PowerShell:
Get-EventLog -LogName System -Newest 3 | Select-Object -Property EventID, Source
A. Error: The term 'Get-EventLog' is not recognized as the name of a cmdlet
B. [{EventID=1001; Source=Application Error}, {EventID=7000; Source=Service Control Manager}, {EventID=6005; Source=EventLog}]
C. [{EventID=1001; Source=Service Control Manager}, {EventID=7000; Source=Service Control Manager}, {EventID=6005; Source=EventLog}]
D. [{EventID=4624; Source=Microsoft-Windows-Security-Auditing}, {EventID=4625; Source=Microsoft-Windows-Security-Auditing}, {EventID=4634; Source=Microsoft-Windows-Security-Auditing}]
💡 Hint
The System log contains events from system components like Service Control Manager.
2. Syntax (intermediate)
Which option correctly filters Application log events with EventID 1000?
Select the PowerShell command that correctly gets Application log events where EventID equals 1000.
A. Get-EventLog -LogName Application | Where { EventID == 1000 }
B. Get-EventLog -LogName Application | Where-Object { $_.EventID -eq 1000 }
C. Get-EventLog -LogName Application | Where-Object { EventID = 1000 }
D. Get-EventLog -LogName Application | Where-Object { $_.EventID = 1000 }
💡 Hint
Remember to use $_ to refer to the current object and -eq for comparison.
3. Debug (advanced)
Why does this script fail to get Security log events?
This script returns an error. What is the cause?
Get-EventLog -LogName Security -Newest 5
Error: Access is denied.
A. The user lacks the administrative privileges required to read the Security log.
B. The Security log does not exist on this system.
C. The -Newest parameter is not valid for the Security log.
D. The Get-EventLog cmdlet cannot read any logs on this system.
💡 Hint
Security logs require special permissions to access.
4. Application (advanced)
How to export the last 10 System log events to a CSV file?
Which command exports the last 10 events from the System log to a CSV file named systemlog.csv?
A. Get-EventLog -LogName System -Newest 10 > systemlog.csv
B. Get-EventLog -LogName System | Select-Object -Last 10 | Export-Csv systemlog.csv
C. Get-EventLog -LogName System -Last 10 | Export-Csv -Path systemlog.csv
D. Get-EventLog -LogName System -Newest 10 | Export-Csv -Path systemlog.csv -NoTypeInformation
💡 Hint
Use the -Newest parameter and Export-Csv with -NoTypeInformation to avoid extra type info.
5. Conceptual (expert)
What is the main difference between Get-EventLog and Get-WinEvent for reading event logs?
Choose the correct statement about the difference between Get-EventLog and Get-WinEvent.
A. Get-WinEvent supports newer event logs and XML filtering, while Get-EventLog only supports classic logs.
B. Get-EventLog can read all event logs including Security, but Get-WinEvent cannot.
C. Get-EventLog is faster and more efficient than Get-WinEvent for all logs.
D. Get-WinEvent only works on Windows Server editions, not on client Windows.
💡 Hint
One cmdlet is newer and more powerful with advanced filtering.

Practice

1. What does the PowerShell cmdlet Get-EventLog primarily do?
easy
A. It creates new event logs on the system.
B. It retrieves entries from Windows event logs.
C. It deletes all event logs from the system.
D. It updates the event log service configuration.

Solution

  1. Step 1: Understand the purpose of Get-EventLog

    The cmdlet is designed to read and retrieve event log entries from Windows logs.
  2. Step 2: Compare with other options

    Creating, deleting, or updating logs are not functions of Get-EventLog; it only reads logs.
  3. Final Answer:

    It retrieves entries from Windows event logs. -> Option B
  4. Quick Check:

    Get-EventLog reads logs = A [OK]
Hint: Get-EventLog always reads logs; it never modifies them [OK]
Common Mistakes:
  • Confusing reading logs with creating or deleting logs
  • Thinking it modifies event log settings
  • Assuming it works for non-Windows logs
2. Which of the following is the correct syntax to get the last 10 entries from the System event log in PowerShell?
easy
A. Get-EventLog -LogName System -Last 10
B. Get-EventLog -LogName System -Newest 10
C. Get-EventLog -Log System -Last 10
D. Get-EventLog -LogName System -Top 10

Solution

  1. Step 1: Identify correct parameter for log name

    The parameter to specify the log is '-LogName', so Get-EventLog -Log System -Last 10 is incorrect because it uses '-Log'.
  2. Step 2: Identify correct parameter for number of entries

    The correct parameter to get recent entries is '-Last', not '-Newest' or '-Top'.
  3. Final Answer:

    Get-EventLog -LogName System -Last 10 -> Option A
  4. Quick Check:

    Use -LogName and -Last for recent entries [OK]
Hint: Use -LogName and -Last to get recent events [OK]
Common Mistakes:
  • Using -Log instead of -LogName
  • Using -Newest or -Top which are invalid parameters
  • Mixing parameter names
3. What will be the output of this PowerShell command?
Get-EventLog -LogName Application -EntryType Error -Newest 2 | Select-Object -Property TimeGenerated, Source
medium
A. An error because Select-Object cannot be used after Get-EventLog.
B. All events from the Application log regardless of type.
C. The two most recent error events from the Application log showing their time and source.
D. The two oldest error events from the Application log with full details.

Solution

  1. Step 1: Analyze Get-EventLog parameters

    The command filters Application log entries to only 'Error' type and selects the newest 2 entries.
  2. Step 2: Understand Select-Object usage

    Select-Object limits output to only TimeGenerated and Source properties for those entries.
  3. Final Answer:

    The two most recent error events from the Application log showing their time and source. -> Option C
  4. Quick Check:

    Filters + selects properties = recent errors with time and source [OK]
Hint: Newest + EntryType filters recent errors; Select-Object picks fields [OK]
Common Mistakes:
  • Thinking it shows all events, not filtered
  • Confusing newest with oldest entries
  • Believing Select-Object causes errors here
4. You run this command but get an error:
Get-EventLog -LogName Security -EntryType Warning

What is the most likely cause?
medium
A. The Security log does not support filtering by EntryType Warning.
B. The -EntryType parameter is misspelled.
C. Get-EventLog cannot read the Security log at all.
D. You need to specify -Newest with -EntryType.

Solution

  1. Step 1: Understand Security log restrictions

    The Security log often does not support filtering by EntryType Warning because it mainly contains Audit Success or Failure events.
  2. Step 2: Check parameter correctness and usage

    The parameter is spelled correctly and Get-EventLog can read Security logs, so those are not causes.
  3. Final Answer:

    The Security log does not support filtering by EntryType Warning. -> Option A
  4. Quick Check:

    Security log limits EntryType filters = C [OK]
Hint: Security log has limited EntryType filters, no Warning [OK]
Common Mistakes:
  • Assuming EntryType is misspelled
  • Thinking Get-EventLog can't read Security log
  • Believing -Newest is required with -EntryType
5. You want to find all error events from the System log in the last 24 hours and export their TimeGenerated, Source, and Message to a CSV file. Which script correctly does this?
hard
A. Get-EventLog -LogName System | Where-Object { $_.EntryType -eq 'Error' -and $_.TimeGenerated -lt (Get-Date).AddDays(-1) } | Export-Csv -Path errors.csv
B. Get-EventLog -LogName System -EntryType Error -After (Get-Date).AddDays(-1) | Select-Object TimeGenerated, Source, Message | Export-Csv errors.csv
C. Get-EventLog -LogName System -EntryType Error -Newest 24 | Select TimeGenerated, Source, Message | Export-Csv -Path errors.csv
D. Get-EventLog -LogName System -EntryType Error | Where-Object { $_.TimeGenerated -gt (Get-Date).AddDays(-1) } | Select-Object TimeGenerated, Source, Message | Export-Csv -Path errors.csv -NoTypeInformation

Solution

  1. Step 1: Filter errors and time correctly

    Get-EventLog -LogName System -EntryType Error | Where-Object { $_.TimeGenerated -gt (Get-Date).AddDays(-1) } | Select-Object TimeGenerated, Source, Message | Export-Csv -Path errors.csv -NoTypeInformation uses Get-EventLog with EntryType Error, then keeps only events generated within the last 24 hours using Where-Object and (Get-Date).AddDays(-1).
  2. Step 2: Select needed properties and export

    It selects TimeGenerated, Source, and Message, then exports to CSV with -NoTypeInformation to avoid extra type info.
  3. Step 3: Check other options for errors

    Option B, Get-EventLog -LogName System -EntryType Error -After (Get-Date).AddDays(-1) | Select-Object TimeGenerated, Source, Message | Export-Csv errors.csv, uses the invalid -After parameter (not supported by Get-EventLog).
    Option C, Get-EventLog -LogName System -EntryType Error -Newest 24 | Select TimeGenerated, Source, Message | Export-Csv -Path errors.csv, uses -Newest 24, which gets the last 24 entries, not the last 24 hours.
    Option A, Get-EventLog -LogName System | Where-Object { $_.EntryType -eq 'Error' -and $_.TimeGenerated -lt (Get-Date).AddDays(-1) } | Export-Csv -Path errors.csv, filters for events older than 24 hours (-lt), the opposite of the requirement.
  4. Final Answer:

    Get-EventLog -LogName System -EntryType Error | Where-Object { $_.TimeGenerated -gt (Get-Date).AddDays(-1) } | Select-Object TimeGenerated, Source, Message | Export-Csv -Path errors.csv -NoTypeInformation -> Option D
  5. Quick Check:

    Filter by EntryType + Where-Object time + Select + Export-Csv = A [OK]
Hint: Use Where-Object with TimeGenerated for date filtering [OK]
Common Mistakes:
  • Using unsupported -After parameter with Get-EventLog
  • Confusing -Newest with time filtering
  • Filtering with wrong time comparison operator