Bird
Raised Fist0
PowerShellscripting~30 mins

Event log reading in PowerShell - Mini Project: Build & Apply

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Event log reading
📖 Scenario: You are a system administrator who needs to check recent events on a Windows computer to understand system behavior and troubleshoot issues.
🎯 Goal: Build a PowerShell script that reads the Windows event log, filters events by a specific event ID, and displays the filtered events.
📋 What You'll Learn
Create a variable with the name logName and set it to the string 'System'.
Create a variable with the name eventId and set it to the number 6005.
Use Get-WinEvent with a filter hashtable to get events from logName with the specified eventId.
Store the filtered events in a variable called filteredEvents.
Print the filteredEvents variable to display the events.
💡 Why This Matters
🌍 Real World
System administrators often need to check event logs to diagnose system problems or monitor system health.
💼 Career
Knowing how to read and filter event logs is a key skill for IT support, system administration, and cybersecurity roles.
Progress0 / 4 steps
1
Set the event log name
Create a variable called logName and set it to the string 'System'.
PowerShell
Hint

Use = to assign the string 'System' to the variable logName.

2
Set the event ID to filter
Create a variable called eventId and set it to the number 6005.
PowerShell
Hint

Assign the number 6005 to the variable eventId.

3
Get filtered events from the event log
Use Get-WinEvent with a filter hashtable to get events from logName with the specified eventId. Store the result in a variable called filteredEvents.
PowerShell
Hint

Use -FilterHashtable @{LogName=$logName; Id=$eventId} to filter events.

4
Display the filtered events
Print the variable filteredEvents to display the filtered event log entries.
PowerShell
Hint

Simply type the variable name $filteredEvents to print its contents.

Practice

(1/5)
1. What does the PowerShell cmdlet Get-EventLog primarily do?
easy
A. It creates new event logs on the system.
B. It retrieves entries from Windows event logs.
C. It deletes all event logs from the system.
D. It updates the event log service configuration.

Solution

  1. Step 1: Understand the purpose of Get-EventLog

    The cmdlet is designed to read and retrieve event log entries from Windows logs.

  2. Step 2: Compare with other options

    Creating, deleting, or updating logs are not functions of Get-EventLog; it only reads logs.

  3. Final Answer:

    It retrieves entries from Windows event logs. -> Option B

  4. Quick Check:

    Get-EventLog reads logs = A [OK]
Hint: Get-EventLog always reads logs, not modifies them [OK]
Common Mistakes:
  • Confusing reading logs with creating or deleting logs
  • Thinking it modifies event log settings
  • Assuming it works for non-Windows logs
2. Which of the following is the correct syntax to get the last 10 entries from the System event log in PowerShell?
easy
A. Get-EventLog -LogName System -Last 10
B. Get-EventLog -LogName System -Newest 10
C. Get-EventLog -Log System -Last 10
D. Get-EventLog -LogName System -Top 10

Solution

  1. Step 1: Identify correct parameter for log name

    The parameter to specify the log is '-LogName', so Get-EventLog -Log System -Last 10 is incorrect because it uses '-Log'.

  2. Step 2: Identify correct parameter for number of entries

    The correct parameter to get recent entries is '-Last', not '-Newest' or '-Top'.

  3. Final Answer:

    Get-EventLog -LogName System -Last 10 -> Option A

  4. Quick Check:

    Use -LogName and -Last for recent entries [OK]
Hint: Use -LogName and -Last to get recent events [OK]
Common Mistakes:
  • Using -Log instead of -LogName
  • Using -Newest or -Top which are invalid parameters
  • Mixing parameter names
3. What will be the output of this PowerShell command?
Get-EventLog -LogName Application -EntryType Error -Newest 2 | Select-Object -Property TimeGenerated, Source
medium
A. An error because Select-Object cannot be used after Get-EventLog.
B. All events from the Application log regardless of type.
C. The two most recent error events from the Application log showing their time and source.
D. The two oldest error events from the Application log with full details.

Solution

  1. Step 1: Analyze Get-EventLog parameters

    The command filters Application log entries to only 'Error' type and selects the newest 2 entries.

  2. Step 2: Understand Select-Object usage

    Select-Object limits output to only TimeGenerated and Source properties for those entries.

  3. Final Answer:

    The two most recent error events from the Application log showing their time and source. -> Option C

  4. Quick Check:

    Filters + selects properties = recent errors with time and source [OK]
Hint: Newest + EntryType filters recent errors; Select-Object picks fields [OK]
Common Mistakes:
  • Thinking it shows all events, not filtered
  • Confusing newest with oldest entries
  • Believing Select-Object causes errors here
4. You run this command but get an error:
Get-EventLog -LogName Security -EntryType Warning

What is the most likely cause?
medium
A. The Security log does not support filtering by EntryType Warning.
B. The -EntryType parameter is misspelled.
C. Get-EventLog cannot read the Security log at all.
D. You need to specify -Newest with -EntryType.

Solution

  1. Step 1: Understand Security log restrictions

    The Security log often does not support filtering by EntryType Warning because it mainly contains Audit Success or Failure events.

  2. Step 2: Check parameter correctness and usage

    The parameter is spelled correctly and Get-EventLog can read Security logs, so those are not causes.

  3. Final Answer:

    The Security log does not support filtering by EntryType Warning. -> Option A

  4. Quick Check:

    Security log limits EntryType filters = C [OK]
Hint: Security log has limited EntryType filters, no Warning [OK]
Common Mistakes:
  • Assuming EntryType is misspelled
  • Thinking Get-EventLog can't read Security log
  • Believing -Newest is required with -EntryType
5. You want to find all error events from the System log in the last 24 hours and export their TimeGenerated, Source, and Message to a CSV file. Which script correctly does this?
hard
A. Get-EventLog -LogName System | Where-Object { $_.EntryType -eq 'Error' -and $_.TimeGenerated -lt (Get-Date).AddDays(-1) } | Export-Csv -Path errors.csv
B. Get-EventLog -LogName System -EntryType Error -After (Get-Date).AddDays(-1) | Select-Object TimeGenerated, Source, Message | Export-Csv errors.csv
C. Get-EventLog -LogName System -EntryType Error -Newest 24 | Select TimeGenerated, Source, Message | Export-Csv -Path errors.csv
D. Get-EventLog -LogName System -EntryType Error | Where-Object { $_.TimeGenerated -gt (Get-Date).AddDays(-1) } | Select-Object TimeGenerated, Source, Message | Export-Csv -Path errors.csv -NoTypeInformation

Solution

  1. Step 1: Filter errors and time correctly

    Get-EventLog -LogName System -EntryType Error | Where-Object { $_.TimeGenerated -gt (Get-Date).AddDays(-1) } | Select-Object TimeGenerated, Source, Message | Export-Csv -Path errors.csv -NoTypeInformation uses Get-EventLog with EntryType Error, then filters events generated within last 24 hours using Where-Object and Get-Date().AddDays(-1).

  2. Step 2: Select needed properties and export

    It selects TimeGenerated, Source, and Message, then exports to CSV with -NoTypeInformation to avoid extra type info.

  3. Step 3: Check other options for errors

    Get-EventLog -LogName System -EntryType Error -After (Get-Date).AddDays(-1) | Select-Object TimeGenerated, Source, Message | Export-Csv errors.csv uses invalid -After parameter (not supported by Get-EventLog). Get-EventLog -LogName System -EntryType Error -Newest 24 | Select TimeGenerated, Source, Message | Export-Csv -Path errors.csv uses -Newest 24 which gets last 24 entries, not last 24 hours. Get-EventLog -LogName System | Where-Object { $_.EntryType -eq 'Error' -and $_.TimeGenerated -lt (Get-Date).AddDays(-1) } | Export-Csv -Path errors.csv filters for events older than 24 hours (-lt), opposite of requirement.

  4. Final Answer:

    Get-EventLog -LogName System -EntryType Error | Where-Object { $_.TimeGenerated -gt (Get-Date).AddDays(-1) } | Select-Object TimeGenerated, Source, Message | Export-Csv -Path errors.csv -NoTypeInformation -> Option D

  5. Quick Check:

    Filter by EntryType + Where-Object time + Select + Export-Csv = A [OK]
Hint: Use Where-Object with TimeGenerated for date filtering [OK]
Common Mistakes:
  • Using unsupported -After parameter with Get-EventLog
  • Confusing -Newest with time filtering
  • Filtering with wrong time comparison operator