Bird
Raised Fist0
PowerShellscripting~5 mins

Event log reading in PowerShell - Cheat Sheet & Quick Revision

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Recall & Review
beginner
What is the PowerShell cmdlet used to read Windows event logs?
The cmdlet is <code>Get-EventLog</code>. It lets you read entries from Windows event logs like Application, System, and Security.
Click to reveal answer
beginner
How do you specify which event log to read in PowerShell?
Use the -LogName parameter with Get-EventLog. For example, Get-EventLog -LogName System reads the System log.
Click to reveal answer
beginner
What parameter limits the number of event log entries returned?
The -Newest parameter limits how many recent entries you get. For example, -Newest 10 returns the last 10 events.
Click to reveal answer
intermediate
How can you filter event logs by event ID in PowerShell?
Use the -InstanceId parameter with Get-EventLog. For example, Get-EventLog -LogName Application -InstanceId 1000 shows events with ID 1000.
Click to reveal answer
intermediate
What is a simple way to read event logs and display only the message and time generated?
You can pipe Get-EventLog to Select-Object like this: Get-EventLog -LogName System -Newest 5 | Select-Object TimeGenerated, Message. This shows only the time and message of the last 5 events.
Click to reveal answer
Which cmdlet reads Windows event logs in PowerShell?
AShow-Log
BRead-Event
CGet-EventLog
DFetch-Event
How do you get the last 20 entries from the System log?
AGet-EventLog -LogName System -Newest 20
BGet-EventLog -LogName System -Last 20
CGet-EventLog -System -Count 20
DGet-EventLog -Log System -Top 20
Which parameter filters events by event ID?
A-EventId
B-Id
C-FilterId
D-InstanceId
What does this command do? Get-EventLog -LogName Application | Select-Object TimeGenerated, Message
AShows all Application events with only time and message
BDeletes Application events
CCreates a new event log
DFilters events by time
Which log name is NOT a default Windows event log?
ASystem
BUserEvents
CSecurity
DApplication
Explain how to read the last 10 entries from the System event log using PowerShell.
Think about the cmdlet and parameters to specify log and number of entries.
You got /4 concepts.
    Describe how to filter event log entries by event ID in PowerShell.
    Which parameter helps select events by their ID?
    You got /3 concepts.

      Practice

      (1/5)
      1. What does the PowerShell cmdlet Get-EventLog primarily do?
      easy
      A. It creates new event logs on the system.
      B. It retrieves entries from Windows event logs.
      C. It deletes all event logs from the system.
      D. It updates the event log service configuration.

      Solution

      1. Step 1: Understand the purpose of Get-EventLog

        The cmdlet is designed to read and retrieve event log entries from Windows logs.

      2. Step 2: Compare with other options

        Creating, deleting, or updating logs are not functions of Get-EventLog; it only reads logs.

      3. Final Answer:

        It retrieves entries from Windows event logs. -> Option B

      4. Quick Check:

        Get-EventLog reads logs = A [OK]
      Hint: Get-EventLog always reads logs, not modifies them [OK]
      Common Mistakes:
      • Confusing reading logs with creating or deleting logs
      • Thinking it modifies event log settings
      • Assuming it works for non-Windows logs
      2. Which of the following is the correct syntax to get the last 10 entries from the System event log in PowerShell?
      easy
      A. Get-EventLog -LogName System -Last 10
      B. Get-EventLog -LogName System -Newest 10
      C. Get-EventLog -Log System -Last 10
      D. Get-EventLog -LogName System -Top 10

      Solution

      1. Step 1: Identify correct parameter for log name

        The parameter to specify the log is '-LogName', so Get-EventLog -Log System -Last 10 is incorrect because it uses '-Log'.

      2. Step 2: Identify correct parameter for number of entries

        The correct parameter to get recent entries is '-Last', not '-Newest' or '-Top'.

      3. Final Answer:

        Get-EventLog -LogName System -Last 10 -> Option A

      4. Quick Check:

        Use -LogName and -Last for recent entries [OK]
      Hint: Use -LogName and -Last to get recent events [OK]
      Common Mistakes:
      • Using -Log instead of -LogName
      • Using -Newest or -Top which are invalid parameters
      • Mixing parameter names
      3. What will be the output of this PowerShell command?
      Get-EventLog -LogName Application -EntryType Error -Newest 2 | Select-Object -Property TimeGenerated, Source
      medium
      A. An error because Select-Object cannot be used after Get-EventLog.
      B. All events from the Application log regardless of type.
      C. The two most recent error events from the Application log showing their time and source.
      D. The two oldest error events from the Application log with full details.

      Solution

      1. Step 1: Analyze Get-EventLog parameters

        The command filters Application log entries to only 'Error' type and selects the newest 2 entries.

      2. Step 2: Understand Select-Object usage

        Select-Object limits output to only TimeGenerated and Source properties for those entries.

      3. Final Answer:

        The two most recent error events from the Application log showing their time and source. -> Option C

      4. Quick Check:

        Filters + selects properties = recent errors with time and source [OK]
      Hint: Newest + EntryType filters recent errors; Select-Object picks fields [OK]
      Common Mistakes:
      • Thinking it shows all events, not filtered
      • Confusing newest with oldest entries
      • Believing Select-Object causes errors here
      4. You run this command but get an error:
      Get-EventLog -LogName Security -EntryType Warning

      What is the most likely cause?
      medium
      A. The Security log does not support filtering by EntryType Warning.
      B. The -EntryType parameter is misspelled.
      C. Get-EventLog cannot read the Security log at all.
      D. You need to specify -Newest with -EntryType.

      Solution

      1. Step 1: Understand Security log restrictions

        The Security log often does not support filtering by EntryType Warning because it mainly contains Audit Success or Failure events.

      2. Step 2: Check parameter correctness and usage

        The parameter is spelled correctly and Get-EventLog can read Security logs, so those are not causes.

      3. Final Answer:

        The Security log does not support filtering by EntryType Warning. -> Option A

      4. Quick Check:

        Security log limits EntryType filters = C [OK]
      Hint: Security log has limited EntryType filters, no Warning [OK]
      Common Mistakes:
      • Assuming EntryType is misspelled
      • Thinking Get-EventLog can't read Security log
      • Believing -Newest is required with -EntryType
      5. You want to find all error events from the System log in the last 24 hours and export their TimeGenerated, Source, and Message to a CSV file. Which script correctly does this?
      hard
      A. Get-EventLog -LogName System | Where-Object { $_.EntryType -eq 'Error' -and $_.TimeGenerated -lt (Get-Date).AddDays(-1) } | Export-Csv -Path errors.csv
      B. Get-EventLog -LogName System -EntryType Error -After (Get-Date).AddDays(-1) | Select-Object TimeGenerated, Source, Message | Export-Csv errors.csv
      C. Get-EventLog -LogName System -EntryType Error -Newest 24 | Select TimeGenerated, Source, Message | Export-Csv -Path errors.csv
      D. Get-EventLog -LogName System -EntryType Error | Where-Object { $_.TimeGenerated -gt (Get-Date).AddDays(-1) } | Select-Object TimeGenerated, Source, Message | Export-Csv -Path errors.csv -NoTypeInformation

      Solution

      1. Step 1: Filter errors and time correctly

        Get-EventLog -LogName System -EntryType Error | Where-Object { $_.TimeGenerated -gt (Get-Date).AddDays(-1) } | Select-Object TimeGenerated, Source, Message | Export-Csv -Path errors.csv -NoTypeInformation uses Get-EventLog with EntryType Error, then filters events generated within last 24 hours using Where-Object and Get-Date().AddDays(-1).

      2. Step 2: Select needed properties and export

        It selects TimeGenerated, Source, and Message, then exports to CSV with -NoTypeInformation to avoid extra type info.

      3. Step 3: Check other options for errors

        Get-EventLog -LogName System -EntryType Error -After (Get-Date).AddDays(-1) | Select-Object TimeGenerated, Source, Message | Export-Csv errors.csv uses invalid -After parameter (not supported by Get-EventLog). Get-EventLog -LogName System -EntryType Error -Newest 24 | Select TimeGenerated, Source, Message | Export-Csv -Path errors.csv uses -Newest 24 which gets last 24 entries, not last 24 hours. Get-EventLog -LogName System | Where-Object { $_.EntryType -eq 'Error' -and $_.TimeGenerated -lt (Get-Date).AddDays(-1) } | Export-Csv -Path errors.csv filters for events older than 24 hours (-lt), opposite of requirement.

      4. Final Answer:

        Get-EventLog -LogName System -EntryType Error | Where-Object { $_.TimeGenerated -gt (Get-Date).AddDays(-1) } | Select-Object TimeGenerated, Source, Message | Export-Csv -Path errors.csv -NoTypeInformation -> Option D

      5. Quick Check:

        Filter by EntryType + Where-Object time + Select + Export-Csv = A [OK]
      Hint: Use Where-Object with TimeGenerated for date filtering [OK]
      Common Mistakes:
      • Using unsupported -After parameter with Get-EventLog
      • Confusing -Newest with time filtering
      • Filtering with wrong time comparison operator