Fun with the Get-EventLog cmdlet

The Get-EventLog cmdlet is great for working with the Windows Event Logs on local and remote computers. It includes lots of parameters that make life much easier than using the Event Viewer GUI.

To list the available logs on the local computer, just execute:

Get-EventLog -List | Format-Table -AutoSize;

Max(K) Retain OverflowAction    Entries Log                   
------ ------ --------------    ------- ---                   
20,480      0 OverwriteAsNeeded  50,916 Application           
20,480      0 OverwriteAsNeeded       0 HardwareEvents        
   512      7 OverwriteOlder          0 Internet Explorer     
20,480      0 OverwriteAsNeeded       0 Key Management Service
 8,192      0 OverwriteAsNeeded      52 Media Center          
   128      0 OverwriteAsNeeded       3 OAlerts               
                                        Security              
20,480      0 OverwriteAsNeeded  56,258 System                
15,360      0 OverwriteAsNeeded   2,889 Windows PowerShell

It’s great for drilling down into the Event Logs to get the information you’re most interested in. For example, this line of PowerShell gets all Errors in the Application Event Log from the last 24 hours.

Get-EventLog -LogName Application -EntryType Error -After $(Get-Date).AddHours(-24) | Format-Table -AutoSize;

This snippet can pull out all the Event Log errors from any combination of servers and logs within the last 24 hours. Great for those morning checks!

# Set servers to query
$servers = @("server1", "server2", "server3");
# Set event logs to query
$logs = @("System", "Application");
 
Write-Host "Querying servers for event log errors in the last 24 hours...";
Write-Host "";
 
foreach($server in $servers)
{
	Write-Host $server;
	Write-Host "====================================";
	Write-Host "";
	foreach($log in $logs)
	{
		Write-Host "$log Event Log";
		Write-Host "=================";
		Get-EventLog -ComputerName $server -LogName $log -EntryType Error -After $(Get-Date).AddHours(-24) | Format-Table -AutoSize; 
	}
}

Querying servers for event log errors in the last 24 hours...

server1
====================================

System Event Log
=================

Index Time         EntryType Source                  InstanceID Message                                                  
----- ----         --------- ------                  ---------- -------                                                  
80222 Jul 26 19:56 Error     Service Control Manager 3221232472 The VMware vCenter Converter Standalone Worker service...
80221 Jul 26 19:56 Error     Service Control Manager 3221232481 A timeout was reached (30000 milliseconds) while waiti...
80220 Jul 26 19:55 Error     Service Control Manager 3221232472 The VMware vCenter Converter Standalone Server service...
80219 Jul 26 19:55 Error     Service Control Manager 3221232481 A timeout was reached (30000 milliseconds) while waiti...
80202 Jul 26 19:55 Error     Service Control Manager 3221232481 A timeout was reached (30000 milliseconds) while waiti...


Application Event Log
=================

Index Time         EntryType Source   InstanceID Message                                                                 
----- ----         --------- ------   ---------- -------                                                                 
90050 Jul 26 19:56 Error     VzCdbSvc          7 Failed to load the plug-in module. (GUID = {56F9312C-C989-4E04-8C23-2...
90048 Jul 26 19:56 Error     VzCdbSvc          7 Failed to load the plug-in module. (GUID = {48512A59-C8A5-4805-9048-2...


server2
====================================

System Event Log
=================

Index Time         EntryType Source                  InstanceID Message                                                  
----- ----         --------- ------                  ---------- -------                                                  
80222 Jul 26 19:56 Error     Service Control Manager 3221232472 The VMware vCenter Converter Standalone Worker service...
80221 Jul 26 19:56 Error     Service Control Manager 3221232481 A timeout was reached (30000 milliseconds) while waiti...
80220 Jul 26 19:55 Error     Service Control Manager 3221232472 The VMware vCenter Converter Standalone Server service...
80219 Jul 26 19:55 Error     Service Control Manager 3221232481 A timeout was reached (30000 milliseconds) while waiti...
80202 Jul 26 19:55 Error     Service Control Manager 3221232481 A timeout was reached (30000 milliseconds) while waiti...


Application Event Log
=================

Index Time         EntryType Source   InstanceID Message                                                                 
----- ----         --------- ------   ---------- -------                                                                 
90050 Jul 26 19:56 Error     VzCdbSvc          7 Failed to load the plug-in module. (GUID = {56F9312C-C989-4E04-8C23-2...
90048 Jul 26 19:56 Error     VzCdbSvc          7 Failed to load the plug-in module. (GUID = {48512A59-C8A5-4805-9048-2...


server3
====================================

System Event Log
=================

Index Time         EntryType Source                  InstanceID Message                                                  
----- ----         --------- ------                  ---------- -------                                                  
80222 Jul 26 19:56 Error     Service Control Manager 3221232472 The VMware vCenter Converter Standalone Worker service...
80221 Jul 26 19:56 Error     Service Control Manager 3221232481 A timeout was reached (30000 milliseconds) while waiti...
80220 Jul 26 19:55 Error     Service Control Manager 3221232472 The VMware vCenter Converter Standalone Server service...
80219 Jul 26 19:55 Error     Service Control Manager 3221232481 A timeout was reached (30000 milliseconds) while waiti...
80202 Jul 26 19:55 Error     Service Control Manager 3221232481 A timeout was reached (30000 milliseconds) while waiti...


Application Event Log
=================

Index Time         EntryType Source   InstanceID Message                                                                 
----- ----         --------- ------   ---------- -------                                                                 
90050 Jul 26 19:56 Error     VzCdbSvc          7 Failed to load the plug-in module. (GUID = {56F9312C-C989-4E04-8C23-2...
90048 Jul 26 19:56 Error     VzCdbSvc          7 Failed to load the plug-in module. (GUID = {48512A59-C8A5-4805-9048-2...
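
A more defensive form of the morning check, as an added example that is not the author's script: it treats the "No matches found" error (the GetEventLogNoEntriesFound error ID quoted in the comments on this page) as a clean log, reports any other query failure as a row instead of letting an unreachable server look healthy, and writes full messages to a file. The function name, the 'MorningCheck' source label and the CSV path are assumptions made for the example.

```powershell
# Added example. Server names, the 'MorningCheck' label and the CSV path are placeholders.
function Get-RecentEventLogError {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [string[]] $LogName = @('System', 'Application'),
        [int] $Hours = 24
    )

    # Compute the cut-off once so every server is checked against the same window.
    $after = (Get-Date).AddHours(-$Hours)

    foreach ($server in $ComputerName) {
        foreach ($log in $LogName) {
            try {
                Get-EventLog -ComputerName $server -LogName $log -EntryType Error `
                             -After $after -ErrorAction Stop |
                    Select-Object @{ n = 'Server'; e = { $server } },
                                  @{ n = 'Log';    e = { $log } },
                                  TimeGenerated, Source, EventID, Message
            }
            catch {
                # "No matches found" means the log has no errors in the window: not a failure.
                if ($_.FullyQualifiedErrorId -like 'GetEventLogNoEntriesFound*') { continue }

                # Anything else (host down, access denied, missing log) becomes a row,
                # so a server that could not be queried is never mistaken for a clean one.
                [pscustomobject]@{
                    Server        = $server
                    Log           = $log
                    TimeGenerated = (Get-Date)
                    Source        = 'MorningCheck'   # hypothetical label for this script's own rows
                    EventID       = $null
                    Message       = "QUERY FAILED: $($_.Exception.Message)"
                }
            }
        }
    }
}

$results = Get-RecentEventLogError -ComputerName 'server1', 'server2', 'server3'

# Full, untruncated messages go to a file; the console gets a count per server, log and source.
$results | Export-Csv -Path .\eventlog-errors.csv -NoTypeInformation
$results | Group-Object Server, Log, Source | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Get-EventLog ships only with Windows PowerShell (5.1 and earlier); in PowerShell 6 and later the cmdlet is not available and Get-WinEvent is the replacement.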

The GUI is dead, long live PowerShell!


12 Comments

  2. Joakim says:

    Hi!

    I’ve tested some of your scripts and I am very impressed. But I have a question. How can you get more of the Message? Sometimes there is not enough room for the error message and I need probably 200 digits before I can get the specified error message on my application. I know that the error reporting could be better but it cannot be fixed in the version of our application. Next version is much better.

    Keep up the good work!

    Best regards
    Joakim

  3. Rhys says:

    Hi Joakim,

    Get-EventLog -LogName Application -Newest 100 | Format-List will display the message better. Also you can work with the log entries one-by-one in a foreach loop and reference the message like $log_entry.Message.

    Cheers,

    Rhys

  4. Madhav says:

    How to redirect the entire output of this program directly to a file?

  5. Rhys says:

    Hi Madhav,

    Have a look at the Start-Transcript cmdlet.

    Cheers,

    Rhys

  6. RAVI KUMAR SINGh says:

    I am getting the below error for the System event log … it goes well for the Application event log

    System Event Log
    =================
    Get-EventLog : No matches found
    At F:\temp\event_log_error.ps1:31 char:3
    + Get-EventLog -ComputerName $server -LogName $log -EntryType Error -After $(Get …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (:) [Get-EventLog], ArgumentException
    + FullyQualifiedErrorId : GetEventLogNoEntriesFound,Microsoft.PowerShell.Commands.GetEventLogCommand

  7. Rhys says:

    Hi Ravi,

    Looks like you’ve just got no entries in this log. See here.

    Cheers,

    Rhys

  8. RAVI KUMAR SINGh says:

    Thanks Rhys for such a quick reply. Yes, I saw the system log manually, seems like all perfect.

    This is totally a different question

    1) I was looking for a script which can check application pool and website status on remote 2012 R2 servers. I tried all ways but still no success. Googled for 2 days at least to understand the error but yet no success. Any help will be highly appreciated. Below is the script (not sure how to upload, so pasting it directly).

    cls
    $farm = read-host ' Enter the cluster name for which you want to see app pool status '
    $path = "C:\gitrepos\mop-windows\config\clusters\$farm"

    if(!(Test-Path $path) )
    {
        Write-Host "farm name does not exist " -ForegroundColor Red
        exit
    }

    $servers = Get-Content $path

    $servers |ForEach-Object {

        invoke-command -computername $_ -scriptblock {

            Write-Host $_ -ForegroundColor Red

            try{
                Import-Module WebAdministration
                Get-WebApplication

                $webapps = Get-WebApplication
                $list = @()
                foreach ($webapp in get-childitem IIS:\AppPools\)
                {
                    $name = "IIS:\AppPools\" + $webapp.name
                    $item = @{}

                    $item.WebAppName = $webapp.name
                    #$item.Version = (Get-ItemProperty $name managedRuntimeVersion).Value
                    $item.State = (Get-WebAppPoolState -Name $webapp.name).Value
                    #$item.UserIdentityType = $webapp.processModel.identityType
                    #$item.Username = $webapp.processModel.userName
                    #$item.Password = $webapp.processModel.password

                    $obj = New-Object PSObject -Property $item
                    $list += $obj
                }

                $list | Format-Table -a -Property "WebAppName", "State"

                -Credential $credential;
            }
            catch
            {
                $ExceptionMessage = "Error in Line: " + $_.Exception.Line + ". " + $_.Exception.GetType().FullName + ": " + $_.Exception.Message + " Stacktrace: " + $_.Exception.StackTrace
                $ExceptionMessage
            }
        }
    }

    Just one thing: if I run the same from one of my servers in the cluster, it works perfectly. When I run it from my laptop, I run into an issue.

  9. RAVI KUMAR SINGh says:

    Just forgot to remove the below line from the script, which I added as part of troubleshooting. Please remove that and try:
    -Credential $credential;

  10. Rhys says:

    Hi Ravi,

    I’ve got no experience with PowerShell for this type of thing so anything will be guess-work. What’s the error you get? Do you have the WebAdministration module installed on your laptop?

    Cheers,

    Rhys

  11. RAVI KUMAR SINGh says:

    Yes, I have the WebAdministration module installed on both my local laptop and on the server also.
    The script worked; it was a VPN issue which was not forwarding my user/password. As soon as I logged into my office network, everything is working 🙂
    Thanks for the quick and prompt response as always.
