{"id":4001,"date":"2009-05-21T00:10:00","date_gmt":"2009-05-21T00:10:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/powershell\/2009\/05\/21\/processing-event-logs-in-powershell\/"},"modified":"2019-02-18T13:12:37","modified_gmt":"2019-02-18T20:12:37","slug":"processing-event-logs-in-powershell","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/powershell\/processing-event-logs-in-powershell\/","title":{"rendered":"Processing Event Logs in PowerShell"},"content":{"rendered":"

PowerShell V2 ships with two sets of cmdlets for processing event logs, one is *-EventLog set and other is Get-WinEvent. <\/font><\/p>\n\n\n\n
\n

PS > gcm *EventLog -CommandType cmdlet<\/font><\/font><\/span><\/p>\n

CommandType     <\/span>Name                 <\/span>Definition<\/font><\/font><\/span><\/p>\n

———–     <\/span>         <\/span>—-          <\/span>                             <\/span>———-<\/font><\/font><\/span><\/p>\n

Cmdlet          <\/span>       <\/span>Clear-EventLog             <\/span>    <\/span>Clear-EventLog [-LogName] <String[]> [[-Computer…<\/font><\/font><\/span><\/p>\n

Cmdlet          <\/span>       <\/span>Get-EventLog                   <\/span>Get-EventLog [-LogName] <String> [[-InstanceId] …<\/font><\/font><\/span><\/p>\n

Cmdlet          <\/span>       <\/span>Limit-EventLog                 <\/span>Limit-EventLog [-LogName] <String[]> [-ComputerN…<\/font><\/font><\/span><\/p>\n

Cmdlet          <\/span>       <\/span>New-EventLog                 <\/span>New-EventLog [-LogName] <String> [-Source] <Stri…<\/font><\/font><\/span><\/p>\n

Cmdlet          <\/span>       <\/span>Remove-EventLog          <\/span>Remove-EventLog [-LogName] <String[]> [[-Compute…<\/font><\/font><\/span><\/p>\n

Cmdlet          <\/span>       <\/span>Show-EventLog               <\/span>Show-EventLog [[-ComputerName] <String>] [-Verbo…<\/font><\/font><\/span><\/p>\n

Cmdlet          <\/span>       <\/span>Write-EventLog               <\/span>Write-EventLog [-LogName] <String> [-Source] <St…<\/font><\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

 <\/font><\/p>\n

Reading Events:<\/font><\/font><\/b><\/p>\n

As you can see there are two cmdlets to GET events from event logs , Get-WinEvent and Get-EventLog. Having two cmdlets to do the same thing seems to be counter-intuitive and I will explain the difference between the two to remove the confusion.<\/font> <\/font><\/p>\n\n\n\n\n\n
\n

 <\/font><\/p>\n<\/td>\n

\n

Windows Event Logs (Crimson)<\/font><\/p>\n<\/td>\n

\n

Classical event logs<\/font><\/p>\n<\/td>\n

\n

Etl,evt, evtx files<\/font><\/p>\n<\/td>\n<\/tr>\n

\n

Get-WinEvent<\/font><\/a><\/p>\n<\/td>\n

\n

Yes<\/font><\/p>\n<\/td>\n

\n

Yes-Only on Vista and above<\/font><\/p>\n<\/td>\n

\n

Yes<\/font><\/p>\n<\/td>\n<\/tr>\n

\n

Get-EventLog<\/font><\/a><\/p>\n<\/td>\n

\n

No<\/font><\/p>\n<\/td>\n

\n

Yes <\/font><\/p>\n<\/td>\n

\n

No<\/font><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

As we can see, Get-WinEvent can handle a lot more that Get-EventLog does. If you are on Vista and above, Get-WinEvent is the recommend way to read the event logs, use Get-EventLog on XP and Win2k3. A quick check on the number of logs that these cmdlets can read (on Win7 RC)<\/font><\/p>\n\n\n\n
\n

PS > (Get-WinEvent -ListLog *).Count<\/font><\/font><\/span><\/p>\n

160<\/font><\/font><\/span><\/p>\n

PS > (Get-EventLog -List ).Count<\/font><\/font><\/span><\/p>\n

10<\/font><\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

 <\/font>Writing Events:<\/font><\/font><\/b><\/p>\n

Write-EventLog will write to a classical event log. You will first register the event source for the eventlog (needs elevation)<\/font><\/p>\n\n\n\n
\n

PS > new-eventlog -LogName Application -Source MySource<\/font><\/font><\/span><\/p>\n

PS > write-eventLog -LogName Application -Message “Hello Eventing World” -Source MySource -id 1234<\/font><\/font><\/span><\/p>\n

PS > get-eventlog -LogName Application -Source MySource<\/font><\/font><\/span><\/p>\n

 <\/font><\/span><\/p>\n

   <\/span>Index                 <\/span>Time      <\/span>               <\/span>EntryType   <\/span>         <\/span>Source             <\/span>InstanceID               <\/span>Message<\/font><\/font><\/span><\/p>\n

   <\/span>—–                    <\/span>—-          <\/span>              <\/span>———  <\/span> <\/span>              <\/span>——                 <\/span>———-                   <\/span>——-<\/font><\/font><\/span><\/p>\n

    <\/span>5153                 <\/span>May 20 22:01  <\/span>Information           <\/span>MySource    <\/span>1234                             <\/span>Hello Eventing World<\/font><\/font><\/span><\/p>\n

 <\/font><\/span><\/p>\n

PS > Get-Winevent -ProviderName MySource<\/font><\/font><\/span><\/p>\n

 <\/font><\/span><\/p>\n

TimeCreated                   <\/span>                  <\/span>ProviderName                                   <\/span>Id          <\/span>Message<\/font><\/font><\/span><\/p>\n

———–                   <\/span>                         <\/span>————                                             <\/span>—         <\/span>——-<\/font><\/font><\/span><\/p>\n

5\/20\/2009 10:01:52 PM         <\/span>        <\/span>MySource3                                         <\/span>1234     <\/span>Hello Eventing World<\/font><\/font><\/span><\/p>\n

 <\/font><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

You can also use new-eventlog to create custom event log.<\/font><\/p>\n\n\n\n
\n

PS >new-eventlog -LogName “MyLog” -Source “MySource”<\/font><\/font><\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

 <\/font>Caution: Remove-EventLog<\/font><\/font><\/b><\/p>\n

If you want to remove event log created by new-eventlog, Remove-EventLog will do that. However you should be extremely cautious in using this cmdlet as it can also delete event logs owned by operation system like Application and System. Although elevation is required to run this cmdlet but beware that you can\u2019t undo the removal.<\/font><\/p>\n

 <\/font><\/p>\n

Further Reading about *-EventLog<\/font><\/p>\n

http:\/\/www.computerperformance.co.uk\/powershell\/powershell_eventlog.htm<\/a> <\/p>\n

 <\/p>\n

Hope it helps,<\/font><\/p>\n

Osama Sajid, Program Manager<\/font><\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

PowerShell V2 ships with two sets of cmdlets for processing event logs, one is *-EventLog set and other is Get-WinEvent. PS > gcm *EventLog -CommandType cmdlet CommandType     Name                 Definition ———–              —-                                       ———- Cmdlet                 Clear-EventLog                 Clear-EventLog [-LogName] <String[]> [[-Computer… Cmdlet                 Get-EventLog                   Get-EventLog [-LogName] <String> [[-InstanceId] … Cmdlet                 Limit-EventLog                 Limit-EventLog [-LogName] <String[]> […]<\/p>\n","protected":false},"author":600,"featured_media":13641,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[160,47,183,363],"class_list":["post-4001","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-powershell","tag-event-log","tag-get-eventlog","tag-get-winevent","tag-write-eventlog"],"acf":[],"blog_post_summary":"

PowerShell V2 ships with two sets of cmdlets for processing event logs, one is *-EventLog set and other is Get-WinEvent. PS > gcm *EventLog -CommandType cmdlet CommandType     Name                 Definition ———–              —-                                       ———- Cmdlet                 Clear-EventLog                 Clear-EventLog [-LogName] <String[]> [[-Computer… Cmdlet                 Get-EventLog                   Get-EventLog [-LogName] <String> [[-InstanceId] … Cmdlet                 Limit-EventLog                 Limit-EventLog [-LogName] <String[]> […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/posts\/4001","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/users\/600"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/comments?post=4001"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/posts\/4001\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/media\/13641"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/media?parent=4001"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/categories?post=4001"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/tags?post=4001"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}