SYNOPSIS
Gets events from event logs and event tracing log files on local and remote computers.
DESCRIPTION
The Get-WinEvent cmdlet gets events from event logs, including classic logs, such as the System and Application logs, and the event logs that are generated by the Windows Event Log technology introduced in Windows Vista. It also gets events in log files generated by Event Tracing for Windows (ETW).
Without parameters, a Get-WinEvent command gets all the events from all the event logs on the computer. To interrupt the command, press CTRL + C.
Get-WinEvent also lists event logs and event log providers. You can get events from selected logs or from logs generated by selected event providers. You can also combine events from multiple sources in a single command. Get-WinEvent allows you to filter events by using XPath queries, structured XML queries, and simplified hash-table queries.
SYNTAX
Get-WinEvent [[-LogName] <String[]>] [-ComputerName <String>] [-Credential <PSCredential>]
[-FilterXPath <String>] [-Force] [-MaxEvents <Int64>] [-Oldest] [<CommonParameters>]
Get-WinEvent [-ListProvider] <String[]> [-ComputerName <String>] [-Credential <PSCredential>] [<CommonParameters>]
Get-WinEvent [-ProviderName] <String[]> [-ComputerName <String>] [-Credential <PSCredential>] [-FilterXPath <String>] [-Force]
[-MaxEvents <Int64>] [-Oldest] [<CommonParameters>]
Get-WinEvent [-ListLog] <String[]> [-ComputerName <String>] [-Credential <PSCredential>] [-Force] [<CommonParameters>]
Get-WinEvent [-FilterHashtable] <Hashtable[]> [-ComputerName <String>] [-Credential <PSCredential>] [-Force] [-MaxEvents <Int64>]
[-Oldest] [<CommonParameters>]
Get-WinEvent [-FilterXml] <XmlDocument> [-ComputerName <String>] [-Credential <PSCredential>] [-MaxEvents <Int64>]
[-Oldest] [<CommonParameters>]
Get-WinEvent [-Path] <String[]> [-Credential <PSCredential>] [-FilterXPath <String>] [-MaxEvents <Int64>]
[-Oldest] [<CommonParameters>]
REAL-WORLD EXAMPLES
Get-WinEvent -FilterHashtable @{logname='system'; level=2,3} -MaxEvents 50
- creates a table of events with event source highlighted
- limits output to last 50 items from the system log
- selects only warning and critical items
Event Log levels
Name | Value |
---|---|
Verbose | 5 |
Informational | 4 |
Warning | 3 |
Critical | 2 |
Log Always | 1 |
Event Log DisplayNames
- Information
- Warning
- Critical
- Error
- Verbose
Get-WinEvent -ComputerName Server01 -FilterHashtable @{logname='system','application'; level=2,3} -MaxEvents 50 | more
- Grabs error and warning event logs from Server01
- limits to last 50 events
- saves results to a hashtable
Get-WinEvent -ComputerName Server01 -LogName Microsoft-Windows-GroupPolicy/Operational -MaxEvents 50 | Out-GridView
- grabs events from Group Policy Operational Log on Server01
- limits to 50 newest events
$date1 = [datetime]"4/27/2018"
$date2 = [datetime]"4/28/2018"
Get-WinEvent -FilterHashtable @{logname='application'; level=1,2,3} -ComputerName server01 |
Where-Object {$_.TimeCreated -gt $date1 -and $_.TimeCreated -lt $date2} | Out-GridView
- grabs application log events from the computer named server01 that occurred between 4/27 & 4/28/2018
- displays the list in gridview format
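
The date-range example above returns every matching event from server01 and only then discards those outside the window with Where-Object. As an added example (not from the original page; Get-EventWindow and its parameter defaults are hypothetical), the same window can be passed in the StartTime and EndTime keys of -FilterHashtable so the filtering happens at the source, and an empty result is kept distinct from a failed query:

```powershell
# Added example: Get-EventWindow is a hypothetical helper, not from the original page.
function Get-EventWindow {
    [CmdletBinding()]
    param(
        [string[]] $ComputerName = @('localhost'),
        [string[]] $LogName      = @('Application'),
        [int[]]    $Level        = @(1, 2, 3),   # same levels as the example above
        [Parameter(Mandatory)] [datetime] $StartTime,
        [Parameter(Mandatory)] [datetime] $EndTime,
        [long]     $MaxEvents    = 500
    )

    if ($EndTime -le $StartTime) {
        throw "EndTime ($EndTime) must be later than StartTime ($StartTime)."
    }

    # StartTime/EndTime are FilterHashtable keys, so the window is applied by
    # the event log query itself rather than by Where-Object on the client.
    # Both bounds are inclusive, unlike the -gt/-lt comparison above.
    $filter = @{
        LogName   = $LogName
        Level     = $Level
        StartTime = $StartTime
        EndTime   = $EndTime
    }

    foreach ($computer in $ComputerName) {
        try {
            Get-WinEvent -ComputerName $computer -FilterHashtable $filter `
                         -MaxEvents $MaxEvents -ErrorAction Stop |
                Select-Object MachineName, TimeCreated, LogName, Id,
                              LevelDisplayName, ProviderName, Message
        }
        catch {
            # Get-WinEvent reports an error when nothing matches; an empty
            # window is a normal result, not a collection failure.
            if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
                Write-Verbose "No matching events on $computer."
            }
            else {
                # Surface real failures so a missed host is not read as a quiet one.
                Write-Warning "Query failed on ${computer}: $($_.Exception.Message)"
            }
        }
    }
}

# Same window as the example above, filtered at the source.
Get-EventWindow -ComputerName Server01 -StartTime '4/27/2018' -EndTime '4/28/2018' | Out-GridView
```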