Processing Event Logs in PowerShell

Processing Event Logs in PowerShell

  • Comments 8

PowerShell V2 ships with two sets of cmdlets for processing event logs, one is *-EventLog set and other is Get-WinEvent.

PS > gcm *EventLog -CommandType cmdlet

CommandType     Name                 Definition

-----------              ----                                       ----------

Cmdlet                 Clear-EventLog                 Clear-EventLog [-LogName] <String[]> [[-Computer...

Cmdlet                 Get-EventLog                   Get-EventLog [-LogName] <String> [[-InstanceId] ...

Cmdlet                 Limit-EventLog                 Limit-EventLog [-LogName] <String[]> [-ComputerN...

Cmdlet                 New-EventLog                 New-EventLog [-LogName] <String> [-Source] <Stri...

Cmdlet                 Remove-EventLog          Remove-EventLog [-LogName] <String[]> [[-Compute...

Cmdlet                 Show-EventLog               Show-EventLog [[-ComputerName] <String>] [-Verbo...

Cmdlet                 Write-EventLog               Write-EventLog [-LogName] <String> [-Source] <St...


Reading Events:

As you can see there are two cmdlets to GET events from event logs , Get-WinEvent and Get-EventLog. Having two cmdlets to do the same thing seems to be counter-intuitive and I will explain the difference between the two to remove the confusion. 


Windows Event Logs (Crimson)

Classical event logs

Etl,evt, evtx files



Yes-Only on Vista and above






As we can see, Get-WinEvent can handle a lot more that Get-EventLog does. If you are on Vista and above, Get-WinEvent is the recommend way to read the event logs, use Get-EventLog on XP and Win2k3. A quick check on the number of logs that these cmdlets can read (on Win7 RC)

PS > (Get-WinEvent -ListLog *).Count


PS > (Get-EventLog -List ).Count


 Writing Events:

Write-EventLog will write to a classical event log. You will first register the event source for the eventlog (needs elevation)

PS > new-eventlog -LogName Application -Source MySource

PS > write-eventLog -LogName Application -Message "Hello Eventing World" -Source MySource -id 1234

PS > get-eventlog -LogName Application -Source MySource


   Index                 Time                     EntryType            Source             InstanceID               Message

   -----                    ----                        ---------                 ------                 ----------                   -------

    5153                 May 20 22:01  Information           MySource    1234                             Hello Eventing World


PS > Get-Winevent -ProviderName MySource


TimeCreated                                     ProviderName                                   Id          Message

-----------                                            ------------                                             --         -------

5/20/2009 10:01:52 PM                 MySource3                                         1234     Hello Eventing World


You can also use new-eventlog to create custom event log.

PS >new-eventlog -LogName "MyLog" -Source "MySource"

 Caution: Remove-EventLog

If you want to remove event log created by new-eventlog, Remove-EventLog will do that. However you should be extremely cautious in using this cmdlet as it can also delete event logs owned by operation system like Application and System. Although elevation is required to run this cmdlet but beware that you can’t undo the removal.


Further Reading about *-EventLog


Hope it helps,

Osama Sajid, Program Manager


Leave a Comment
  • Please add 2 and 3 and type the answer here:
  • Post
  • ? Limit-EventLog ?

    Surely 'Set' would be a far better choice of verb than 'Limit'?

  • Why would you even bother to create a new cmdlet rather than enhancing get-eventlog ?  I really do appreciate the improvement and I can see why Get-WinEvent would be my choice, but I would have liked it even better if you said .. "Well, Get-eventlog on v2 can do whole lot more than what you are used to" ...


    PS > (Get-EventLog -List ).Count



    (I sound annoyed, but actually I am more curious instead)

  • Link should be

  • RT @Hogjowl : Link has been corrected. Thanks for pointing it out.

    RT @ichoudhury : You are right, it would have been a better experience if Get-EventLog did everything. However, we did this a new cmdlet because a) Windows Vista Event model is very different b) It depends on .NET 3.5 and we didn't want to add to this dependency on Get-Eventlog (which is targeted towards XP/win2k3)



  • Why do these cmdlets not work for V2 on VISTA?

    I must be missing something, but


    doesn't exist at all and

    gcm *eventlog* -commandtype cmdlet

    produces a single line describing Get_EventLog.

  • In part 1 of “ Event logs in Powershell ” we talked about differences between Get-EventLog and Get-WinEvent.

  • The problem I'm running into is when trying to create a backup (.evt) of the event log on a x64 server.  I'm unable to resolve the path for a log file unless I use the WMI class Win32_NTEventLogFile.  Which isn't a terrible thing, unfortunetly Win32_NTEventLogFile doesn't seem to know about the system logs on my x64 servers (example results below) which reside in WoW64 (not system32) folder.  




    Internet Explorer





    Internet Explorer



    Is there a similar .Net property to LogfileName that I can use when calling BackupEventLog in order to grab the file path of each event log?

    The only properties returned by get-eventlog (that I am aware of) are...














  • I need to get the Log in CSV file.

    Logname: Application, for "error" and "critical", and only for last 7 days. How to do achive this.

    I tried with below, but result not as expected.

    get-eventlog -logname application -entrytype error,critical | out-file c:/log.csv

    1. Entrytype for "Critical" not working.

    2. How to get only for last 7 days.

Page 1 of 1 (8 items)