Automating the world one-liner at a time…
PowerShell V2 ships with two sets of cmdlets for processing event logs: the *-EventLog set and Get-WinEvent.
PS > gcm *EventLog -CommandType cmdlet
CommandType Name Definition
----------- ---- ----------
Cmdlet Clear-EventLog Clear-EventLog [-LogName] <String> [[-Computer...
Cmdlet Get-EventLog Get-EventLog [-LogName] <String> [[-InstanceId] ...
Cmdlet Limit-EventLog Limit-EventLog [-LogName] <String> [-ComputerN...
Cmdlet New-EventLog New-EventLog [-LogName] <String> [-Source] <Stri...
Cmdlet Remove-EventLog Remove-EventLog [-LogName] <String> [[-Compute...
Cmdlet Show-EventLog Show-EventLog [[-ComputerName] <String>] [-Verbo...
Cmdlet Write-EventLog Write-EventLog [-LogName] <String> [-Source] <St...
Notice that there are two cmdlets to GET events from event logs: Get-EventLog, from the set above, and Get-WinEvent. Having two cmdlets for what looks like the same job seems counter-intuitive, so here is the difference between them.
                                 Get-EventLog        Get-WinEvent
Classical event logs             Yes                 Yes
Windows Event Logs (Crimson)     No                  Yes
Etl, evt, evtx files             No                  Yes
Platform                         XP and above        Only on Vista and above
As we can see, Get-WinEvent can handle a lot more than Get-EventLog does; in particular, the Crimson channels introduced with Vista (the Microsoft-Windows-*/Operational logs) are only reachable through Get-WinEvent. On Vista and above, Get-WinEvent is the recommended way to read event logs; use Get-EventLog on XP and Win2k3. A quick check of the number of logs each cmdlet can read (on Win7 RC):
PS > (Get-WinEvent -ListLog *).Count
PS > (Get-EventLog -List ).Count
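The following is an added example, not code from the original post. It extends the log count above: it lists the channels only Get-WinEvent can see, reads the same classic log through both cmdlets so the differing property names are visible, and shows Get-EventLog failing on a Crimson channel. It assumes Vista or later with PowerShell V2 and .NET 3.5 (so Get-WinEvent exists) and that the Microsoft-Windows-TaskScheduler/Operational channel is present; the channel name is an assumption, any Microsoft-Windows-*/Operational log will do.

```powershell
# Added example: what Get-EventLog and Get-WinEvent can each see on Vista/Win7.
# Assumes PowerShell V2 with .NET 3.5; some channels need elevation to enumerate.

# Get-EventLog -List returns System.Diagnostics.EventLog objects; the name is in .Log
$classic = @(Get-EventLog -List | ForEach-Object { $_.Log })

# Get-WinEvent -ListLog returns EventLogConfiguration objects; the name is in .LogName.
# Analytic/debug channels error out when not elevated, so keep going past them.
$all = @(Get-WinEvent -ListLog * -ErrorAction SilentlyContinue | ForEach-Object { $_.LogName })

"Logs visible to Get-EventLog : $($classic.Count)"
"Logs visible to Get-WinEvent : $($all.Count)"

# Channels that only Get-WinEvent can read (Crimson / ETW channels)
"First ten logs Get-EventLog cannot see:"
$all | Where-Object { $classic -notcontains $_ } | Select-Object -First 10

# The same classic log read both ways; note the different property names
Get-EventLog -LogName System -Newest 3 |
    Select-Object TimeGenerated, EntryType, Source, EventID, Message
Get-WinEvent -LogName System -MaxEvents 3 |
    Select-Object TimeCreated, LevelDisplayName, ProviderName, Id, Message

# A Crimson channel (assumed to exist here) that Get-EventLog cannot open at all
$channel = 'Microsoft-Windows-TaskScheduler/Operational'
Get-WinEvent -LogName $channel -MaxEvents 3 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
try {
    Get-EventLog -LogName $channel -Newest 1 -ErrorAction Stop
} catch {
    "Get-EventLog cannot read '$channel': $($_.Exception.Message)"
}
```

For detection or incident-response work this matters: anything logged to an Operational channel rather than to Application, System or Security is invisible to a script built on Get-EventLog.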
Write-EventLog writes to a classical event log. First register the event source for the log with New-EventLog (needs elevation):
PS > new-eventlog -LogName Application -Source MySource
PS > write-eventLog -LogName Application -Message "Hello Eventing World" -Source MySource -id 1234
PS > get-eventlog -LogName Application -Source MySource
Index Time EntryType Source InstanceID Message
----- ---- --------- ------ ---------- -------
5153 May 20 22:01 Information MySource 1234 Hello Eventing World
PS > Get-Winevent -ProviderName MySource
TimeCreated ProviderName Id Message
----------- ------------ -- -------
5/20/2009 10:01:52 PM MySource 1234 Hello Eventing World
You can also use New-EventLog to create a custom event log:
PS >new-eventlog -LogName "MyLog" -Source "MySource"
If you want to remove an event log created by New-EventLog, Remove-EventLog will do that. Be extremely cautious with this cmdlet: it can also delete event logs owned by the operating system, such as Application and System. Elevation is required to run it, but the removal cannot be undone.
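The following is an added example, not code from the original post. It ties together the create/write/read steps above and the Remove-EventLog warning: the custom log from the post (MyLog, MySource) is created and written to, then removed through a wrapper that refuses OS-owned logs and exports the contents first, since removal cannot be undone. Remove-CustomEventLog and the $protected list are mine, not cmdlets or names from the post; run it elevated.

```powershell
# Added example: custom log round trip with a guarded removal. Run elevated.

# Logs the operating system owns; extend this list for your environment.
$protected = 'Application', 'System', 'Security'

function Remove-CustomEventLog {
    param([Parameter(Mandatory = $true)][string] $LogName)

    if ($protected -contains $LogName) {
        throw "Refusing to remove '$LogName': it is owned by the operating system."
    }
    if (-not (Get-EventLog -List | Where-Object { $_.Log -eq $LogName })) {
        throw "Log '$LogName' does not exist."
    }

    # Removal cannot be undone, so export whatever is in the log before deleting it.
    $backup = Join-Path $env:TEMP ("{0}-{1:yyyyMMddHHmmss}.csv" -f $LogName, (Get-Date))
    Get-EventLog -LogName $LogName -ErrorAction SilentlyContinue |
        Export-Csv -Path $backup -NoTypeInformation

    Remove-EventLog -LogName $LogName
    "Removed '$LogName'; previous contents saved to $backup"
}

# Create the log and register a source for it (both done by New-EventLog)
New-EventLog -LogName MyLog -Source MySource

# Write an entry and read it back with both cmdlets
Write-EventLog -LogName MyLog -Source MySource -EventId 1234 -EntryType Warning -Message "Hello Eventing World"
Get-EventLog -LogName MyLog -Source MySource
Get-WinEvent -ProviderName MySource

# Clean up; this throws instead of touching Application/System/Security
Remove-CustomEventLog -LogName MyLog
```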
Further Reading about *-EventLog: http://www.computerperformance.co.uk/powershell/powershell_eventlog.htm
Hope it helps,
Osama Sajid, Program Manager
? Limit-EventLog ?
Surely 'Set' would be a far better choice of verb than 'Limit'?
Why would you even bother to create a new cmdlet rather than enhancing Get-EventLog? I really do appreciate the improvement and I can see why Get-WinEvent would be my choice, but I would have liked it even better if you said, "Well, Get-EventLog on v2 can do a whole lot more than what you are used to"...
(I sound annoyed, but actually I am more curious instead)
Link should be http://www.computerperformance.co.uk/powershell/powershell_eventlog.htm
RT @Hogjowl : Link has been corrected. Thanks for pointing it out.
RT @ichoudhury : You are right, it would have been a better experience if Get-EventLog did everything. However, we made this a new cmdlet because a) the Windows Vista event model is very different, and b) it depends on .NET 3.5 and we didn't want to add this dependency to Get-EventLog (which is targeted towards XP/Win2k3).
Why do these cmdlets not work for V2 on VISTA?
I must be missing something, but
doesn't exist at all and
gcm *eventlog* -commandtype cmdlet
produces a single line describing Get-EventLog.
In part 1 of "Event logs in PowerShell" we talked about differences between Get-EventLog and Get-WinEvent.
The problem I'm running into is when trying to create a backup (.evt) of the event log on an x64 server. I'm unable to resolve the path for a log file unless I use the WMI class Win32_NTEventLogFile. Which isn't a terrible thing; unfortunately, Win32_NTEventLogFile doesn't seem to know about the system logs on my x64 servers (example results below) which reside in the WoW64 (not system32) folder.
Is there a similar .Net property to LogfileName that I can use when calling BackupEventLog in order to grab the file path of each event log?
The only properties returned by get-eventlog (that I am aware of) are...
I need to get the log into a CSV file.
LogName: Application, for "Error" and "Critical", and only for the last 7 days. How do I achieve this?
I tried with below, but result not as expected.
get-eventlog -logname application -entrytype error,critical | out-file c:/log.csv
1. Entrytype for "Critical" not working.
2. How to get only for last 7 days.
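The following is an added example, not code from the commenter or the post, showing how the question above maps onto the two cmdlets. Get-EventLog accepts only the classic entry types (Error, Warning, Information, SuccessAudit, FailureAudit), so "Critical" is not a valid -EntryType there; on Vista and above Get-WinEvent exposes the Level property, where 1 is Critical and 2 is Error. Out-File writes plain text, so Export-Csv is used for the CSV. The output path C:\log.csv is the one from the question.

```powershell
# Added example: Application-log errors from the last 7 days, exported as CSV.
$since = (Get-Date).AddDays(-7)

# Classic route (XP/Win2k3 and later). There is no Critical entry type in classic
# logs, so only Error can be requested; -After does the date filtering.
Get-EventLog -LogName Application -EntryType Error -After $since |
    Select-Object TimeGenerated, EntryType, Source, InstanceId, Message |
    Export-Csv -Path C:\log.csv -NoTypeInformation

# Vista and above: Get-WinEvent sees Level 1 (Critical) and 2 (Error) and lets the
# event log service do the filtering, which is much faster than Where-Object.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Level = 1, 2; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LevelDisplayName, ProviderName, Id, Message |
    Export-Csv -Path C:\log-winevent.csv -NoTypeInformation
```

-ErrorAction SilentlyContinue on the Get-WinEvent call suppresses the "No events were found" error that the cmdlet raises when nothing matches the filter.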