Processing Event Logs in PowerShell
PowerShell V2 ships with two sets of cmdlets for processing event logs, one is *-EventLog set and other is Get-WinEvent.
|
PS > gcm *EventLog -CommandType cmdlet
CommandType Name Definition
----------- ---- ----------
Cmdlet Clear-EventLog Clear-EventLog [-LogName] <String[]> [[-Computer...
Cmdlet Get-EventLog Get-EventLog [-LogName] <String> [[-InstanceId] ...
Cmdlet Limit-EventLog Limit-EventLog [-LogName] <String[]> [-ComputerN...
Cmdlet New-EventLog New-EventLog [-LogName] <String> [-Source] <Stri...
Cmdlet Remove-EventLog Remove-EventLog [-LogName] <String[]> [[-Compute...
Cmdlet Show-EventLog Show-EventLog [[-ComputerName] <String>] [-Verbo...
Cmdlet Write-EventLog Write-EventLog [-LogName] <String> [-Source] <St... |
Reading Events:
As you can see there are two cmdlets to GET events from event logs , Get-WinEvent and Get-EventLog. Having two cmdlets to do the same thing seems to be counter-intuitive and I will explain the difference between the two to remove the confusion.
|
|
Windows Event Logs (Crimson) |
Classical event logs |
Etl,evt, evtx files |
|
Get-WinEvent |
Yes |
Yes-Only on Vista and above |
Yes |
|
Get-EventLog |
No |
Yes |
No |
As we can see, Get-WinEvent can handle a lot more that Get-EventLog does. If you are on Vista and above, Get-WinEvent is the recommend way to read the event logs, use Get-EventLog on XP and Win2k3. A quick check on the number of logs that these cmdlets can read (on Win7 RC)
|
PS > (Get-WinEvent -ListLog *).Count
160
PS > (Get-EventLog -List ).Count
10 |
Writing Events:
Write-EventLog will write to a classical event log. You will first register the event source for the eventlog (needs elevation)
|
PS > new-eventlog -LogName Application -Source MySource
PS > write-eventLog -LogName Application -Message "Hello Eventing World" -Source MySource -id 1234
PS > get-eventlog -LogName Application -Source MySource
Index Time EntryType Source InstanceID Message
----- ---- --------- ------ ---------- -------
5153 May 20 22:01 Information MySource 1234 Hello Eventing World
PS > Get-Winevent -ProviderName MySource
TimeCreated ProviderName Id Message
----------- ------------ -- -------
5/20/2009 10:01:52 PM MySource3 1234 Hello Eventing World
|
You can also use new-eventlog to create custom event log.
|
PS >new-eventlog -LogName "MyLog" -Source "MySource" |
Caution: Remove-EventLog
If you want to remove event log created by new-eventlog, Remove-EventLog will do that. However you should be extremely cautious in using this cmdlet as it can also delete event logs owned by operation system like Application and System. Although elevation is required to run this cmdlet but beware that you can’t undo the removal.
Further Reading about *-EventLog
http://www.computerperformance.co.uk/powershell/powershell_eventlog.htm
Hope it helps,
Osama Sajid, Program Manager
