Diving Into Get-WinEvent in PowerShell

Welcome back to Wahmans PowerShell Blog! Today we’re taking a closer look at an extremely useful cmdlet for working with the Windows Event Log: Get-WinEvent.

What is Get-WinEvent?

The Get-WinEvent cmdlet is a flexible and powerful tool for retrieving events from local and remote event logs and event tracing log files. Whether you’re troubleshooting a system issue, gathering security audit logs, or just want to automate monitoring tasks, this cmdlet should be in your toolbox.

Example 1: Get the Latest Events from the System Log

This example is a great starting point for beginners. Here, we retrieve the 10 latest events from the System log.

Get-WinEvent -LogName System -MaxEvents 10

This will output the 10 most recent entries in the System log.

Example 2: Filtering Events by ID

Now let’s filter what we get more precisely. For instance, to find events with event ID 100 from the Application log:

Get-WinEvent -FilterHashtable @{LogName='Application'; Id=100}

This is great for pinpointing specific types of events like application start messages or service errors.

Example 3: Filtering by Date and Time Range

This example shows a more intermediate usage: filter System log entries by a time range.

$start = (Get-Date).AddDays(-1)
$end = Get-Date
Get-WinEvent -FilterHashtable @{LogName='System'; StartTime=$start; EndTime=$end}

This will gather events that occurred within the last 24 hours.

Example 4: Getting Events from a Remote Computer

For those looking to go further, you can also gather logs from a remote machine over PowerShell Remoting:

# Prompt for credentials and open a remoting session to the target machine.
$session = New-PSSession -ComputerName 'RemotePC' -Credential (Get-Credential)
Invoke-Command -Session $session -ScriptBlock {
    # Runs on RemotePC; reading the Security log requires administrative rights there.
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 5
}
# Close the session when finished so it is not left open on the remote host.
Remove-PSSession $session

This fetches the last five failed logon attempts (event ID 4625) from the Security log on the remote computer RemotePC.
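The following is an added example, not code from the original post: it combines the Id filter from Example 2 with the time-range filter from Example 3 on the Security log, then parses each 4625 event's XML so the failed logons can be grouped by source address. The look-back window and threshold are constructed values, and reading the Security log requires an elevated shell.

```powershell
# Added example, not from the original post: the Id and time-range filters from
# Examples 2 and 3 applied to Security event 4625, with each event's XML parsed so
# failed logons can be grouped by source address. Requires an elevated shell.
$Hours     = 24   # look-back window (constructed value)
$Threshold = 5    # failures per source that merit a closer look (constructed value)

$filter = @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-$Hours)
    EndTime   = Get-Date
}

# Get-WinEvent reports "no events found" as a non-terminating error; -ErrorAction Stop
# makes it catchable so an empty window is handled explicitly.
try {
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
} catch {
    Write-Warning "No 4625 events in the last $Hours hour(s), or access denied: $($_.Exception.Message)"
    return
}

# EventData fields are named <Data> nodes in the event XML; read them by name rather
# than by position in the Properties array.
function Get-EventField([xml]$Xml, [string]$Name) {
    ($Xml.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

$records = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = Get-EventField $x 'TargetUserName'
        Domain    = Get-EventField $x 'TargetDomainName'
        SourceIp  = Get-EventField $x 'IpAddress'
        LogonType = Get-EventField $x 'LogonType'
        SubStatus = Get-EventField $x 'SubStatus'   # NTSTATUS code giving the failure reason
    }
}

# Group by source address and list the sources at or above the threshold, with the
# accounts each one tried.
$records |
    Group-Object SourceIp |
    Where-Object Count -ge $Threshold |
    Sort-Object Count -Descending |
    Select-Object @{n='SourceIp'; e={$_.Name}}, Count,
                  @{n='Accounts'; e={($_.Group.Account | Sort-Object -Unique) -join ','}} |
    Format-Table -AutoSize
```

Wrap the whole block in the Invoke-Command script block from Example 4 to run the same summary against a remote host.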

Wrap Up

As you can see, Get-WinEvent offers a robust way to interact with the Windows Event Logs, ranging from fetching simple recent system events to retrieving filtered audit logs from remote machines. It’s a fantastic cmdlet for both beginner scripting tasks and more advanced automation workflows.

Happy scripting, and I will see you in the next post!
