Chapter 23. Event Logs
Introduction
Event logs form the core of most monitoring and diagnosis on Windows. To support this activity, PowerShell offers both the Get-EventLog and Get-WinEvent cmdlets to let you query and work with event log data on a system. In addition to simple event log retrieval, PowerShell also includes many other cmdlets to create, delete, customize, and interact with event logs.

In addition to the (now "classic") event logs exposed by the *-EventLog cmdlets, Windows Vista and later have a significantly expanded and revamped event logging system compared to Windows XP. The features of the new system are different enough that we expose them through an entirely separate cmdlet, Get-WinEvent. If you need to read events from Vista-style event logs (for example, the Microsoft-Windows-* Operational logs), you must use Get-WinEvent. If you need to read events from classic event logs (Application, System, Security), either cmdlet works. Note that Get-EventLog exists only in Windows PowerShell; PowerShell 7 and later ship Get-WinEvent alone, so scripts that must run there should use Get-WinEvent for classic logs as well.
List All Event Logs
Problem
You want to determine which event logs exist on a system.
Solution
To list all classic event logs on a system, use the -List parameter of the Get-EventLog cmdlet:
PS > Get-EventLog -List

  Max(K) Retain OverflowAction        Entries Log
  ------ ------ --------------        ------- ---
  20,480      0 OverwriteAsNeeded       1,933 Application
  15,168      0 OverwriteAsNeeded           0 DFS Replication
  20,480      0 OverwriteAsNeeded           0 HardwareEvents
     512      7 OverwriteOlder              0 Internet Explorer
  20,480      0 OverwriteAsNeeded           0 Key Management Service
   8,192      0 OverwriteAsNeeded           0 Media Center
     128      0 OverwriteAsNeeded           2 OAlerts
   1,024      7 OverwriteOlder            424 ScriptEvents
  ...
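The -List output above covers only the classic logs. The following script is an added example, not code from the Cookbook: it uses Get-WinEvent -ListLog to inventory every log the system knows about, classic and Vista-style alike, and applies a few checks a defender would want to run on the result. The 256 MB floor for the Security log and the choice of which logs to flag are assumptions for illustration, not Windows defaults.

```powershell
# Added example: inventory every event log, classic and modern alike, and apply
# a few defender-oriented checks. Thresholds and "healthy" settings below are
# assumptions for illustration, not Windows defaults.

# Get-WinEvent -ListLog * returns one EventLogConfiguration object per log.
# Some logs (Security, many Analytic/Debug logs) refuse non-elevated access;
# suppress those errors so one unreadable log does not abort the inventory.
$logs = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue

# Overview: name, type, enabled state, whether it is a classic log, size cap,
# overflow behaviour (Circular is the new name for OverwriteAsNeeded, Retain
# for DoNotOverwrite), record count and last write time.
$logs |
    Sort-Object LogName |
    Select-Object LogName, LogType, IsEnabled, IsClassicLog,
        @{ Name = 'MaxMB'; Expression = { [math]::Round($_.MaximumSizeInBytes / 1MB, 1) } },
        LogMode, RecordCount, LastWriteTime |
    Format-Table -AutoSize

# Check 1: a small, circular Security log is overwritten quickly on a busy host,
# destroying evidence before anyone looks at it. 256 MB is an assumed floor.
$minSecurityBytes = 256MB
$security = $logs | Where-Object { $_.LogName -eq 'Security' }
if ($security -and $security.LogMode -eq 'Circular' -and
    $security.MaximumSizeInBytes -lt $minSecurityBytes) {
    $mb = [math]::Round($security.MaximumSizeInBytes / 1MB)
    Write-Warning "Security log is $mb MB and circular; raise its size or use AutoBackup so events are archived rather than overwritten."
}

# Check 2: Operational logs that exist but are switched off. Some useful ones
# ship disabled (Microsoft-Windows-DNS-Client/Operational, for example), and
# an attacker with admin rights can disable others to blind detection.
Write-Host 'Disabled Operational logs:'
$logs |
    Where-Object { $_.LogType -eq 'Operational' -and -not $_.IsEnabled } |
    Select-Object LogName, OwningProviderName |
    Format-Table -AutoSize

# Check 3: enabled Administrative/Operational logs with zero records. On a
# system that has been up for a while this is either an unused feature or a
# log that was recently cleared (the clear itself is recorded as event 1102
# in Security and event 104 in System).
Write-Host 'Enabled logs with no records:'
$logs |
    Where-Object {
        $_.IsEnabled -and $_.RecordCount -eq 0 -and
        (@('Administrative', 'Operational') -contains [string]$_.LogType)
    } |
    Select-Object LogName, LogType |
    Format-Table -AutoSize
```

Run it from an elevated prompt to include the Security log and the Analytic/Debug logs in the inventory; without elevation those entries are simply missing rather than reported as errors, because of the -ErrorAction SilentlyContinue on the first line.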