Searching the Event Viewer

 

Reading the Event Viewer is always useful to find error messages and poke around looking for clues to what's happening on the server.

The problem is that the interface is slow, not easy to filter results, and it's cumbersome to only see results corresponding to a specific timeframe. Once we get familiar with the powershell cmdlets, it becomes an efficient way to read the Event Viewer logs.

To read the event log, use the Get-EventLog cmdlet. Next, choose which log you want to read with -LogName Application, -LogName System or -LogName Security.

You can mix and match pretty much all of the parameters and techniques below:

  • If you want the 10 newest events, use -Newest:
Get-EventLog -LogName Application -Newest 10
  • To actually read the messages, pipe the output to Format-List and use -Property to select what to see (use a wildcard to see them all):
Get-EventLog -LogName Application -Newest 10 | Format-List -Property EntryType, Message, Source, TimeWritten
  • If you have too many results on your screen, you can use Out-Host -Paging, very similar to the "more" command in a Unix shell, to page through your results:
Get-EventLog -LogName Application -Newest 100 | Out-Host -Paging

 

Now that you can display your logs, we'll work on filtering the results:

  • The first set of useful filters is the -Before and -After parameters. For example, if you want the events between two dates:
Get-EventLog -LogName Application -Before '02/22/2016 15:00' -After '02/22/2016 12:00'
  • I really like to use -Before with -Newest, so I can get the 10 events immediately prior to the date given in -Before:
Get-EventLog -LogName Application -Before '02/22/2016 15:00' -Newest 10
  • -EntryType is useful to only see certain types. It accepts Error, Information, FailureAudit, SuccessAudit and Warning. For example, if you want to see the entries without having to sift through the "Login Successful" (SuccessAudit) entries, specify only the types you want to see:
Get-EventLog -LogName Application -Newest 20 -EntryType 'Error','Information','FailureAudit','Warning'
  • To list events only from a specific -Source, like MSSQLSERVER$ (wildcards work here too):
Get-EventLog -LogName Application -Newest 20 -EntryType 'Error','Information','FailureAudit','Warning' -Source MSSQL*
  • To search for a string, like "error", within the -Message:
Get-EventLog -LogName Application -Newest 20 -EntryType 'Error','Information','FailureAudit','Warning' -Message '*error*'
  • However, if you want to search for and filter out some strings, you will need to pipe the objects to Where-Object:
Get-EventLog -LogName Application -EntryType 'Error','Information','FailureAudit','Warning' -Newest 20 | Where-Object {$_.Message -notlike "Security policies*" -and $_.Message -notlike "Error reading*"}

  • Lastly, since most servers clear or recycle the event log, it's always important to know what the earliest recorded event is. The log itself records when it was cleared, and you can find that by running:
Get-EventLog -LogName System -Message '*cleared.'

or you can also filter based on source:

Get-EventLog -LogName System -Source '*Event'
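Putting the pieces above together, here is an added example (not from the original post) that pulls a time window from one log with the noisy messages dropped, uses the -Before/-Newest trick to warn when the log's oldest surviving record is newer than the window start (meaning the log was cleared or recycled and the view is incomplete), and lists the "log cleared" records themselves. The function names Get-EventWindow and Get-LogClearedEvents and their parameters are this example's own; Event ID 104 (System) and 1102 (Security) are Windows' standard "log was cleared" events.

```powershell
# Requires Windows PowerShell 5.1: Get-EventLog is not available in PowerShell 7,
# and reading the Security log needs an elevated session.

function Get-EventWindow {
    param(
        [string]$LogName = 'Application',
        [Parameter(Mandatory)][datetime]$After,
        [datetime]$Before = (Get-Date),
        [string[]]$EntryType = @('Error', 'Warning', 'FailureAudit'),
        [string[]]$ExcludeMessage = @()   # wildcard patterns to drop, e.g. 'Security policies*'
    )

    # Same idea as "-Before with -Newest" in the post: the newest record older than
    # the window start. If there is none, nothing survives from before $After, so the
    # log was cleared or recycled and the window below is truncated.
    $prior = Get-EventLog -LogName $LogName -Before $After -Newest 1 -ErrorAction SilentlyContinue
    if (-not $prior) {
        Write-Warning "$LogName has no records before $After; the log was probably cleared or recycled, so this window is incomplete."
    }

    $events = Get-EventLog -LogName $LogName -After $After -Before $Before -EntryType $EntryType -ErrorAction SilentlyContinue
    # Filtering on Message has to happen on the objects, as in the post's Where-Object example.
    foreach ($pattern in $ExcludeMessage) {
        $events = $events | Where-Object { $_.Message -notlike $pattern }
    }
    $events | Select-Object TimeGenerated, EntryType, Source, EventID, Message
}

function Get-LogClearedEvents {
    # Event ID 104 in System is written whenever any log is cleared by an administrator;
    # 1102 in Security is written when the Security log itself is cleared.
    param([datetime]$After = (Get-Date).AddDays(-30))

    $hits = @()
    $hits += Get-EventLog -LogName System   -After $After -ErrorAction SilentlyContinue | Where-Object { $_.EventID -eq 104 }
    $hits += Get-EventLog -LogName Security -After $After -ErrorAction SilentlyContinue | Where-Object { $_.EventID -eq 1102 }
    $hits | Select-Object TimeGenerated, Source, EventID, UserName, Message
}

# Usage: the last 24 hours of Application errors/warnings minus two noisy message
# families, then every log-clear recorded in the past 30 days.
Get-EventWindow -LogName Application -After (Get-Date).AddDays(-1) `
    -ExcludeMessage 'Security policies*', 'Error reading*' | Format-List
Get-LogClearedEvents | Format-Table -AutoSize
```

The UserName on a 104/1102 record tells you who cleared the log, which is worth checking whenever Get-EventWindow warns that a window is incomplete.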
