PowerShell and the EventViewer

With PowerShell 2.0 being released with Windows 7 and Server 2008 R2 there are plenty of fun stuff to do.  Although what I'm about to show you is not specific to PowerShell 2.0 but it a great way to pull info from the Event Viewer.

When I'm presented with a problem on a server one of the first place I go is the Event Viewer.  Sure there are ways to filter it but I'd always wanted a way to dump that filter into another file to review later on another system.  PowerShell gives you a great method for displaying events as well as saving those results to a file.

The Event Log has several cmdlets available which can be seen here:

Get-EventLog
Clear-EventLog
Write-EventLog
Limit-EventLog
Show-EventLog
New-EventLog
Remove-EventLog

As you can see you can read an write to the Event Viewer here.  The Get-EventLog cmdlet is a favorite of mine.  With it you specify which Event Log to view and off you go.  Below is an example of using that command and showing how to only list the first 20 events.

Get-Eventlog -Logname System -Newest 20

Now if you want to save that you have several options.  You can save it as a text, htm or csv file.  Realize it may take awhile to build the whole file.  Below show the commands needed to output the files.

Get-Eventlog System | Out-file c:\Temp\system.txt
Get-Eventlog System | ConvertTo-html | Out-file c:\Temp\system.htm
Get-Eventlog System | ConvertTo-csv| Out-file c:\Temp\system.csv

The great thing is you dont have to show everything.  If you want you can filter by the Event ID by using the -instanceid switch.  Below is an example.

Get-Eventlog System -instanceid 4 | Out-file c:\Temp\EventID4.txt

As you can see PowerShell is really handy when it comes to EventLog management.  The best part is I havent even talked about Remoting.  You can use PowerShell to remote into other machines in your environment running PowerShell 2.  But that is another story...