Powershell can provide event logs for particular events through a mix of Powershell cmdlets. The event logs could be any log including the system log, application log or the security log.
Below, we will study how to get event logs for a specific event in Powershell. In the later half of the study, we will also consider ways to export the log to a CSV file. CSV files can be very helpful in collecting significant data about the event logs.
Find event logs for a specific event in Powershell
When we wish to get the specific event based event logs, we will need to use the Get-Eventlog cmdlet. However, we will have to collect the logs based on the InstanceID contained in the event logs.
The exact command for determining the event logs from the system logs for particular event id is shared below. For ease of reference, we are looking at filtering the system log from the events log. We will also be using the cmdlet below to find the event logs for event id 566.
Event id 566 is generated by the Windows Kernel Power module. The event is of the type of an ‘INFORMATION’.
Before giving the command below, it may be pertinent to mention that you would be better off using the administrative privileges to execute this command. So, please run Powershell with administrative privileges.
Get-Eventlog -Logname System -InstanceId 566
In this command, we have used the following:
- Get-Eventlog cmdlet to run the command
- Logname is used to get the system logs. To use application logs, we would have set the -Logname Application option in the command.
- InstanceID 566 corresponds to the event ID 566.
The output of this command will display all the system event logs for specific event ID 566. The advantage of reading or studying this output is that we are able to figure out the first date of occurrence of the event.
We can also find the frequency of the event from the system logs. And, we can also find out if the event happens at specific hours of the day or specific days of the week. All this is made possible due to the historical data stored in the system logs.
The output of this command is displayed below as a screenshot:
This command can return up to 1000 entries for the specific event.
A useful variation of this command can be used to study the latest logs. Let us look at an alternate Powershell command that will generate the latest 10 events from the system log for the instance id or event id 566.
Get-Eventlog -Logname System -InstanceId 566 -Newest 10
The cmdlet above will give you the latest 10 entries from the system log on a Windows computer. The result of this command is represented in the screenshot below.
The second command is practically more useful. It would help you fetch the latest 10 instances of the log for a specific event ID.
Now, the next aspect of our tutorial is to export the logs to the CSV file. We will use the command below to fetch the latest 50 entries for event type 566. Subsequently, we will export the logs to a CSV file.
Get-Eventlog -Logname System -InstanceId 566 -Newest 50 | Export-CSV D:\test_folder_1\566logs.csv
The command above will get the latest 50 entries from the system log for the event id 566. The command output is piped to the Export-CSV directive. The Export-CSV directive will generate the CSV file and store all 50 entries in the file. You could validate the CSV file to check for occurrences of the event id 566 in the system logs.
We have gotten the system logs and exported them to a CSV file 566logs.csv on the disk drive. You can replace the target file and path information as per your choice and requirement.
Summary
In this Powershell tutorial, we learned the following:
- Fetching the system logs for a specific event id or instance ID.
- Fetching the 10 latest system logs for a specific event ID or instance ID.
- We learned how to get the 50 latest system log entries and export them to a CSV file on the disk.
We hope that this Powershell tutorial is helpful for you in getting the relevant information from the events log on a Windows computer.
Rajesh Dhawan is a technology professional who loves to write about Cyber-security events and stories, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.