If you want to search a Windows event log for occurrences of a particular event ID, you can use the Windows PowerShell cmdlet get-eventlog. For example, to search the system event log, you would include the log name as a parameter after get-eventlog. If I wanted to search that log for all instances of event ID 5, I could use the command below:

c:\>powershell
Windows PowerShell
Copyright (C) 2014 Microsoft Corporation. All rights reserved.
PS c:\> get-eventlog "system" | where-object {$_.EventID -eq 5}
Index Time EntryType Source InstanceID Message
----- ---- --------- ------ ---------- -------
798 Nov 29 20:27 Error Microsoft-Windows... 5 The des...
PS C:\>

Sometimes there may be many occurrences of a particular event ID in a log file. You can limit the display to those before or after a particular date using -before or -after, as shown below for a search of the application event log, first without a date limit and then with each option:

PS C:\> get-eventlog -LogName "application" | where-object {$_.EventID -eq 753}
Index Time EntryType Source InstanceID Message
----- ---- --------- ------ ---------- -------
6239 Jan 25 22:29 Information Microsoft-Windows... 753 The Blo...
2108 Dec 27 21:17 Information Microsoft-Windows... 753 The Blo...
2099 Dec 27 21:00 Information Microsoft-Windows... 753 The Blo...
1380 Nov 29 22:18 Information Microsoft-Windows... 753 The Blo...
1359 Nov 29 22:05 Information Microsoft-Windows... 753 The Blo...
1278 Nov 29 20:37 Information Microsoft-Windows... 753 The Blo...
PS C:\> get-eventlog -LogName "application" -before 2015-01-01 | where-object {$_.EventID -eq 753}
Index Time EntryType Source InstanceID Message
----- ---- --------- ------ ---------- -------
2108 Dec 27 21:17 Information Microsoft-Windows... 753 The Blo...
2099 Dec 27 21:00 Information Microsoft-Windows... 753 The Blo...
1380 Nov 29 22:18 Information Microsoft-Windows... 753 The Blo...
1359 Nov 29 22:05 Information Microsoft-Windows... 753 The Blo...
1278 Nov 29 20:37 Information Microsoft-Windows... 753 The Blo...
PS C:\> get-eventlog -LogName "application" -after 2015-01-01 | where-object {$_.EventID -eq 753}
Index Time EntryType Source InstanceID Message
----- ---- --------- ------ ---------- -------
6239 Jan 25 22:29 Information Microsoft-Windows... 753 The Blo...
PS C:\>

If you only want to see error events in a log, e.g., errors in the application log, you could use a command such as the one shown below:

PS C:\> get-eventlog -LogName "application" -entrytype error
Index Time EntryType Source InstanceID Message
----- ---- --------- ------ ---------- -------
6599 Jan 31 20:19 Error Microsoft-Windows... 2005 There w...
6596 Jan 31 20:19 Error Microsoft-Windows... 2005 There w...
6455 Jan 28 22:38 Error Microsoft-Windows... 2006 There w...
6427 Jan 28 02:13 Error Microsoft-Windows... 513 Cryptog...
6383 Jan 27 21:55 Error VSS 8194 Volume ...
6340 Jan 26 19:31 Error VSS 8194 Volume ...
6240 Jan 25 22:29 Error Microsoft-Windows... 513 Cryptog...
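
The date and entry-type filters shown above can be combined in one call, and the matching entries summarised per day rather than listed one by one. The following is an added example, not part of the original page; the function name Get-EventIdSummary is hypothetical, and it assumes Windows PowerShell, where get-eventlog is available.

```powershell
# Added example: Get-EventIdSummary is a hypothetical helper name, not a built-in cmdlet.
function Get-EventIdSummary {
    param(
        [Parameter(Mandatory)] [string] $LogName,
        [Parameter(Mandatory)] [int[]]  $EventId,
        [datetime] $After,
        [datetime] $Before,
        [ValidateSet('Error','Information','FailureAudit','SuccessAudit','Warning')]
        [string[]] $EntryType
    )
    # Pass only the filters the caller supplied, so get-eventlog applies the
    # date and entry-type limits itself and where-object only checks the event ID.
    $query = @{ LogName = $LogName }
    foreach ($name in 'After','Before','EntryType') {
        if ($PSBoundParameters.ContainsKey($name)) { $query[$name] = $PSBoundParameters[$name] }
    }

    try {
        $entries = @(Get-EventLog @query -ErrorAction Stop |
                     Where-Object { $EventId -contains $_.EventID })
    }
    catch {
        # An unreadable log, or filters that get-eventlog cannot match, end up here.
        Write-Warning "get-eventlog failed for '$LogName': $($_.Exception.Message)"
        return
    }

    # One row per day, source and event ID: occurrence count plus first and last time seen.
    $entries |
        Group-Object { $_.TimeGenerated.ToString('yyyy-MM-dd') }, Source, EventID |
        ForEach-Object {
            $times = @($_.Group | Sort-Object TimeGenerated)
            [pscustomobject]@{
                Day     = $times[0].TimeGenerated.ToString('yyyy-MM-dd')
                Source  = $times[0].Source
                EventID = $times[0].EventID
                Count   = $_.Count
                First   = $times[0].TimeGenerated
                Last    = $times[-1].TimeGenerated
            }
        } | Sort-Object Day, Source
}

# The same kinds of search as on this page, summarised instead of listed entry by entry.
Get-EventIdSummary -LogName application -EventId 753 -Before 2015-01-01
Get-EventIdSummary -LogName application -EventId 513, 2005 -EntryType Error
```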

You can get help on using the get-eventlog cmdlet by typing help get-eventlog at a PowerShell prompt.

PS C:\> help get-eventlog
NAME
Get-EventLog
SYNTAX
Get-EventLog [-LogName] <string> [[-InstanceId] <long[]>] [-ComputerName
<string[]>] [-Newest <int>] [-After <datetime>] [-Before <datetime>]
[-UserName <string[]>] [-Index <int[]>] [-EntryType <string[]> {Error |
Information | FailureAudit | SuccessAudit | Warning}] [-Source <string[]>]
[-Message <string>] [-AsBaseObject] [<CommonParameters>]
Get-EventLog [-ComputerName <string[]>] [-List] [-AsString]
[<CommonParameters>]
ALIASES
None
REMARKS
Get-Help cannot find the Help files for this cmdlet on this computer. It
is displaying only partial help.
-- To download and install Help files for the module that includes
this cmdlet, use Update-Help.
-- To view the Help topic for this cmdlet online, type: "Get-Help
Get-EventLog -Online" or
go to http://go.microsoft.com/fwlink/?LinkID=113314.
PS C:\>
