Get-EventLog Cmdlet

This topic describes how to use the Get-EventLog cmdlet in Windows PowerShell to retrieve event logs from local and remote computers.

Syntax

Get-EventLog
    [-LogName] <string[]>
    [[-InstanceId] <long[]>]
    [-Newest <int>]
    [-After <datetime>]
    [-Before <datetime>]
    [-EntryType <System.Diagnostics.EventLogEntryType[]>]
    [-UserName <string[]>]
    [-ComputerName <string[]>]
    [-Credential <pscredential>]
    [<CommonParameters>]

Description

The Get-EventLog cmdlet retrieves events from one or more event logs on a local or remote computer. You can specify event logs by name, retrieve a specific number of the newest events, or filter events by ID, type, date, or user.

Parameters

  • -LogName: Specifies the names of the event logs to retrieve. For example, "Application", "Security", "System".
  • -InstanceId: Specifies the event IDs of the events to retrieve.
  • -Newest: Specifies the number of the newest events to retrieve from each log.
  • -After: Retrieves only events that occurred after the specified date and time.
  • -Before: Retrieves only events that occurred before the specified date and time.
  • -EntryType: Filters events based on their type (e.g., "Error", "Warning", "Information").
  • -UserName: Filters events based on the user who generated the event.
  • -ComputerName: Specifies the names of the computers from which to retrieve events.
  • -Credential: Specifies a user account that has permission to perform this action.

Examples

Example 1: Get all events from the Application log

Get-EventLog -LogName Application

Example 2: Get the 10 newest events from the System log

Get-EventLog -LogName System -Newest 10

Example 3: Get all Error events from the System log

Get-EventLog -LogName System -EntryType Error

Example 4: Get events from a remote computer

Get-EventLog -LogName Security -ComputerName Server01

Example 5: Filter events by Instance ID and date

Get-EventLog -LogName System -InstanceId 6008 -After (Get-Date).AddDays(-7)
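
The filters from the examples above combined into one triage query, as an added example that is not part of the original topic: it collects Error and Warning entries from the last seven days on several computers and counts them per source and event ID. The function name Get-EventSummary and the computer name Server02 are assumptions made for illustration.

```powershell
# Added example: Get-EventSummary is a hypothetical helper, not a built-in cmdlet.
function Get-EventSummary {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [string]$LogName = 'System',
        [string[]]$EntryType = @('Error', 'Warning'),
        [int]$Days = 7
    )

    $after = (Get-Date).AddDays(-$Days)

    $events = foreach ($computer in $ComputerName) {
        $query = @{
            LogName      = $LogName
            EntryType    = $EntryType
            After        = $after
            ComputerName = $computer
            ErrorAction  = 'Stop'   # make per-host errors catchable
        }
        try {
            Get-EventLog @query
        }
        catch {
            # An unreachable host or a filter with no matching entries is
            # reported for that host only; the remaining hosts are still queried.
            Write-Warning "${computer}: $($_.Exception.Message)"
        }
    }

    # One row per computer, source and event ID, most frequent first.
    $events |
        Group-Object -Property MachineName, Source, InstanceId |
        Sort-Object -Property Count -Descending |
        ForEach-Object {
            $sorted = @($_.Group | Sort-Object -Property TimeGenerated)
            [pscustomobject]@{
                Computer   = $sorted[0].MachineName
                Source     = $sorted[0].Source
                InstanceId = $sorted[0].InstanceId
                Count      = $_.Count
                FirstSeen  = $sorted[0].TimeGenerated
                LastSeen   = $sorted[-1].TimeGenerated
            }
        }
}

# Server01 comes from Example 4; Server02 is a constructed name.
Get-EventSummary -ComputerName 'Server01', 'Server02' | Format-Table -AutoSize
```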
