Windows – How to show event logs containing specific text from powershell

Tags: event-log, powershell, windows

I'm trying to quickly show all events from the last ~day in the Windows event log which contain a certain string, in PowerShell.

I've found powershell commands for listing events, but I basically want to "GREP" them for specific text.

I need to use PowerShell because the target is Windows Server 2016 Hyper-V, but I think it would also be quite useful to be able to quickly search recent events on any machine with PowerShell.

To show available logs, I run:

PS C:\Users\Administrator> Get-EventLog -List

  Max(K) Retain OverflowAction        Entries Log
  ------ ------ --------------        ------- ---
  20,480      0 OverwriteAsNeeded       1,113 Application
  20,480      0 OverwriteAsNeeded           0 HardwareEvents
     512      7 OverwriteOlder              0 Internet Explorer
  20,480      0 OverwriteAsNeeded           0 Key Management Service
     512      7 OverwriteOlder          1,539 Microsoft-ServerManagementExperience
  20,480      0 OverwriteAsNeeded      28,667 Security
  20,480      0 OverwriteAsNeeded       4,857 System
  15,360      0 OverwriteAsNeeded       3,654 Windows PowerShell

In this example, my target log is called Application.

I can print the last 24 hours of log to console with:

Get-EventLog -LogName system -after (Get-Date).AddDays(-1)

I tried filtering the output using Select-String but that never matched any lines.

Best Answer

Here's what I ended up doing. It searches the value of several event properties for the text and shows them on the console:

$search = "hyper"

# Pull the last 24 hours of the System log, keep only entries whose Category,
# Message or Source contains the search text (compared in lower case so the
# match is case-insensitive), then print them as a wrapped table.
Get-EventLog -LogName system -after (Get-Date).AddDays(-1) |
    Where-Object {
        $_.Category.ToLower().Contains($search.ToLower()) -or
        $_.Message.ToLower().Contains($search.ToLower()) -or
        $_.Source.ToLower().Contains($search.ToLower())
    } |
    Format-Table -AutoSize -Wrap

Example Output:

   Index Time          EntryType   Source                 InstanceID Message
   ----- ----          ---------   ------                 ---------- -------
    4751 Aug 10 09:13  Information Microsoft-Windows...           23 NIC /DEVICE/{FD82EC81-DC0D-4655-B606-0AA9AF08E6CC} (Friendly Name: Microsoft Hyper-V Network Adapter) is now operational.
    4750 Aug 10 09:13  Information Microsoft-Windows...           11 The description for Event ID '11' in Source 'Microsoft-Windows-Hyper-V-Netvsc' cannot be found.  The local computer may not have the necessary registr...
    4749 Aug 10 09:13  Information Microsoft-Windows...           24 NIC /DEVICE/{FD82EC81-DC0D-4655-B606-0AA9AF08E6CC} (Friendly Name: Microsoft Hyper-V Network Adapter) is no longer operational.

I'm new to PowerShell so it might not be the best way, but it works. I hope it will save someone else some time.
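The reason Select-String never matched in the question is that it searches the string form of each input object, and an EventLogEntry renders as its type name rather than its message, so the text never reaches the matcher. The following is an added example, not the original poster's code, that wraps the same idea from the answer in a reusable function. It uses Get-WinEvent instead of Get-EventLog so that, besides the classic System and Application logs, the Microsoft-Windows-Hyper-V-* channels on a Hyper-V host can be searched too; the function name, parameter names, default log list and the Hyper-V channel wildcard are my own assumptions.

```powershell
# Added example (not from the original page): case-insensitive substring search
# over recent events in one or more logs, using Get-WinEvent.
function Find-RecentEvent {
    [CmdletBinding()]
    param(
        # Text to look for, e.g. "hyper"
        [Parameter(Mandatory)] [string] $Pattern,
        # Logs or channels to search; wildcards are accepted by FilterHashtable
        # (assumed defaults, change to taste)
        [string[]] $LogName = @('System', 'Application'),
        # How far back to look
        [int] $Hours = 24
    )

    # -like is case-insensitive by default. Escape the user's text so that
    # characters such as * or ? are matched literally, not as wildcards.
    $wildcard = '*' + [System.Management.Automation.WildcardPattern]::Escape($Pattern) + '*'
    $since    = (Get-Date).AddHours(-$Hours)

    foreach ($log in $LogName) {
        # Get-WinEvent reports "No events were found" as an error when the filter
        # matches nothing; SilentlyContinue keeps the loop going for other logs.
        Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue |
            Where-Object {
                # A $null Message (description not installed locally) simply fails
                # the -like test instead of throwing, unlike .ToLower().Contains()
                $_.Message         -like $wildcard -or
                $_.ProviderName    -like $wildcard -or
                $_.TaskDisplayName -like $wildcard
            } |
            Select-Object TimeCreated, LogName, Id, LevelDisplayName, ProviderName, Message
    }
}

# Usage: last 24 hours of System and Application mentioning "hyper"
Find-RecentEvent -Pattern 'hyper' | Format-Table -AutoSize -Wrap

# Usage: last two days across all Hyper-V channels (assumed wildcard channel name)
Find-RecentEvent -Pattern 'operational' -Hours 48 -LogName 'Microsoft-Windows-Hyper-V*' |
    Format-Table -AutoSize -Wrap
```

Matching on ProviderName and TaskDisplayName as well as Message mirrors the answer's Source and Category checks; if a search returns nothing on a Hyper-V host, check that the channel is enabled in Event Viewer, since Get-WinEvent only reads channels that are turned on.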
