Reading Event Logs (Part 2)

Dec 8, 2020

In the previous tip we encouraged you to deprecate the Get-EventLog cmdlet and instead start using Get-WinEvent – because the latter is more powerful, and because the former is no longer supported in PowerShell 7.

Let’s practice once more how to translate a Get-EventLog statement to Get-WinEvent. Here is the old one-liner that I’d like to translate. It returns all errors and warnings from the System event log that occurred in the past 48 hours:

$twoDaysAgo = (Get-Date).AddDays(-2)
Get-EventLog -LogName System -EntryType Error, Warning -After $twoDaysAgo 

And this is the equivalent line using Get-WinEvent, which works in every PowerShell version on Windows, including PowerShell 7:

$twoDaysAgo = (Get-Date).AddDays(-2)
Get-WinEvent -FilterHashtable @{
  LogName   = 'System'
  Level     = 2,3
  StartTime = $twoDaysAgo
}

It returns the same events, yet it is much faster, because the filter is evaluated by the event log service instead of after every record has been pulled and converted into an object. One subtlety: the legacy API behind Get-EventLog has no Critical entry type, so it reports Level 1 (Critical) events as Error; add 1 to the Level list if you want those as well. Here is the full list of keys you can use in the hash table:

 Key name      Data type    Wildcards allowed
 ------------  -----------  -----------------
 LogName       <String[]>   Yes
 ProviderName  <String[]>   Yes
 Path          <String[]>   No
 Keywords      <Long[]>     No
 ID            <Int32[]>    No
 Level         <Int32[]>    No
 StartTime     <DateTime>   No
 EndTime       <DateTime>   No
 UserID        <SID>        No
 Data          <String[]>   No
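As an added example (not part of the original tip), here is the same -FilterHashtable technique applied to a security question rather than the System log: failed logons (event ID 4625) from the Security log in the past 48 hours, combining the ProviderName, ID and StartTime keys from the table above. The function name Get-RecentFailedLogon and the -Hours/-MaxEvents parameters are this example's own; the named EventData fields (TargetUserName, IpAddress, LogonType, Status, SubStatus) are the standard fields of event 4625. Reading the Security log requires an elevated prompt.

```powershell
# Added example, not from the original tip: failed logons from the Security log
# using only -FilterHashtable keys documented for Get-WinEvent.
# Event ID 4625 = "An account failed to log on". Requires an elevated prompt.

function Get-RecentFailedLogon {
    [CmdletBinding()]
    param(
        [int]$Hours     = 48,    # look-back window (assumed default)
        [int]$MaxEvents = 500    # cap to keep a busy domain controller responsive
    )

    $filter = @{
        LogName      = 'Security'
        ProviderName = 'Microsoft-Windows-Security-Auditing'
        ID           = 4625
        StartTime    = (Get-Date).AddHours(-$Hours)
    }

    # Get-WinEvent raises a non-terminating error when nothing matches;
    # -ErrorAction SilentlyContinue turns "no events found" into an empty result.
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # The named EventData fields are only reachable through the event XML;
        # the Message property is localized text and not safe to parse.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            SourceIP    = $data['IpAddress']
            LogonType   = $data['LogonType']   # 3 = network, 10 = RDP, 2 = interactive
            Status      = $data['Status']      # 0xC000006D = bad user name or password
            SubStatus   = $data['SubStatus']   # 0xC000006A = wrong password, 0xC0000064 = no such user
        }
    }
}

# Usage: group failures by source address to spot password spraying or brute force.
Get-RecentFailedLogon -Hours 48 |
    Group-Object SourceIP |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Because the filter runs inside the event log service, this stays fast even on a Security log of several gigabytes, whereas the Get-EventLog equivalent would have to pull and deserialize every record before filtering. Swap the ID for 4624 (successful logon) or add a Level key to narrow further; every key in the table above can be combined in the same hash table.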
