Reading Event Logs (Part 3)

by Dec 10, 2020

In the previous tip we encouraged you to deprecate the Get-EventLog cmdlet and instead start using Get-WinEvent – because the latter is more powerful, and because the former is no longer supported in PowerShell 7.

One of the advantages of Get-WinEvent over Get-EventLog is its ability to read all Windows event logs, not just the classic event logs. To find out the names of these additional event logs, try this:

Get-WinEvent -ListLog * -ErrorAction Ignore | 
    # ...that have records...
    Where-Object RecordCount -gt 0 | 
    Sort-Object -Property RecordCount -Descending

This returns a list of all event logs on your system that contain data, sorted by the number of logged events. Obviously, the “classic” logs like “System” and “Application” will lead, but there are numerous additional logs with worthwhile information, i.e. “Microsoft-Windows-Windows Firewall With Advanced Security/Firewall”. Let’s check its content:

Get-WinEvent -FilterHashtable @{
  LogName = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
  } -MaxEvents 20

Since my system is using the built-in firewall, the result returns detailed information about changes to firewall rules and other configuration history.

This information would not have been available by using the deprecated Get-EventLog.

Twitter This Tip! ReTweet this Tip!