Raleigh Finance

Jun 7 2018

Windows 8 System Log

Most of the operating systems’ problems are recorded in the System log. Sometimes it’s more convenient to use the Event Viewer, while at other times PowerShell is quicker.

Windows 8 System Log Topics

Getting Started – Finding the Windows 8 System Log

I am going to show you two methods to research the System log entries, they work really well in tandem. By that I mean the Event View will teach you about PowerShell.

Launch the Windows 8 Event Viewer
To get started with the Event Viewer press Winkey +w, this launches the Search box with the focus on Settings. Now type: ev you should see ‘View event logs’.

Once the Event Viewer has initialized if you expand ‘Windows logs’ you can see ‘System’.

PowerShell Equivalent: List the Last 20 System Events with PowerShell

Starting from the Metro UI, start typing: ‘Pow’. You should see two PowerShell Apps, I prefer to select the ISE version because it has a GUI. There are two cmdlets for displaying the logs; Get-EventViewer and Get-WinEvent, in either case remember to specify the -LogName.

# PowerShell Windows 8 System Event Logs
Get-WinEvent -LogName System -MaxEvents 20

Note 1: The parameter -MaxEvents 20 is merely to speed up the command because the system log can be huge, and when testing you may be anxious just to get results.

Alternatively, you can use Get-Eventlog cmdlet with its -Newest parameter. This is an old-fashioned, but easier to use cmdlet.

Get-Eventlog -LogName System -Newest 20

Help Further PowerShell Research

#Pure Research – Precede the cmdlet with Help
Help Get-WinEvent

Research Properties with Get-Member (GM)

#Pure Research – Append Get-Member
Get-Eventlog System -Newest 20 | Get-Member

Guy Recommends: SolarWinds’ Log Event Management Tool

LEM will alert you to problems such as when a key application on a particular server is unavailable. It can also detect when services have stopped, or if there is a network latency problem. Perhaps this log and event management tool’s most interesting ability is to take corrective action, for example by restarting services, or isolating the source of a maleware attack.

Yet perhaps the killer reason why people use LEM is for its compliance capability, with a little help from you, it will ensure that your organization complies with industry standards such as CISP or FERPA. LEM is a really smart application that can make correlations between data in different logs, then use its built-in logic to take corrective action, to restart services, or thwart potential security breaches – give LEM a whirl.

Filtering Events within the Event Viewer GUI

Orientation: You are in the Event Viewer, you pre-select the System log. Now, go to the Actions pane to the right and click on ‘Filter Current Log’.

Here is where you put on your thinking hat, and experiment with each setting: my choices were:
Event sources Microsoft Windows System settings
Task category Logon, Logoff.

Typical Microsoft, there are at least 3 ways of employing PowerShell to filter the logs. My favourite, especially for learning is to pipe the output of Get-Eventlog into a where statement.

#Pure Research – PowerShell Where-Object Filtering
Get-Eventlog System -Newest 200 | Where-Object <$_.EventID -eq '50036'>

Note 2: It may be clearer if you bolt on a Format-Table command. This enables you to choose the output columns, for example: | Format-Table EventID, Message -auto

Note 3: Windows Event ID 50036 means the DHCP Client service started (and 50037 means it stopped).

Note 4: The conditional operator -match may be better than -eq. Especially for messages, e.g. Where <$_.Message -match 'DHCP'>

-FilterHashTable with Get-WinEvent

Researching a PowerShell cmdlet with Help is surprisingly instructive, in this instance it shows that Get-WinEvent has a parameter called -FilterHashTable parameter. However Help also reveals that Get-Eventlog does not.

Guy Recommends: WMI Monitor and It’s Free!

Windows Management Instrumentation (WMI) is one of the hidden treasures of Microsoft’s operating systems. Fortunately, SolarWinds have created a Free WMI Monitor so that you can discover these gems of performance information, and thus improve your scripts.

Take the guess work out of which WMI counters to use when scripting the operating system, Active Directory or Exchange Server. Give this WMI monitor a try – it’s free.

Summary of Windows 8 System Event Logs

This page explains how to research the System log entries with both the Windows 8 Event Viewer and PowerShell v 3.0 Our examples showed how to filter events with the Action pane, and also how to use PowerShell’s -FilterHashtable parameter.

Written by admin

Leave a Reply

Your email address will not be published. Required fields are marked *