# Basic functions
| Command | Function | Example |
|---|---|---|
| Get-EventLog | Get event log entries | Get-EventLog -List |
| [-LogName] <string> | Specify the event log (log name) | Get-EventLog System |
| [-ComputerName <string>] | Specify the computer name | Get-EventLog System -ComputerName "localhost" |
| [-Newest <int32>] | Specify the number of newest entries to retrieve | Get-EventLog System -Newest 5 |
| [-After <datetime>] | Retrieve entries generated after the specified date | Get-EventLog System -After 2020/3/1 |
| [-Before <datetime>] | Retrieve entries generated before the specified date | Get-EventLog System -Before 2020/3/1 |
| [-UserName <string>] | Retrieve entries for the specified user | Get-EventLog System -UserName NT* |
| [[-InstanceId] <int64>] | Retrieve entries with the specified instance ID | Get-EventLog System -InstanceId 10016 |
| [-Index <int32>] | Retrieve the entry with the specified index | Get-EventLog System -Index 13820 |
| [-EntryType <string>] | Retrieve entries of the specified entry type | Get-EventLog System -EntryType Error |
| [-Source <string>] | Retrieve entries from the specified source | Get-EventLog System -Source Outlook |
| [-Message <string>] | Retrieve entries whose message matches the specified string | Get-EventLog System -Message *failed* |
| [-AsBaseObject] | Return entries as base objects | Get-EventLog System -AsBaseObject |
| [<CommonParameters>] | Common parameters | Get-EventLog System -Verbose |
# Example 1
Get an overview of the event log types
```
Get-EventLog -List
Max(K) Retain OverflowAction Entries Log
------ ------ -------------- ------- ---
15,168 0 OverwriteAsNeeded 20,792 Application
15,168 0 OverwriteAsNeeded 12,559 System
15,360 0 OverwriteAsNeeded 11,173 Windows PowerShell
```
# Example 2
Get the newest 5 entries of the System log
```
Get-EventLog -LogName System -Newest 5
Index Time EntryType Source InstanceID Message
----- ---- --------- ------ ---------- -------
13820 Jan 17 19:16 Error DCOM 10016 The description for Event...
13819 Jan 17 19:08 Error DCOM 10016 The description for Event...
13818 Jan 17 19:06 Information Service Control... 1073748864 The start type of the Back...
13817 Jan 17 19:05 Error DCOM 10016 The description for Event...
13815 Jan 17 19:03 Information Microsoft-Windows... 35 The time service is now sync...
```
# Example 3
Get the newest 1000 entries of the System log, group them by the Source property, and display the groups sorted by the Count property in descending order
```
$Events = Get-EventLog -LogName System -Newest 1000
$Events | Group-Object -Property Source -NoElement | Sort-Object -Property Count -Descending
Count Name
----- ----
110 DCOM
65 Service Control Manager
51 Microsoft-Windows-Kern...
14 EventLog
14 BTHUSB
13 Win32k
```
# Example 4
Get the entries of the System log whose entry type is Error
```
Get-EventLog -LogName System -EntryType Error
Index Time EntryType Source InstanceID Message
----- ---- --------- ------ ---------- -------
13296 Jan 16 13:53 Error DCOM 10016 The description for Event ID '10016' in Source...
13291 Jan 16 13:51 Error DCOM 10016 The description for Event ID '10016' in Source...
13245 Jan 16 11:45 Error DCOM 10016 The description for Event ID '10016' in Source...
13230 Jan 16 11:07 Error DCOM 10016 The description for Event ID '10016' in Source...
```
# Example 5
Get the entries of the System log whose instance ID is 10016 and whose source is DCOM
```
Get-EventLog -LogName System -InstanceId 10016 -Source DCOM
Index Time EntryType Source InstanceID Message
----- ---- --------- ------ ---------- -------
13245 Jan 16 11:45 Error DCOM 10016 The description for Event ID '10016' in Source...
13230 Jan 16 11:07 Error DCOM 10016 The description for Event ID '10016' in Source...
13219 Jan 16 10:00 Error DCOM 10016 The description for Event ID '10016' in Source...
```
# Example 6
Get the System log entries from the computers Server01, Server02 and Server03
```
Get-EventLog -LogName System -ComputerName Server01, Server02, Server03
```
# Example 7
Get the System log entries whose message matches the wildcard pattern *description*
```
Get-EventLog -LogName System -Message *description*
Index Time EntryType Source InstanceID Message
----- ---- --------- ------ ---------- -------
13821 Jan 17 19:17 Error DCOM 10016 The description for Event ID '10016'...
13820 Jan 17 19:16 Error DCOM 10016 The description for Event ID '10016'...
13819 Jan 17 19:08 Error DCOM 10016 The description for Event ID '10016'...
```
# Example 8
Get the newest System log entry and display all of its properties
```
$A = Get-EventLog -LogName System -Newest 1
$A | Select-Object -Property *
EventID : 10016
MachineName : localhost
Data : {}
Index : 13821
Category : (0)
CategoryNumber : 0
EntryType : Error
Message : The description for Event ID '10016' in Source 'DCOM'...
Source : DCOM
ReplacementStrings : {Local,...}
InstanceId : 10016
TimeGenerated : 1/17/2019 19:17:23
TimeWritten : 1/17/2019 19:17:23
UserName : username
Site :
Container :
```
# Example 9
Get the Application log entries from the source Outlook that satisfy the condition EventID = 63, and display the 4 specified properties
```
Get-EventLog -LogName Application -Source Outlook | Where-Object {$_.EventID -eq 63} |
Select-Object -Property Source, EventID, InstanceId, Message
Source EventID InstanceId Message
------ ------- ---------- -------
Outlook 63 1073741887 The Exchange web service request succeeded.
Outlook 63 1073741887 Outlook detected a change notification.
Outlook 63 1073741887 The Exchange web service request succeeded.
```
# Example 10
Get the System log entries from users matching "NT*", and display the 2 specified properties
```
Get-EventLog -LogName System -UserName NT* | Group-Object -Property UserName -NoElement |
Select-Object -Property Count, Name
Count Name
----- ----
6031 NT AUTHORITY\SYSTEM
42 NT AUTHORITY\LOCAL SERVICE
4 NT AUTHORITY\NETWORK SERVICE
```
# Example 11
Get the System log entries whose entry type is Error and whose generation date lies within the specified range
```
$Begin = Get-Date -Date '1/17/2019 08:00:00'
$End = Get-Date -Date '1/17/2019 17:00:00'
Get-EventLog -LogName System -EntryType Error -After $Begin -Before $End
Index Time EntryType Source InstanceID Message
----- ---- --------- ------ ---------- -------
13821 Jan 17 13:40 Error DCOM 10016 The description for Event ID...
13820 Jan 17 13:11 Error DCOM 10016 The description for Event ID...
...
12372 Jan 17 10:08 Error DCOM 10016 The description for Event ID...
12371 Jan 17 09:04 Error DCOM 10016 The description for Event ID...
```
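The examples above each apply one or two filters by hand. The following function is an added example (it is not part of the original article) that combines the filters from the table into a reusable triage step: it pulls Error and Warning entries for a time window from several computers, groups them by Source and EventID, and reports the most frequent pairs with first/last seen times. Only Get-EventLog and its documented parameters are used; the function name, parameter names and the host names 'localhost' and 'Server01' are my own assumptions. Two behaviours worth knowing: Get-EventLog raises a non-terminating "No matches found" error when the filter matches nothing, and it only reads the classic logs (it exists in Windows PowerShell 5.1 but was removed from PowerShell 7, where Get-WinEvent is the replacement).

```powershell
# Added example, not from the original article. Assumed function/parameter names.
function Get-EventLogSummary {
    [CmdletBinding()]
    param(
        [string]$LogName = 'System',
        [string[]]$ComputerName = @('localhost'),
        [datetime]$After = (Get-Date).AddHours(-24),
        [datetime]$Before = (Get-Date),
        [string[]]$EntryType = @('Error', 'Warning'),
        [int]$Top = 10
    )

    $summary = foreach ($computer in $ComputerName) {
        try {
            # -ErrorAction Stop turns the cmdlet's non-terminating errors
            # (host unreachable, access denied, unknown log) into catchable ones,
            # so one bad host does not abort the whole collection.
            $events = Get-EventLog -LogName $LogName -ComputerName $computer `
                -After $After -Before $Before -EntryType $EntryType -ErrorAction Stop
        }
        catch {
            # An empty result is reported by Get-EventLog as an error, not as no output.
            if ($_.Exception.Message -like '*No matches found*') {
                Write-Verbose "No matching entries on $computer"
            }
            else {
                Write-Warning "Skipping ${computer}: $($_.Exception.Message)"
            }
            continue
        }

        # Group by Source and EventID so a single noisy source (e.g. repeated
        # DCOM 10016 entries) does not hide a rarer event from another source.
        $events |
            Group-Object -Property Source, EventID |
            ForEach-Object {
                $ordered = $_.Group | Sort-Object -Property TimeGenerated
                [pscustomobject]@{
                    ComputerName  = $computer
                    Source        = $ordered[0].Source
                    EventID       = $ordered[0].EventID
                    InstanceId    = $ordered[0].InstanceId
                    Count         = $_.Count
                    FirstSeen     = $ordered[0].TimeGenerated
                    LastSeen      = $ordered[-1].TimeGenerated
                    # First line of the message only; full text stays in the log
                    SampleMessage = ($ordered[0].Message -split "`n")[0]
                }
            }
    }

    $summary | Sort-Object -Property Count -Descending | Select-Object -First $Top
}

# Usage (assumed host names): last 24 hours of Error/Warning entries from two
# hosts, top 10 (Source, EventID) pairs by count.
Get-EventLogSummary -LogName System -ComputerName 'localhost', 'Server01' |
    Format-Table -AutoSize
```

The output includes both InstanceId and EventID because the two differ in the article's own output (Example 9 shows InstanceId 1073741887 next to EventID 63): EventID is the low 16 bits of InstanceId, and 1073741887 is 0x4000003F, whose low 16 bits are 63. Filter with -InstanceId when you want to reuse the cmdlet's server-side filtering, and with Where-Object on EventID when you only know the short number.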
##### Reference
[Microsoft online help: Get-EventLog](https://docs.microsoft.com/zh-cn/powershell/module/Microsoft.PowerShell.Management/Get-EventLog?view=powershell-5.1&viewFallbackFrom=powershell-7.x)
Read more articles by 大連陳光宇