Powershell - Tail Windows Event Log? Is it possible?
How can i use powershell to tail a specific windows event log? Is it possible?

Tammeratammi answered 7/3, 2013 at 2:52 Comment(1)
Tail? As in monitor for? Or get the tail of a specific event? Eindhoven

I've done this on occasion:

$idx = (Get-EventLog -LogName System -Newest 1).Index   # Index of the newest record right now

while ($true)
{
  Start-Sleep -Seconds 1
  $idx2 = (Get-EventLog -LogName System -Newest 1).Index
  if ($idx2 -gt $idx) {
    # Fetch only the records written since the last poll, oldest first
    Get-EventLog -LogName System -Newest ($idx2 - $idx) | Sort-Object Index
  }
  $idx = $idx2
}
Emphasis answered 7/3, 2013 at 3:8 Comment(1)
Sorry, first script I posted wasn't right. You can test that by starting it, and then restarting the w32time service a few times to see the result. Emphasis

Per MSDN docs:

Get-WinEvent is designed to replace the Get-EventLog cmdlet on computers running Windows Vista and later versions of Windows. Get-EventLog gets events only in classic event logs. Get-EventLog is retained in Windows PowerShell for backward compatibility.

And spurred on by my own need to tail a non-classic event log (would that be an event log nouveau perchance?) here is the wonderfully concise code of @mjolinor repurposed to use Get-WinEvent:

Set-PSDebug -Strict
# Note: $LogName is passed to -ProviderName, so it is really a provider name
function Get-WinEventTail($LogName, $ShowExisting=10) {
    $idx = 0
    if ($ShowExisting -gt 0) {
        # Get-WinEvent returns newest first, so $data[0] is the most recent record
        $data = Get-WinEvent -ProviderName $LogName -MaxEvents $ShowExisting -ErrorAction SilentlyContinue
        if ($data) {
            $data | Sort-Object RecordId
            $idx = $data[0].RecordId
        }
    }
    else {
        $last = (Get-WinEvent -ProviderName $LogName -MaxEvents 1 -ErrorAction SilentlyContinue).RecordId
        if ($last) { $idx = $last }
    }

    while ($true)
    {
        Start-Sleep -Seconds 1
        $idx2 = (Get-WinEvent -ProviderName $LogName -MaxEvents 1 -ErrorAction SilentlyContinue).RecordId
        if ($idx2 -gt $idx) {
            # RecordId counts every record in the log, not only this provider's, so the
            # count can reach back past $idx; drop anything already shown
            Get-WinEvent -ProviderName $LogName -MaxEvents ($idx2 - $idx) -ErrorAction SilentlyContinue |
                Where-Object { $_.RecordId -gt $idx } | Sort-Object RecordId
            $idx = $idx2
        }

        # Any key to terminate; does NOT work in PowerShell ISE!
        if ($Host.UI.RawUI.KeyAvailable) { return; }
    }
}

I added in a few bells and whistles for convenience:

  • By default it shows the last 10 lines of the log initially, then concatenates new entries as they occur; you can adjust that to any number via the ShowExisting parameter.
  • It sorts records with oldest first (contrary to Get-WinEvent's default) due to the natural order that tail requires.
  • You can press any key to terminate (but not in PowerShell ISE).
Twain answered 3/5, 2013 at 17:11 Comment(0)

First, thank you Michael!

Slight refinement for my use case that includes showing the entire multi-line message value.

function Get-WinEventTail($Provider="JobRequestQueueConsumerBackgroundService", $ShowExisting=10) {
    # Timestamp plus the full message; -Wrap below keeps multi-line messages intact
    $formatProperty = @{ expression={$_.TimeCreated}; label="TimeCreated"},
                      @{ expression={$_.Message}; label="Message"; width=100}
    $idx = 0
    if ($ShowExisting -gt 0) {
        $data = Get-WinEvent -ProviderName $Provider -MaxEvents $ShowExisting -ErrorAction SilentlyContinue
        if ($data) {
            $data | Sort-Object RecordId | Format-Table -Property $formatProperty -Wrap
            $idx = $data[0].RecordId    # newest record; Get-WinEvent returns newest first
        }
    }
    else {
        $last = (Get-WinEvent -ProviderName $Provider -MaxEvents 1 -ErrorAction SilentlyContinue).RecordId
        if ($last) { $idx = $last }
    }

    while ($true)
    {
        Start-Sleep -Seconds 1
        $idx2 = (Get-WinEvent -ProviderName $Provider -MaxEvents 1 -ErrorAction SilentlyContinue).RecordId
        if ($idx2 -gt $idx) {
            # RecordId counts every record in the log, not just this provider's,
            # so drop anything at or below the last RecordId already shown
            Get-WinEvent -ProviderName $Provider -MaxEvents ($idx2 - $idx) -ErrorAction SilentlyContinue |
                Where-Object { $_.RecordId -gt $idx } | Sort-Object RecordId |
                Format-Table -Property $formatProperty -Wrap
            $idx = $idx2
        }

        # Any key to terminate; does NOT work in PowerShell ISE!
        if ($Host.UI.RawUI.KeyAvailable) { return; }
    }
}

Get-WinEventTail

The -Wrap option was necessary to show a multi-line message, otherwise ellipsis would truncate the message at the end of the first line. Setting the column width did NOT help.

Sandy answered 30/9, 2020 at 17:27 Comment(0)
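A push-based alternative to the polling loops in the answers above, added here as an example and not part of any answer: it uses the .NET EventLogWatcher that Get-WinEvent itself is built on, so the Event Log service delivers each matching record as it is written and no RecordId or count arithmetic is needed. It assumes Windows PowerShell 5.1 on Windows and read access to the chosen log (the Security log needs an elevated session or Event Log Readers membership); the log name, the XPath and event ID 4625 (failed logon) are sample choices, not values from the thread.

```powershell
using namespace System.Diagnostics.Eventing.Reader
# Assumed: Windows PowerShell 5.1 on Windows and read access to the chosen log
Add-Type -AssemblyName System.Core   # home of the Eventing.Reader types

function Start-WinEventTail {
    param(
        [string]$LogName = 'Security',                  # sample choice
        [string]$XPath   = '*[System[EventID=4625]]',   # sample: failed logons
        [int]$ShowExisting = 10
    )
    $fmt = '{0:u} {1,6} {2}'   # time, event id, first line of the message

    # Seed with the newest matching records, oldest at the top as tail does
    Get-WinEvent -LogName $LogName -FilterXPath $XPath -MaxEvents $ShowExisting -ErrorAction SilentlyContinue |
        Sort-Object RecordId |
        ForEach-Object { Write-Host ($fmt -f $_.TimeCreated, $_.Id, ($_.Message -split "`r?`n")[0]) }

    # The service evaluates the XPath and raises EventRecordWritten for every match,
    # so bursts are not missed and no RecordId or count arithmetic is involved
    $query   = [EventLogQuery]::new($LogName, [PathType]::LogName, $XPath)
    $watcher = [EventLogWatcher]::new($query)
    Unregister-Event -SourceIdentifier WinEventTail -ErrorAction SilentlyContinue
    Register-ObjectEvent -InputObject $watcher -EventName EventRecordWritten `
        -SourceIdentifier WinEventTail -MessageData $fmt -Action {
            $rec = $Event.SourceEventArgs.EventRecord
            if ($rec) {   # null when the watcher reports an error instead of a record
                $msg = ($rec.FormatDescription() -split "`r?`n")[0]
                Write-Host ($Event.MessageData -f $rec.TimeCreated, $rec.Id, $msg)
            }
        } | Out-Null
    $watcher.Enabled = $true
    try {
        # -Action blocks run only while this pipeline is idle, so idle here;
        # any key stops the tail (KeyAvailable is not implemented in the ISE)
        while (-not $Host.UI.RawUI.KeyAvailable) { Wait-Event -Timeout 1 | Out-Null }
    }
    finally {
        $watcher.Enabled = $false
        Unregister-Event -SourceIdentifier WinEventTail
        $watcher.Dispose()
    }
}

Start-WinEventTail
```

Because the watcher receives every matching record from the service itself, a burst of events or writes from other providers cannot make a count-based fetch skip or repeat entries. Run it in the console host rather than the ISE.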
