Log Management on Microsoft Windows
Introduction
Microsoft Windows provides the Event Log facility for structured logging, and the Event Viewer companion program to view the logs. I have written a few tools to help work with these, and some tips besides.
Log Rotation
Whenever you're dealing with log management, you often end up wanting to do log rotation: the existing logs are archived somewhere out of the way, and the active logs are cleared. I provide scripts to handle that, for both Event Viewer logs and ordinary text file logs.
Rotate Windows Event Logs with PowerShell or CMD Batch
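As an added illustration of the archive-then-clear step (this is not the rotation script linked above), the following PowerShell rotates a list of Event Logs with wevtutil. The log names and the archive folder are placeholders; wevtutil's "/bu:" option writes the backup as part of the clear, so no records can arrive between the export and the clear. A SHA-256 of each archive is recorded so the files can be checked later.

```powershell
# Added example, not the page's own rotation script. Requires administrative
# rights for most logs (Security in particular).
param(
    [string[]] $LogNames    = @('Application', 'System'),   # placeholders
    [string]   $ArchiveRoot = 'C:\LogArchive'               # placeholder
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
New-Item -ItemType Directory -Path $ArchiveRoot -Force | Out-Null
$manifest = Join-Path $ArchiveRoot "manifest-$stamp.txt"

foreach ($log in $LogNames) {
    # Channel names may contain '/', e.g. Microsoft-Windows-Sysmon/Operational.
    $safeName = $log -replace '[\\/]', '-'
    $target   = Join-Path $ArchiveRoot "$safeName-$stamp.evtx"

    # 'wevtutil cl' clears the log; '/bu:' saves a backup first, in one operation.
    # wevtutil refuses to overwrite an existing backup, hence the timestamped name.
    & wevtutil.exe cl $log "/bu:$target"
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Rotation of '$log' failed (exit code $LASTEXITCODE); log left unchanged."
        continue
    }

    # Record the archive's hash so tampering with the .evtx can be detected later.
    $hash = (Get-FileHash -Path $target -Algorithm SHA256).Hash
    "$hash  $target" | Add-Content -Path $manifest
    Write-Host "Archived $log to $target and cleared it."
}
```

Run it from an elevated prompt; if any log fails to rotate, it is left intact and the next log is attempted.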
Finding Events Around A Given Time
In systems engineering, one will sometimes get a report or indication that some problem occurred at a specific time. One would then like to know what else was happening around that time. I wrote a script to achieve that. You give it a time and/or date, and it returns Event records temporally proximate to that point in time.
Get-WinEventAround: Finding Windows Log Events Around A Given Time
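The following is an added example of the same idea, written here and not the Get-WinEventAround script itself: it uses Get-WinEvent's -FilterHashtable with StartTime and EndTime so that only records inside the window are read from the log files, and it reports each event's offset from the reference time. The function name, the default logs and the window size are the example's own choices.

```powershell
# Added example, not the page's script. Returns events from $LogName within
# +/- $WindowMinutes of $When, oldest first, with the offset from $When.
function Get-EventsNear {
    param(
        [Parameter(Mandatory)] [datetime] $When,
        [int]      $WindowMinutes = 5,
        [string[]] $LogName       = @('System', 'Application')
    )
    $start = $When.AddMinutes(-$WindowMinutes)
    $end   = $When.AddMinutes($WindowMinutes)

    # The hashtable becomes a server-side (XPath) filter, so the whole log is not
    # pulled into PowerShell. Get-WinEvent raises an error when nothing matches;
    # that case is an empty result here, not a failure.
    Get-WinEvent -FilterHashtable @{
        LogName   = $LogName
        StartTime = $start
        EndTime   = $end
    } -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Offset      = ($_.TimeCreated - $When).ToString()
                LogName     = $_.LogName
                Provider    = $_.ProviderName
                Id          = $_.Id
                Level       = $_.LevelDisplayName
                # First line of the message only, to keep the table readable.
                Message     = ($_.Message -split "`r?`n")[0]
            }
        }
}

# Usage: everything within five minutes of a reported failure time (placeholder time).
Get-EventsNear -When '2024-01-15 03:12:00' -WindowMinutes 5 | Format-Table -AutoSize
```

Widen the window or add more channels (for example the Security log, which needs elevation) when the first pass comes back empty.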
Log View Import
If you have developed a lot of Custom Views for Event Viewer, you may want to import them into another computer. If you only have one, that's easy. If you have a bunch, the process can be a bit painful. Here's a script to automate it.
Download: log_view_import.CMD
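As an added PowerShell example (separate from log_view_import.CMD, and not that script's logic), the snippet below copies exported Custom View XML files into Event Viewer's view store. It assumes Event Viewer keeps Custom Views as XML files under %ProgramData%\Microsoft\Event Viewer\Views, checks that each file is a well-formed ViewerConfig document before copying it in, and skips views whose content is already present so it can be re-run safely. The source folder parameter is a placeholder.

```powershell
# Added example, not the page's CMD script. Writing to the view store needs
# administrative rights. Event Viewer must be restarted to pick up new views.
param(
    [Parameter(Mandatory)] [string] $SourceFolder   # folder of *.xml views exported elsewhere
)

# Assumption: this is where Event Viewer stores Custom Views (verified before use).
$viewStore = Join-Path $env:ProgramData 'Microsoft\Event Viewer\Views'
if (-not (Test-Path $viewStore)) { throw "View store not found at $viewStore" }

# SHA-256 of each view already installed, so re-running does not create duplicates.
$existing = @{}
Get-ChildItem -Path $viewStore -Filter '*.xml' | ForEach-Object {
    $existing[(Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash] = $_.Name
}

$imported = 0
foreach ($file in Get-ChildItem -Path $SourceFolder -Filter '*.xml') {
    # Event Viewer will parse whatever lands in this folder, so only accept
    # documents that are well-formed XML with the expected root element.
    try   { [xml] $doc = Get-Content -Path $file.FullName -Raw }
    catch { Write-Warning "Skipping $($file.Name): not well-formed XML"; continue }
    if ($doc.DocumentElement.Name -ne 'ViewerConfig') {
        Write-Warning "Skipping $($file.Name): not a Custom View document"
        continue
    }

    $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
    if ($existing.ContainsKey($hash)) {
        Write-Verbose "Already present as $($existing[$hash]): $($file.Name)"
        continue
    }

    # Never overwrite a same-named view that has different content.
    $dest = Join-Path $viewStore $file.Name
    if (Test-Path $dest) {
        $suffix = [guid]::NewGuid().ToString('N').Substring(0, 8)
        $dest   = Join-Path $viewStore ('{0}_{1}.xml' -f $file.BaseName, $suffix)
    }
    Copy-Item -Path $file.FullName -Destination $dest
    $existing[$hash] = (Split-Path -Leaf $dest)
    $imported++
}
"Imported $imported view(s) into $viewStore; restart Event Viewer to see them."
```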
Missing Event Descriptions
To fix errors like "The description for Event ID (42) in Source (foo) could not be found", you may need to manually register the message catalog.
Manually Registering a Log Source for Windows Event Viewer
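As an added example (written here, not the procedure from the linked page), the following registers a message resource file for an event source and then verifies the registration. It assumes the source is "foo" in the Application log and that the message DLL path is a placeholder to be replaced; New-EventLog is a Windows PowerShell cmdlet and is not present in PowerShell 7.

```powershell
# Added example, not the page's own procedure. Run elevated.
$LogName    = 'Application'
$Source     = 'foo'                                      # source from the error text
$MessageDll = 'C:\Program Files\Foo\FooMessages.dll'     # placeholder path

if (-not (Test-Path $MessageDll)) { throw "Message file not found: $MessageDll" }

# Event Viewer resolves descriptions through the EventMessageFile value under
# the source's key in the EventLog service registry tree.
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName\$Source"

if (-not (Test-Path $key)) {
    # Source not registered at all: New-EventLog creates it and sets the message file.
    New-EventLog -LogName $LogName -Source $Source -MessageResourceFile $MessageDll
} else {
    # Source exists but points at no (or a missing) message file, which is the
    # usual cause of the "description ... could not be found" text. Fix in place.
    Set-ItemProperty -Path $key -Name 'EventMessageFile' -Value $MessageDll -Type ExpandString
}

# Verify: the registry value, then whether recent events from the source now
# render a Message (it is empty when the catalog cannot be resolved).
Get-ItemProperty -Path $key | Select-Object EventMessageFile, TypesSupported
Get-WinEvent -FilterHashtable @{ LogName = $LogName; ProviderName = $Source } `
    -MaxEvents 3 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Only register DLLs you trust and that are protected from modification by ordinary users: the message file is loaded by whatever process renders the event, so a writable path here is a privilege escalation risk, not just a cosmetic one.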
Finding Non-Empty Logs with PowerShell
To get a collection of Event Log objects that are not empty (i.e., have log messages in them):
Get-WinEvent -Force -ListLog * | where RecordCount -gt 0
Or, on ancient versions of PowerShell without the simplified Where-Object syntax:
Get-WinEvent -Force -ListLog * | where { $_.RecordCount -gt 0 }