Log Management on Microsoft Windows

Introduction

Microsoft Windows provides the Event Log facility for structured logging, and the Event Viewer companion program to view the logs. I have written a few tools to help work with these, and some tips besides.

Log Rotation

Whenever you're dealing with log management, you often end up wanting to do log rotation: the existing logs are archived somewhere out of the way, and the active logs are cleared. I provide scripts to handle that, for both Event Viewer logs and ordinary text file logs.

Rotate Windows Event Logs with PowerShell or CMD Batch

Finding Events Around A Given Time

In systems engineering, one will sometimes get a report or indication that some problem occurred at a specific time. One would then like to know what else was happening around that time. I wrote a script to achieve that. You give it a time and/or date, and it returns Event records temporally proximate to that point in time.

Get-WinEventAround: Finding Windows Log Events Around A Given Time

Log View Import

If you have developed a lot of Custom Views for Event Viewer, you may want to import them into another computer. If you only have one, that's easy. If you have a bunch, the process can be a bit painful. Here's a script to automate it.

Download: log_view_import.CMD

Missing Event Descriptions

To fix errors like "The description for Event ID (42) in Source (foo) could not be found", you may need to manually register the message catalog.

Manually Registering a Log Source for Windows Event Viewer

Finding Non-Empty Logs with PowerShell

To get a collection of Event Log objects that are not empty (i.e., have log messages in them):

Get-WinEvent -Force -ListLog *  | where RecordCount -gt 0

Or, on ancient versions of PowerShell without the modern where syntax:

Get-WinEvent -Force -ListLog *  | where { $_.RecordCount -gt 0 }
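As an added example (not the Get-WinEventAround script linked above, and not part of the original page), the following function combines the two ideas on this page: it takes a point in time and a window in minutes, queries either a fixed set of logs or every non-empty log, and uses a FilterHashtable so the time filtering happens inside the Event Log service rather than in the pipeline. The function name, parameters and the sample timestamp are my own choices.

```powershell
# Added example, not the page's own script. Returns events within
# +/- $Minutes of $At from the named logs, or from every non-empty log.
function Get-EventsAroundTime {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][datetime]$At,
        [int]$Minutes = 5,
        [string[]]$LogName = @('System', 'Application', 'Security'),
        [switch]$AllLogs
    )

    if ($AllLogs) {
        # Same trick as the one-liner above: skip logs with zero records.
        $LogName = (Get-WinEvent -Force -ListLog * -ErrorAction SilentlyContinue |
            Where-Object { $_.RecordCount -gt 0 }).LogName
    }

    $start = $At.AddMinutes(-$Minutes)
    $end   = $At.AddMinutes($Minutes)

    # Message is $null when the provider's message catalog is not registered
    # (the "Missing Event Descriptions" case above); show its first line or a marker.
    $firstLine = @{
        Name       = 'Message'
        Expression = { if ($_.Message) { ($_.Message -split "`r?`n")[0] } else { '<no description>' } }
    }

    $LogName | ForEach-Object {
        # FilterHashtable pushes the time window into the Event Log service, which is
        # far cheaper than reading every record and filtering in the pipeline.
        # "No events were found" is a non-terminating error, so it is silenced, as are
        # logs the caller is not allowed to read (e.g. Security without elevation).
        Get-WinEvent -FilterHashtable @{ LogName = $_; StartTime = $start; EndTime = $end } -ErrorAction SilentlyContinue
    } |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, LogName, Id, ProviderName, LevelDisplayName, $firstLine
}

# Usage with a constructed timestamp: everything within 10 minutes of a reported fault
Get-EventsAroundTime -At (Get-Date '2024-05-01 14:32:00') -Minutes 10 -AllLogs |
    Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell session if you want the Security log included; otherwise that log is silently skipped.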