NEW Oneliner to Tail the Windows Eventlog


Other posts in this Mission Impossible Code series:


Since switching focus to the cloud I am doing more and more pure CLI admin of Windows. One of the pains of windows admin from a console is accessing the windows eventlog. Since they are not simple text files like Linux, special PowerShell CMDLets must be used to retrieve them.

Due to the frequency of needing to do it, one of the biggest challenges is tailing an eventlog while waiting for results.

When following a text log, I simply use Get-Content logfilename -wait to emulate the Linux command tail -f logfilename

So I went in search of what I thought would be a quick find, but all my finds were all way to long and involved - so I made a new oneliner that follows the principles of Mission Impossible Coding.

Managing Windows using only the PowerShell Console affects a growing list of Windows deployment scenarios: * Server Core - no GUI available. * Windows Containers - no GUI available. * Using a Cloud Shell like AWS SSM Session Manager, Azure Cloud Shell or Google Cloud Shell. * PowerShell Remoting. * VS Code Remote Development.

In all of these situations, tailing various Windows Eventlogs is an essential capability for development debugging and operations troubleshooting.

Most of the existing approaches use message indexes - which have to be retrieved by calling an API - and then tracks the last retrieved index. This means no oneliners - lots of multiline functions and full blown CMDLets.

I realized that for my purposes really old log lines were not of interest - even if they were the last 5 to be received - it was more about the most recent ones within a timeframe I was interested in.

So I noodled whether I could use time, rather than the message index of the specific log.

It turns out that you can use time - and rather than looking back a specific number of index entries when first loading, I look back a certain number of minutes.

This vastly condense the code to the point of being reasonable oneliner.

Why do I care about a oneliner? I had been testing the termination lifecycle hook The Ultimate AWS ASG Lab Kit - and each time I perform a test it is on an ephemeral instance that just booted and I actually issue a termination command to see the code working. So any amount of fussing installing modules or using vast tracts of code for simple functions is painful.

I’m going to assume that many of you working on CLI only Windows (whether through a remote or cloud shell or whether using containers) can also appreciate the power of a oneliner in these situations.

The code is below, but a quick walk through is:

  1. Define it as a function since it is few extra characters and I can use it again (though I have provided a listing without the function below).
  2. By default, look 5 minutes into the past (set $lastdate).
  3. Setup a loop that goes until it gets a CTRL-C
  4. Set $newtime (can’t dynamically use Get-Time or we risk losing events during the loop)
  5. List the events between the times.
  6. Set $lasttime=$newtime
  7. Loop again.

Enjoy!

The below command emulate this command on Linux:

tail -f /var/log/messages

PowerShell Oneliner with Function (Can set which log and how many minutes to look back in initial output and computername):

Function Tail ($logspec="Application",$pastmins=5,$computer=$env:computername) {$lastdate=$(Get-date).addminutes(-$pastmins);while ($True) {$newdate=get-date;get-winevent $logspec -ComputerName $computer -ea 0 | ? {$_.TimeCreated -ge $lastdate -AND $_.TimeCreated -le $newdate} | Sort-Object TimeCreated;$lastdate=$newdate;start-sleep -milliseconds 330}}; Tail

Smaller PowerShell Oneliner hard coded for 1) the Application log, 2) 5 minute lookback and 3) local computer only. (at 243 characters, it is 116 characters (30%) shorter than the 360 character oneliner above):

$lastdate=$(Get-date).addminutes(-5);while ($True) {$newdate=get-date;get-winevent Application -ea 0 | ? {$_.TimeCreated -ge $lastdate -AND $_.TimeCreated -le $newdate}| Sort-Object TimeCreated;$lastdate=$newdate;start-sleep -milliseconds 330}

P.S. This post has been included in the Mission Impossible Code series because:

  • The solution is very concise.
  • The use of dates versus eventlog index seems to be a new approach (that enabled much shorter code than using index).
  • It is pragmatic and efficient to the need at hand.
  • As a oneliner it is easy to bring to ephemeral test machines.
  • It has enough features to be used as a complete solution for log tailing.
  • It supports remote computers.
Share Comments
comments powered by Disqus