Query/Get/Search the event log of all servers in a farm for a reboot or any specific event ID

Have you ever wanted to pull a list of various event IDs and output them to a file?

Have you ever wanted to know about resource exhaustion events, Event ID 2004?

Have you wanted to know when your server was restarted? For example, Event ID 6005 is logged when the event log service starts, which happens when the server starts.

The PowerShell to find this is a one-liner, as follows:

Get-EventLog -LogName "System" | where-object {$_.EventID -eq 6005} | select MachineName, TimeGenerated, Source, Message

If you wanted to find this out about all your SharePoint Servers in your farm, you could run these lines:

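# Get-SPServer comes from the SharePoint PowerShell snap-in (SharePoint Management Shell)
$spservers=Get-SPServer | where{$_.Role -ne "Invalid"}
foreach($spserver in $spservers)
 {
 # Server name, also usable to build a per-server output file name
 $filename=$spserver.name
 # -ComputerName queries that server's System log instead of the local one
 Get-EventLog -LogName "System" -ComputerName $spserver.name | where-object {$_.EventID -eq 6005} | select MachineName, TimeGenerated, Source, Message
 }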

Here’s a nice Microsoft Developer Network article that lists a few Event IDs and gives a rough idea of what they mean: https://msdn.microsoft.com/en-us/library/windows/desktop/aa368560(v=vs.85).aspx

 

Here’s another list that is a bit more inclusive: https://technet.microsoft.com/en-us/library/dd639409.aspx. But, as you can see by navigating to the Event ID page for Event ID 10016, that list is not all-inclusive.

To output this to a file, you would just need to append | out-file "c:\path to file\filename.txt" to the one-liner (quote the path if it contains spaces).

e.g.

Get-EventLog -LogName "System" | where-object {$_.EventID -eq 6005} | select MachineName, TimeGenerated, Source, Message | out-file c:\LoggingDirectory\Event6005.txt
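
An added example (not code from the original post) that combines the farm-wide loop and the file output above: it uses Get-WinEvent with -FilterHashtable so the event log service does the filtering, tells "no matching events" apart from "server could not be queried", and writes one CSV. The function name Get-EventsFromServers, the 30-day window and the file name FarmEvents.csv are assumptions made for this example.

```powershell
# Added example: Get-EventsFromServers is a hypothetical helper, not a built-in cmdlet.
function Get-EventsFromServers {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [int[]]    $EventId = @(6005, 2004),            # the two IDs discussed in the post
        [string]   $LogName = 'System',
        [datetime] $After   = (Get-Date).AddDays(-30)   # assumed look-back window
    )
    foreach ($computer in $ComputerName) {
        try {
            # The hashtable is turned into a query the event log service evaluates,
            # so the whole log is not pulled back and piped through Where-Object.
            Get-WinEvent -ComputerName $computer -ErrorAction Stop -FilterHashtable @{
                LogName   = $LogName
                Id        = $EventId
                StartTime = $After
            } | Select-Object MachineName, TimeCreated, Id, ProviderName, Message
        }
        catch {
            # Get-WinEvent raises an error when nothing matches; that is a valid
            # "no events" result, not a failed query.
            if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { continue }

            # Unreachable host, firewall, or access denied: emit a marker row so a
            # server missing from the results is visible in the report.
            [pscustomobject]@{
                MachineName  = $computer
                TimeCreated  = $null
                Id           = $null
                ProviderName = 'QueryFailed'
                Message      = $_.Exception.Message
            }
        }
    }
}

# Same server selection as the loop in the post (needs the SharePoint snap-in).
$servers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' } |
    ForEach-Object { $_.Name }

# C:\LoggingDirectory is the folder used in the post; the file name is an assumption.
Get-EventsFromServers -ComputerName $servers |
    Sort-Object MachineName, TimeCreated |
    Export-Csv -Path 'C:\LoggingDirectory\FarmEvents.csv' -NoTypeInformation
```

Rows with ProviderName set to QueryFailed mark servers whose logs were not read, so they are not mistaken for servers with no restarts.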

Remember to always have fun troubleshooting; sometimes it can be an Easter egg hunt.