Let’s say one of the production servers was rebooted unexpectedly and you would like to find out who rebooted it and when. In PowerShell, you can query the event log with the one-liner shown below; there is no need to write a multi-line script and run it. Here is how you do it.
Get-EventLog -Log System -Newest 100 | Where-Object {$_.EventID -eq '1074'} | FT MachineName, UserName, TimeGenerated -AutoSize
The above command checks the newest 100 entries in the System event log for Event ID 1074 and prints the machine name, username, and the time the event was generated. If you would like to save the output to a CSV file, use the Export-CSV cmdlet as shown in the command below. Format-Table (FT) emits display-formatting objects rather than the event data, so the properties are picked with Select-Object before exporting:
Get-EventLog -Log System -Newest 100 | Where-Object {$_.EventID -eq '1074'} | Select-Object MachineName, UserName, TimeGenerated | Export-CSV C:\Temp\AllEvents.CSV -NoTypeInfo
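The same lookup as an added example (not from the original article), going one step further: it uses Get-WinEvent, which also works in PowerShell 7 where Get-EventLog is unavailable, filters on Event ID 1074 in the log query instead of scanning only the newest 100 entries, and extracts the initiating process, shutdown type and reason. The function name `Get-RebootEvent`, the 30-day default window, the output path `C:\Temp\RebootEvents.csv` and the property order of the 1074 record are assumptions.

```powershell
# Added example: report who or what initiated each restart/shutdown (Event ID 1074).
function Get-RebootEvent {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$After = (Get-Date).AddDays(-30)   # hypothetical default look-back
    )

    # Let the event log service do the filtering, so a busy System log
    # cannot push the 1074 record outside a fixed "newest N" window.
    $filter = @{ LogName = 'System'; Id = 1074; StartTime = $After }

    try {
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
    }
    catch {
        # "No events found" is an empty result; anything else (access denied,
        # host unreachable) must surface instead of looking like a clean log.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        throw
    }

    foreach ($e in $events) {
        # Assumption: insertion-string order of the User32 1074 message:
        # 0 process, 1 computer, 2 reason, 3 reason code, 4 shutdown type, 5 comment, 6 user.
        $p = $e.Properties
        [pscustomobject]@{
            MachineName   = $e.MachineName
            TimeGenerated = $e.TimeCreated
            UserName      = $p[6].Value
            Process       = $p[0].Value
            ShutdownType  = $p[4].Value
            Reason        = $p[2].Value
            Comment       = $p[5].Value
        }
    }
}

# Display on screen, then export the objects themselves (not Format-Table output).
Get-RebootEvent | Format-Table MachineName, UserName, TimeGenerated, Process, ShutdownType -AutoSize
Get-RebootEvent | Export-Csv -Path C:\Temp\RebootEvents.csv -NoTypeInformation
```

An empty result means no user- or process-initiated restart was recorded in the window.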