404 Tech Support

Read the Event Logs on Windows Server Core

So, you installed Windows Server Core without the Desktop Experience. Everything has been going fine with Server 2016 without the GUI until suddenly you start encountering an error. Now, how do you read the Event Log for more troubleshooting information? Event Viewer, where are you?

If you have a Windows desktop computer nearby and remote management enabled on the server, you can connect remotely through Computer Management and read the event logs like you are used to doing. Alternatively, when it comes to Server Core, it’s up to PowerShell.

After logging into the server, you arrive at the command prompt. Enter ‘PowerShell.exe’ to change the command prompt to PowerShell.

To see the event logs available, enter this command:

get-eventlog -list

This will show you the event logs available such as Application, HardwareEvents, Internet Explorer, Security, System, and others depending on the roles and software you have installed. This command will also show you the event log policies for maximum size, retention, overwrite action, and the number of entries.

To open a particular event log, use the command:

get-eventlog [log name]

Replace [log name] with the name of the log you are interested in viewing. For example:

get-eventlog Application

This lists the entries in table format in the default order (most recent events at the top).

Since a log can contain a lot of entries, you can use -after to limit the results to entries from the last few hours.

get-eventlog Application -after (get-date).addhours(-1)

You can also filter the list to just show a particular type of entry such as errors or warnings.

get-eventlog System -after (get-date).addhours(-1) | where Entrytype -eq Error

This would get entries from the System log that occurred within the last hour and were logged as errors.

Now that you have browsed the logs, you might have found a particular entry whose full details you want to see. Use this command with the number from the index column in the logs:

get-eventlog System | where index -eq 93 | format-list *

This allows you to see all of the details of the entry without them being truncated.

Since this is PowerShell, you can use all of the tricks you are familiar with to optimize your use of the event log such as sorting, filtering, or exporting to a file. It’s a pretty simple process and should be faster than the MMC snap-in for Event Viewer.
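As an added example (not from the original post) of the sorting, filtering, and exporting mentioned above, this script summarizes the errors and warnings from the System and Application logs by source and event ID, then writes the summary to a CSV file. The 24-hour window, the output file name, and the variable names are assumptions chosen for illustration.

```powershell
# Added example: triage summary of recent errors and warnings on Server Core.
# Assumptions: 24-hour window, System + Application logs, CSV written to %TEMP%.
$since   = (Get-Date).AddHours(-24)
$logs    = 'System', 'Application'
$outFile = Join-Path $env:TEMP 'eventlog-summary.csv'   # hypothetical file name

$entries = @(foreach ($log in $logs) {
    # -EntryType and -After filter inside the cmdlet instead of in the pipeline.
    # Get-EventLog reports "No matches found" as an error when nothing matches,
    # so that error is suppressed and the loop moves on to the next log.
    Get-EventLog -LogName $log -EntryType Error, Warning -After $since -ErrorAction SilentlyContinue |
        Select-Object @{n = 'Log'; e = { $log }}, Index, TimeGenerated, EntryType, Source, EventID, Message
})

if ($entries.Count -eq 0) {
    Write-Output "No errors or warnings since $since."
}
else {
    # One row per Log/Source/EventID combination, most frequent first.
    $summary = $entries |
        Group-Object Log, Source, EventID |
        Sort-Object Count -Descending |
        ForEach-Object {
            $latest = $_.Group | Sort-Object TimeGenerated -Descending | Select-Object -First 1
            [pscustomobject]@{
                Count     = $_.Count
                Log       = $latest.Log
                Source    = $latest.Source
                EventID   = $latest.EventID
                EntryType = $latest.EntryType
                LastSeen  = $latest.TimeGenerated
                LastIndex = $latest.Index                       # usable with: where index -eq <n>
                Message   = ($latest.Message -split "`r?`n")[0] # first line only
            }
        }

    # Compact view for the console, full rows for later review on another machine.
    $summary | Format-Table Count, Log, Source, EventID, LastSeen, LastIndex -AutoSize
    $summary | Export-Csv -Path $outFile -NoTypeInformation
    Write-Output "Summary written to $outFile"
}
```

The LastIndex column gives the index number of the most recent occurrence in each group, which can be used with the format-list command shown earlier to read that entry in full.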