
Level Verified

Windows Event Log Monitor Script

Created by

Level

Type

Script

Category

General

Platforms
Windows, Apple iOS, Linux

Problem Overview

Monitoring Windows event logs can be daunting, especially when you need to isolate specific error or warning occurrences. Missed events can quickly escalate into unresolved issues, leading to service disruptions, user complaints, or system crashes. This script pinpoints crucial log entries automatically, helping IT professionals identify and respond to problems before they spread.

Description

This script filters the specified Windows event log—whether Application, Security, or System—for event IDs, severity levels, and provider names you define. It also allows you to focus only on events within a designated timeframe, ensuring timely and relevant alerts. If matching entries are found, the script triggers an alert exit code (1), facilitating an automated response or investigation through Level’s integrated monitoring and alerting features.

Script

<#
This resource is provided as a convenience for Level users. We cannot
guarantee it will work in all environments. Please test before deploying
to your production environment. We welcome contributions to our community
library

Level Library
https://level.io/library/script-windows-event-log-monitor
#>


#Choose which event log to monitor: application, security, or system
$LogName = "application"

#Choose which event ID to monitor.
$ID = 1000

#Choose the severity level of the event. (Critical 1, Error 2, Warning 3,
#Informational 4) Can be a comma-separated list (don't use quotes)
$EventSeverity = 2

#Choose the provider name (source) of the event.
$ProviderName = "Application Error"

#Choose the timeframe (in minutes) in which to search. Search the logs filtered
#to the past X minutes. This should be synced up with the monitor run
#frequency. If the frequency will be set to checking every 5 minutes, then the
#timeframe shouldn't exceed that.
$Timeframe = 5


#Earliest event time to include: now minus the timeframe.
$StartTime = (Get-Date) - (New-TimeSpan -Minutes $Timeframe)
#Get-WinEvent reports "no events found" as an error; suppress it so an empty
#result falls through to the if/else below instead of printing an error.
$ErrorActionPreference = 'silentlycontinue'

#Pull the events and filter them
$EventTracker = Get-WinEvent -FilterHashtable @{
    LogName      = $LogName
    ID           = $ID
    Level        = $EventSeverity
    ProviderName = $ProviderName
    StartTime    = $StartTime
} -MaxEvents 10

#Display the events
$EventTracker

#If there are events that match, trigger the ALERT
if ($EventTracker) {
    Write-Output "ALERT"
    exit 1
}
else {
    Write-Output "Events not found.  Check your filter variables if you are expecting a match."
    exit 0
}

Use Cases

  • Pinpointing recurrent crash events from a specific application
  • Tracking security or system warnings within critical timeframes
  • Identifying serious application errors before they impact end users
  • Triggering alert-driven automations for immediate incident response

Recommendations

  • Configure a script-based monitor in Level to run at intervals matching your timeframe setting
  • For recurring checks, create an automation in Level with a scheduled trigger that runs this script to regularly scan event logs
  • Test in a non-production environment to confirm correct event filtering and avoid false positives
  • Update the script variables (LogName, ID, EventSeverity, ProviderName, Timeframe) to suit your specific monitoring needs
  • Keep an eye on performance by limiting the timeframe and maximum events to reduce overhead on busy systems
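The recommendation to test the filter before deploying is easier with a self-test that plants a known event and checks that the same style of query the monitor uses finds it, and that a near-miss ID does not. The following is an added example, not part of the Level script: the source name LevelMonitorSelfTest, the event ID 4242 and the message are made up for the test. It needs an elevated Windows PowerShell 5.1 session, because New-EventLog and Write-EventLog are not available in PowerShell 7 and creating a source requires administrator rights.

```powershell
# Added self-test for the monitor's filter (example code, not the Level script).
# Writes one constructed Error event under a dedicated test source, then runs
# the same FilterHashtable shape the monitor uses to confirm a true positive
# and the absence of a false positive for a neighbouring ID.
$TestSource = 'LevelMonitorSelfTest'   # assumed name, used only for this test
$TestId     = 4242                     # assumed ID, not one the monitor watches
$Timeframe  = 5                        # minutes, same as the monitor setting

# Register the test source once; New-EventLog fails if it already exists.
if (-not [System.Diagnostics.EventLog]::SourceExists($TestSource)) {
    New-EventLog -LogName Application -Source $TestSource
}

# -EntryType Error is stored as Level 2, which is what the monitor filters on.
Write-EventLog -LogName Application -Source $TestSource -EventId $TestId `
    -EntryType Error -Message 'Level monitor self-test event (constructed).'

# Same filter keys as the monitor; -ErrorAction SilentlyContinue turns the
# "no events found" error into an empty result.
function Find-Events ([int]$Id, [string]$Provider, [int]$Minutes) {
    $StartTime = (Get-Date).AddMinutes(-$Minutes)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ID           = $Id
        Level        = 2
        ProviderName = $Provider
        StartTime    = $StartTime
    } -MaxEvents 10 -ErrorAction SilentlyContinue
}

$hit  = Find-Events -Id $TestId       -Provider $TestSource -Minutes $Timeframe
$miss = Find-Events -Id ($TestId + 1) -Provider $TestSource -Minutes $Timeframe

if ($hit -and -not $miss) {
    Write-Output "PASS: filter matched the test event and nothing else."
    exit 0
}
else {
    Write-Output "FAIL: hit=$([bool]$hit) miss=$([bool]$miss); check the filter keys."
    exit 1
}
```

Run it once on a lab machine after editing the monitor's variables; if PASS is printed, the LogName, Level and StartTime keys behave as expected and any remaining false positives come from the ID or ProviderName you chose, not from the query itself.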

FAQ

  • Can I monitor multiple event IDs at once?
    Not in the current script version. You can adapt it to search multiple IDs or run separate instances for each ID.
  • Does this script attempt any remediation actions?
    No, it only scans the event logs and exits with an alert if matching events are detected. Use separate scripts or automations for repairs.
  • Can I modify the event provider name to match third-party apps?
    Absolutely. Change the $ProviderName variable to filter any desired source.
  • Will this script work on older Windows OS versions?
    It depends on the availability of Get-WinEvent. It’s supported on most modern Windows environments, but test for compatibility.
  • Can I increase the timeframe to a longer window?
    Yes, but ensure it aligns with the frequency of your monitor or scheduled task in Level to avoid overlapping or missing events.
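The first FAQ answer says the stock script handles a single event ID and suggests adapting it. Get-WinEvent's -FilterHashtable accepts arrays for the ID, Level and ProviderName keys, so one query can cover several IDs and severities at once. The following variant is an added example, not the Level script itself: the ID set (1000 and 1002), the provider list ("Application Error" and "Application Hang") and the variable names are assumptions to be replaced with the values relevant to your environment.

```powershell
# Added example (not the Level script): monitor several event IDs, severities
# and providers in one query, and emit a compact per-event summary for the alert.
$LogName       = 'Application'
$IDs           = @(1000, 1002)                              # assumed set
$EventSeverity = @(1, 2)                                    # Critical and Error
$ProviderName  = @('Application Error', 'Application Hang') # assumed set
$Timeframe     = 5                                          # minutes; match the monitor interval
$MaxEvents     = 50                                         # cap the work on busy systems

$StartTime = (Get-Date).AddMinutes(-$Timeframe)

# Arrays in ID, Level and ProviderName are OR-ed within each key and AND-ed
# across keys. -ErrorAction SilentlyContinue makes "no events found" an empty
# result rather than an error message.
$Events = @(Get-WinEvent -FilterHashtable @{
    LogName      = $LogName
    ID           = $IDs
    Level        = $EventSeverity
    ProviderName = $ProviderName
    StartTime    = $StartTime
} -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)

if ($Events.Count -eq 0) {
    Write-Output "No matching events in the last $Timeframe minutes."
    exit 0
}

# One line per event so the alert body in Level stays readable.
$Summary = $Events | ForEach-Object {
    $firstLine = ($_.Message -split "`r?`n")[0]
    '{0:u} Id={1} Level={2} Provider={3} :: {4}' -f `
        $_.TimeCreated, $_.Id, $_.LevelDisplayName, $_.ProviderName, $firstLine
}

# A count per ID shows which ID is noisy before you widen the window.
$Counts = $Events | Group-Object Id | ForEach-Object { "Id $($_.Name): $($_.Count)" }

Write-Output "ALERT: $($Events.Count) event(s) matched ($($Counts -join ', '))"
$Summary | Write-Output
exit 1
```

Wrapping the Get-WinEvent call in @() keeps $Events an array even when one event is returned, so .Count is reliable; the exit codes (1 on match, 0 otherwise) are the same as the stock script's, so the Level monitor configuration does not change.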

Included with this Script:

Below is a list of what you can expect to find when importing this Script.

Script details:

The following data and settings will be imported with your script.

Script Name

Windows Monitor - Event Log

Description

This PowerShell script monitors Windows application logs for specific error events (ID 1000) from "Application Error" within the last 5 minutes. It outputs "ALERT" if matching events are found, or a notification if no events match the specified criteria.

Language

PowerShell

Timeout (In Seconds)

100

Run As

Local system

