Some apps or services in Windows don’t use binary Event Viewer logs (*.evtx) to store their logs, but instead save them as plain text log files. When troubleshooting certain issues, it can be useful to view the contents of the log file on screen in real time with automatic updates as new lines are appended to the log. In Linux, the tail command is typically used to display the contents of a log file on the screen and update it in real-time. For live (real-time) log monitoring in Windows, you can use the PowerShell cmdlet Get-Content as an analogue of the tail command.
The following command outputs log file contents to the console, displaying new lines in real time as they are appended to the log:
Get-Content -Path "C:\LogFolder\appact.log" -Wait
Press CTRL+C to stop the live log output in the PowerShell console.

A drawback of the previous command is that it first prints the entire log file before it starts showing new lines as they are appended. It is usually more convenient to display only the latest entries. For example, to show only the last 10 lines of the log file and then wait for new lines to appear, add the -Tail 10 argument:
Get-Content -Path "C:\LogFolder\appact.log" -Wait -Tail 10
PowerShell also lets you filter the log stream in real time so that only lines matching specific criteria are displayed. For example, to show only the firewall log entries that contain a specific IP address:
$IP = "123.12.2.22"
Get-Content "C:\windows\system32\LogFiles\Firewall\pfirewall.log" -Tail 40 -Wait | ? { $_ -match $IP }
PowerShell can also colorize the log output to make it easier to read. For example, to highlight lines containing the keyword Success in green and lines containing ERROR in white on a red background:
Get-Content C:\Windows\System32\LogFiles\setupcln\setupact.log -Wait -Tail 50 | ForEach-Object {
    switch -Regex ($_) {
        "ERROR"   { Write-Host $_ -F White -B Red }
        "Success" { Write-Host $_ -F Green }
        default   { Write-Host $_ }
    }
}
The log file output on the screen is now much more readable.
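The filtering and colorizing one-liners above can be folded into a single reusable function. The following is an added example and is not code from the original article; the function name Watch-LogFile, its parameters, and the default highlight rules are my own choices. It combines -Tail and -Wait, applies an optional regex filter, and colors each line by the first matching rule in an ordered table. Note that -match treats its right-hand side as a regular expression, so an IP address passed in unescaped (as in the firewall example above) would also match lines where the dots are any character; the usage call escapes it with [regex]::Escape.

```powershell
# Added example (not from the original article): a reusable wrapper around
# Get-Content -Wait -Tail that filters lines by regex and colour-codes them
# using a caller-supplied rule table. Function and parameter names are assumed.
function Watch-LogFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path,                       # plain-text log file to follow

        [int]$Tail = 20,                     # trailing lines to show before following

        [string]$Filter,                     # optional regex; only matching lines are shown

        # Ordered map of regex -> console colour, evaluated top to bottom; first match wins.
        # -match is case-insensitive by default, so 'error' and 'ERROR' both hit the first rule.
        [System.Collections.Specialized.OrderedDictionary]$Highlight = [ordered]@{
            'ERROR|FAIL|DROP' = 'Red'
            'WARN'            = 'Yellow'
            'SUCCESS|ALLOW'   = 'Green'
        }
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Log file not found: $Path"
    }

    # -Tail makes Get-Content seek to the end and read only the last $Tail lines;
    # -Wait keeps the pipeline open and emits each new line as it is appended.
    Get-Content -LiteralPath $Path -Tail $Tail -Wait | ForEach-Object {
        $line = $_

        # 'return' inside a ForEach-Object script block skips only the current line.
        if ($Filter -and ($line -notmatch $Filter)) { return }

        $colour = $null
        foreach ($rule in $Highlight.GetEnumerator()) {
            if ($line -match $rule.Key) { $colour = $rule.Value; break }
        }

        if ($colour) { Write-Host $line -ForegroundColor $colour }
        else         { Write-Host $line }
    }
}

# Usage: show the last 40 firewall log entries that mention one address, then keep
# following the log live (Ctrl+C stops it). The IP address is a constructed sample.
$IP = '123.12.2.22'
Watch-LogFile -Path "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" `
              -Tail 40 -Filter ([regex]::Escape($IP))
```

Because the rule table is ordered, put the most specific or most important patterns first; a line containing both "ERROR" and "Success" is coloured by whichever rule appears earlier. To watch a different log, change only the -Path and, if needed, pass your own -Highlight table.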
Thus, PowerShell provides a simple and convenient tool for real-time monitoring of log file changes. Without -Tail, Get-Content reads the whole file into the pipeline, so very large log files (several GB) are slow to open. With the -Tail parameter it reads only the end of the file rather than the entire log, so this real-time monitoring method does not result in high memory usage.