Monitoring and Observability / Logs and Alerting | Intermediate | 1-2 hours | Lab build

Build a Windows Event Log Collector with PowerShell and Scheduled Tasks

A practical build for a lightweight Windows event log collector using PowerShell scripts and scheduled tasks, supporting clean incident triage and log management.

Last reviewed: 4/30/2026
Topics: Windows log collection, alert routing and triage
Tools: Windows OS, PowerShell, Scheduled Tasks

Expected Outcome

A working Windows event log collector that captures specified event logs, stores them in a CSV format for analysis, and runs automatically at defined intervals.

Assumptions

  • Basic knowledge of PowerShell scripting
  • Access to a Windows machine with administrative privileges
  • Familiarity with Windows Event Viewer and scheduled tasks

Bill of Materials

  • Windows operating system (Windows 10 or later)
  • PowerShell (version 5.1 or later)
  • Folder for log storage (e.g., C:\Logs)
  • Folder for script storage (e.g., C:\Scripts)

Build Steps

  1. Create Log Storage Directory

    Create a directory to store the collected event logs.

    Changes system state: review before running

    New-Item -Path 'C:\Logs' -ItemType Directory -Force
  2. Create PowerShell Script for Log Collection

    Write a PowerShell script that collects specific Windows event logs and saves them to a designated folder.

    Changes system state: review before running

    New-Item -Path 'C:\Scripts\CollectLogs.ps1' -ItemType File -Force
    Add-Content -Path 'C:\Scripts\CollectLogs.ps1' -Value "`$logs = Get-WinEvent -LogName 'Application', 'System', 'Security' -MaxEvents 1000"
    Add-Content -Path 'C:\Scripts\CollectLogs.ps1' -Value "`$logs | Export-Csv -Path 'C:\Logs\EventLogs.csv' -NoTypeInformation"
  3. Set Up Scheduled Task

    Create a scheduled task that runs the PowerShell script every hour to ensure continuous log collection.

    Changes system state: review before running

    schtasks /create /tn 'CollectEventLogs' /tr 'powershell.exe -File C:\Scripts\CollectLogs.ps1' /sc hourly /ru SYSTEM
  4. Configure Event Log Retention

    Adjust the retention settings for the event logs to manage disk space effectively.

    Example pattern only. Adjust for your environment before running.

    wevtutil sl Application /rt:true
    wevtutil sl System /rt:true
    wevtutil sl Security /rt:true
  5. Verify Scheduled Task and Log Collection

    Check that the scheduled task is running correctly and logs are being collected as expected.

    Safe to run: read-only

    Get-ScheduledTask -TaskName 'CollectEventLogs'
    Get-Content -Path 'C:\Logs\EventLogs.csv' -Tail 10
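The step 2 script overwrites EventLogs.csv with the newest 1000 events on every run, so events that arrive between two runs can be lost and earlier exports are discarded. As an added example (not the guide's own script), here is a fuller CollectLogs.ps1 for the same build steps 1 to 5: it keeps a per-log high-water mark (RecordId and timestamp) in a constructed state file, queries oldest-first so a backlog drains over later runs instead of being skipped, appends to one CSV per log and day, and flattens messages to one line so the CSV stays parseable. The state file name, the CSV naming and the 5000-per-run limit are assumptions.

```powershell
# CollectLogs.ps1: incremental event export (added example, not the guide's own script).
# Assumes C:\Logs exists (step 1) and the task runs as SYSTEM (step 3); the state file
# name and the per-run limit are assumptions.
$ErrorActionPreference = 'Stop'
$LogDir    = 'C:\Logs'
$StateFile = Join-Path $LogDir 'collector-state.json'
$LogNames  = @('Application', 'System', 'Security')
$MaxPerRun = 5000   # per log per run; oldest-first, so a backlog drains over later runs

# High-water marks per log: RecordId and TimeCreated of the last exported event.
$state = @{}
if (Test-Path $StateFile) {
    $saved = Get-Content -Path $StateFile -Raw | ConvertFrom-Json
    foreach ($p in $saved.PSObject.Properties) { $state[$p.Name] = $p.Value }
}

foreach ($log in $LogNames) {
    $filter = @{ LogName = $log }
    if ($state[$log]) {
        # StartTime narrows the query; the RecordId comparison below drops the overlap.
        $filter['StartTime'] = [datetime]$state[$log].TimeCreated
    }
    try {
        # -Oldest returns the oldest matching events first, so nothing is skipped when
        # more than $MaxPerRun events arrived since the last run; they come next time.
        $events = @(Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxPerRun -Oldest)
    } catch {
        # "No events found" (English message text) is normal between runs; anything else,
        # e.g. access denied, must fail the run so the task history shows it.
        if ($_.Exception.Message -notlike 'No events were found*') { throw }
        $events = @()
    }
    if ($state[$log]) { $events = @($events | Where-Object { $_.RecordId -gt $state[$log].RecordId }) }
    if ($events.Count -eq 0) { continue }

    # One CSV per log and day, appended to, instead of overwriting a single file each run.
    $outFile = Join-Path $LogDir ('{0}-{1:yyyy-MM-dd}.csv' -f $log, (Get-Date))
    $events |
        Select-Object TimeCreated, RecordId, Id, LevelDisplayName, ProviderName, MachineName,
            @{ n = 'Message'; e = { $_.Message -replace '\r?\n', ' ' } } |
        Export-Csv -Path $outFile -NoTypeInformation -Append

    $last = $events | Sort-Object RecordId | Select-Object -Last 1
    $state[$log] = @{ RecordId = $last.RecordId; TimeCreated = $last.TimeCreated.ToString('o') }
}

# Marks are written only after every log exported without error (ErrorActionPreference).
$state | ConvertTo-Json | Set-Content -Path $StateFile -Encoding UTF8
```

Run it once by hand as an administrator before wiring it to the scheduled task; the second run should export only events newer than the first run's marks.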

Validation

  • Check the contents of 'C:\Logs\EventLogs.csv' to ensure logs are being collected.
  • Review the scheduled task history to confirm execution.
  • Ensure the log file is updated with new entries after each scheduled run.

Troubleshooting

  • If a step fails, capture the exact command, exit code, and log line before retrying or changing the design.
  • Check service status, local logs, port bindings, file permissions, and DNS names before rebuilding the lab.

Cleanup or Rollback

  • Keep a copy of the working script, the scheduled task definition, and any collected log files before removing scripts, tasks, or data directories.
  • Remove only the scheduled task and folders created by this guide and verify no other process is still writing to the log folder before cleanup.
  • Roll back by restoring the saved script and configuration and re-registering the scheduled task.

Next Improvements

  • Implement alerting mechanisms based on log contents using PowerShell or third-party tools.
  • Integrate with a SIEM solution for centralized log management and analysis.
  • Regularly review and update the PowerShell script to include additional logs as needed.