Eventlogs at the command line
This time around I’m going to spend some more time on working with Event Logs from the command line. I’ll cover some how to perform some common tasks using wevtutil.exe.
Enumerate Event Logs
Wevtutil el – This command will list out a lot of logs but the main logs you’ll want to look at are Application, System, and Security. In addition, the Setup log is helpful if you are having problems installing roles, features, or patches.
When viewing a log it’s a good idea to redirect the output to a text or xml file to make it easier to read.
Common switches that come in handy
/c:5 – Count. Specifies how many records you want returned, in this example 5
/rd – Reverse Direction. By default the oldest events are displayed first, so if you used the /c switch to dump 5 events you would get the first 5 in the log, probably not the events you’re most interested in. To see the 5 most recent events you would specify /c:5 /rd:True
/f: - Format. By default the output is raw xml and when dumped out to the screen it isn’t the most readable output. Use /f:text to see the events in plain text.
/e – Element. If you’re dumping your log in XML, you must use this switch and specify a root element to get well formed XML.
So if you wanted to see the most recent event in the system log in text format, you would run:
Wevtutil qe /f:text /c:1 /rd:true system
The output would be along the lines of:
Event[0]:
Log Name: System
Source: Application Management Group Policy
Date: 2006-09-22T07:33:22.000
Event ID: 308
Task: N/A
Level: Information
Opcode: Info
Keyword: Classic
User: S-1-5-21-2127521184-1604012920-1887927527-2929922
User Name: sctest
Computer: sctest1
Description:
Changes to software installation settings were applied successfully.
To show this event in xml and dump it to a network share, run:
Wevtutil qe /c:1 /rd:true /e:root system > \\computer\share\system.xml
See you again in a couple of weeks or so,
Enumerate Event Logs
Wevtutil el – This command will list out a lot of logs but the main logs you’ll want to look at are Application, System, and Security. In addition, the Setup log is helpful if you are having problems installing roles, features, or patches.
When viewing a log it’s a good idea to redirect the output to a text or xml file to make it easier to read.
Common switches that come in handy
/c:5 – Count. Specifies how many records you want returned, in this example 5
/rd – Reverse Direction. By default the oldest events are displayed first, so if you used the /c switch to dump 5 events you would get the first 5 in the log, probably not the events you’re most interested in. To see the 5 most recent events you would specify /c:5 /rd:True
/f: - Format. By default the output is raw xml and when dumped out to the screen it isn’t the most readable output. Use /f:text to see the events in plain text.
/e – Element. If you’re dumping your log in XML, you must use this switch and specify a root element to get well formed XML.
So if you wanted to see the most recent event in the system log in text format, you would run:
Wevtutil qe /f:text /c:1 /rd:true system
The output would be along the lines of:
Event[0]:
Log Name: System
Source: Application Management Group Policy
Date: 2006-09-22T07:33:22.000
Event ID: 308
Task: N/A
Level: Information
Opcode: Info
Keyword: Classic
User: S-1-5-21-2127521184-1604012920-1887927527-2929922
User Name: sctest
Computer: sctest1
Description:
Changes to software installation settings were applied successfully.
To show this event in xml and dump it to a network share, run:
Wevtutil qe /c:1 /rd:true /e:root system > \\computer\share\system.xml
See you again in a couple of weeks or so,
Comments