IMPORTANT ANNOUNCEMENT FOR OUR READERS!
AskPFEPlat is in the process of a transformation to the new Core Infrastructure and Security TechCommunity, and will be moving by the end of March 2019 to our new home at https://aka.ms/CISTechComm (hosted at https://techcommunity.microsoft.com). Please bear with us while we are still under construction!
We will continue bringing you the same great content, from the same great contributors, on our new platform. Until then, you can access our new content on either https://aka.ms/askpfeplat as you do today, or at our new site https://aka.ms/CISTechComm. Please feel free to update your bookmarks accordingly!
Why are we doing this? Simple really; we are looking to expand our team internally in order to provide you even more great content, as well as take on a more proactive role in the future with our readers (more to come on that later)! Since our team encompasses many more roles than Premier Field Engineers these days, we felt it was also time we reflected that initial expansion.
If you have never visited the TechCommunity site, it can be found at https://techcommunity.microsoft.com. On the TechCommunity site, you will find numerous technical communities across many topics, which include discussion areas, along with blog content.
NOTE: In addition to the AskPFEPlat-to-Core Infrastructure and Security transformation, Premier Field Engineers from all technology areas will be working together to expand the TechCommunity site even further, joining together in the technology agnostic Premier Field Engineering TechCommunity (along with Core Infrastructure and Security), which can be found at https://aka.ms/PFETechComm!
As always, thank you for continuing to read the Core Infrastructure and Security (AskPFEPlat) blog, and we look forward to providing you more great content well into the future!
Our readers are simply the best! One of the benefits of having great folks read what we post on the Ask PFE Platforms Blog is the questions we sometimes receive. One such recent question, which came to us this week, you will find below. If you have a question for us, don’t forget that you can contact us using the Contact tile just to the right of this article when viewed from our TechNet blog. Interesting questions sometimes have interesting answers that we can all benefit from. Whether you have a question about WinSxS, sizing a page file, or restoring an Active Directory object, if you can’t find the answer and it is about Windows Server, it might be a good opportunity for us to post something about it.
How can I determine the oldest entry of a Windows event log using Wevtutil.exe?
This was a great question. I was surprised that it didn’t also ask how to find the same information with PowerShell. Wevtutil.exe offers many syntax options for querying event log information. While I’ve known how to gather the most recent event log entries (which is really handy on a Server Core installation), I had never stopped to think about how to get the oldest entry. Wevtutil.exe is the command-line companion to the Windows Event Viewer, but you can’t quite do everything with it that you can do from the GUI-based tool. You can, however, retrieve the oldest (or newest) entry of a given event log with a couple of switches. Below are examples with PowerShell equivalents, plus a few extras that may serve as a good reference.
Finding the oldest entry within a specific event log
wevtutil qe Security /rd:false /c:1 /f:text
The key to the above syntax is the /rd switch, which sets the direction in which events are read. With /rd:true the most recent events are returned first; the default is false, which reads from the oldest event forward, so /rd:false is spelled out above for clarity. We only care about the first item returned (/c:1). If you want the oldest 10 events, simply change the command line to use /c:10. Because the query starts at the beginning of the log and stops after one record, the result comes back very quickly.
Get-EventLog Security | Select-Object -Last 1 | fl
The command line above queries the Security event log and returns the oldest entry. Get-EventLog returns entries newest first, so Select-Object -Last 1 has to walk the entire log before it can hand back the final object; the time this takes is proportional to the size of the Security log, so give it some time to run. I added fl (Format-List) so that the full timestamp appears in the output rather than just the month and day. Get-EventLog has a -Newest parameter but no equivalent for oldest. Note also that Get-EventLog exists only in Windows PowerShell (it is not available in PowerShell 6 and later) and reads only the classic logs; Get-WinEvent, which has an -Oldest switch and can read any log, is the more efficient pure PowerShell way to accomplish this.
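The following is an added example, not code from the original post, showing what a practitioner usually wants the oldest entry for: how far back the log actually reaches, and whether a circular log is at risk of overwriting records before they are collected. It uses Get-WinEvent -Oldest, which reads from the start of the log and returns after a single record instead of walking every entry. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, and an elevated session (or membership in Event Log Readers) to read the Security log; the 30-day threshold is a hypothetical value, not anything the post specifies.

```powershell
# Added example (not from the original post): report how far back an event log reaches and
# warn when a circular log covers less than a chosen number of days.
# Assumes Windows PowerShell 5.1 / PowerShell 7 on Windows and rights to read the log.
function Get-EventLogCoverage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$LogName,

        # Hypothetical threshold: warn when a circular log covers fewer days than this.
        [int]$MinimumDays = 30
    )

    # Log configuration: size limit, record count and retention mode.
    $info = Get-WinEvent -ListLog $LogName -ErrorAction Stop

    try {
        # Equivalent of: wevtutil qe <LogName> /rd:false /c:1
        $oldest = Get-WinEvent -LogName $LogName -Oldest -MaxEvents 1 -ErrorAction Stop
        # Equivalent of: wevtutil qe <LogName> /rd:true /c:1 (newest first is Get-WinEvent's default)
        $newest = Get-WinEvent -LogName $LogName -MaxEvents 1 -ErrorAction Stop
    } catch {
        # Get-WinEvent reports "No events were found..." as an error on an empty log.
        Write-Warning "$LogName on $env:COMPUTERNAME returned no events: $($_.Exception.Message)"
        return $null
    }

    $span = $newest.TimeCreated - $oldest.TimeCreated

    $result = [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        LogName      = $LogName
        OldestRecord = $oldest.TimeCreated
        NewestRecord = $newest.TimeCreated
        CoverageDays = [math]::Round($span.TotalDays, 1)
        RecordCount  = $info.RecordCount
        FileSizeMB   = [math]::Round($info.FileSize / 1MB, 1)
        MaxSizeMB    = [math]::Round($info.MaximumSizeInBytes / 1MB, 1)
        LogMode      = $info.LogMode   # Circular logs overwrite the oldest record when full
    }

    # A full circular log that spans only a few days is the classic forensic gap: the oldest
    # record is the earliest point an investigation on this host can reach.
    if ($info.LogMode -eq 'Circular' -and $span.TotalDays -lt $MinimumDays) {
        $msg = '{0} on {1} covers only {2:N1} days ({3} records, {4} MB limit); raise the maximum size or forward events before they are overwritten.' -f $LogName, $env:COMPUTERNAME, $span.TotalDays, $info.RecordCount, $result.MaxSizeMB
        Write-Warning $msg
    }

    return $result
}

# Usage: check the Security log on this machine.
Get-EventLogCoverage -LogName Security | Format-List
```

The two Get-WinEvent calls map one-to-one onto the wevtutil /rd:false and /rd:true queries above; the extra value comes from pairing the timestamps with the log's configured maximum size and LogMode, which is what decides whether the oldest record you found today will still exist tomorrow.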
Finding the newest entry within a specific event log
wevtutil qe Security /rd:true /c:1 /f:text
Returns the most recent event log entry formatted as text; /rd:true is required here because the default read direction starts at the oldest event. If you wanted the 5 most recent entries, use /c:5.
Get-EventLog Security -Newest 1 | fl
This command returns the most recent event log entry from the Security event log very quickly. For the 5 most recent events, use -Newest 5.
Altering formatted output of events
Wevtutil doesn’t offer much flexibility in regard to formatting: the choices for /f are XML (the default), Text and RenderedXml. I typically have it format as text using /f:text, as in the prior examples; the XML form is the one to reach for when another tool has to consume the output.
PowerShell is far more flexible about formatting output. For the above examples I chose Format-List (abbreviated fl). Format-Table (abbreviated ft) is also a good choice, and with PowerShell formatting you can easily select the specific fields you want. For instance, maybe you’re just interested in the Event ID and the timestamp because you’re looking for something specific and don’t need all the other description information:
Get-EventLog Security -Newest 5 | Format-Table EventID,TimeWritten -AutoSize
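Wevtutil's own formatting is limited, but its /f:xml output is structured and can be turned into the same kind of objects PowerShell formats so easily. The following is an added example, not part of the original post, that parses wevtutil XML into objects; the sample XML embedded in it is constructed to match the shape wevtutil emits and was not captured from a real system. It assumes Windows PowerShell 5.1 or PowerShell 7.

```powershell
# Added example (not from the original post): turn wevtutil's /f:xml output into PowerShell
# objects so fields can be selected and formatted like Get-EventLog output.
# wevtutil prints one <Event> element per record with no enclosing root element, so the text is
# wrapped in a root before parsing; PowerShell's dot-notation access ignores the XML namespace.
function ConvertFrom-WevtutilXml {
    param(
        # Raw output lines from: wevtutil qe <Log> /f:xml ...
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$InputLine
    )
    begin { $buffer = New-Object System.Text.StringBuilder }
    process { foreach ($line in $InputLine) { [void]$buffer.AppendLine($line) } }
    end {
        $doc = [xml]('<Events>' + $buffer.ToString() + '</Events>')
        foreach ($record in $doc.Events.Event) {
            $sys = $record.System
            # EventID is plain text unless the legacy Qualifiers attribute is present, in which
            # case PowerShell hands back an XmlElement and the number is in its '#text' node.
            $id = $sys.EventID
            if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }
            # SystemTime carries nine fractional digits; .NET DateTime parses at most seven,
            # so trim before parsing, and keep the value in UTC rather than shifting to local time.
            $stamp = $sys.TimeCreated.SystemTime -replace '(\.\d{7})\d*Z$', '$1Z'
            $when  = [datetime]::Parse($stamp, [cultureinfo]::InvariantCulture,
                         [System.Globalization.DateTimeStyles]::AdjustToUniversal)
            [pscustomobject]@{
                TimeCreatedUtc = $when
                EventID        = [int]$id
                Provider       = $sys.Provider.Name
                Computer       = $sys.Computer
                RecordId       = [long]$sys.EventRecordID
            }
        }
    }
}

# Constructed sample shaped like wevtutil's XML (not captured from a real system): a logon
# event and a legacy-style "audit log cleared" event that carries the Qualifiers attribute.
$sample = @'
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing'/><EventID>4624</EventID><Level>0</Level><TimeCreated SystemTime='2019-03-01T08:15:30.123456700Z'/><EventRecordID>1001</EventRecordID><Channel>Security</Channel><Computer>SERVER-01.example.local</Computer></System><EventData><Data Name='TargetUserName'>jdoe</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Eventlog'/><EventID Qualifiers='0'>1102</EventID><Level>4</Level><TimeCreated SystemTime='2019-03-01T08:16:02.000000000Z'/><EventRecordID>1002</EventRecordID><Channel>Security</Channel><Computer>SERVER-01.example.local</Computer></System></Event>
'@

$sample | ConvertFrom-WevtutilXml | Format-Table TimeCreatedUtc, EventID, Provider, RecordId -AutoSize

# Live usage (newest five Security events; /rd:true because the default direction is oldest first):
# wevtutil qe Security /rd:true /c:5 /f:xml | ConvertFrom-WevtutilXml | Format-Table -AutoSize
```

The Qualifiers handling matters in practice: classic providers (including the one that writes the 1102 "audit log cleared" record) emit EventID with that attribute, and a parser that assumes EventID is always plain text will return an XmlElement instead of a number for exactly the events an investigator cares about.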
Obtaining event data from other systems
Both Wevtutil and PowerShell allow you to retrieve event data from other systems using additional parameters that can be combined with the examples above.
You can use the command-line parameter /r:<computer> to connect to a remote computer and obtain its events; /u:<user> and /p:<password> supply alternate credentials for that connection. For more information, consult the following TechNet link:
The Get-EventLog cmdlet not only lets you connect to a remote computer, it also accepts a list of computers. A few examples are below. As you can see, the possibilities are limited only by your imagination.
Get-EventLog -ComputerName mycomputer Security -Newest 1 | Format-Table EventID,TimeWritten,MachineName,Source,Message -AutoSize
Obtains the most recent security event from a single remote computer and formats it as a table with named columns.
Get-EventLog -ComputerName 2008r2-dc01,2008r2-srv01,server-01 Security -Newest 1 | Format-Table EventID,TimeWritten,MachineName,Source,Message -AutoSize
Obtains the most recent security event from a comma-separated list of remote computers and formats it as a table with named columns.
Get-EventLog -ComputerName (Get-Content c:\scripts\serverlist.txt) Security -Newest 1 | Format-Table EventID,TimeWritten,MachineName,Source,Message -AutoSize
Obtains the most recent security event from a server list contained in an external file and formats it as a table.
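When the server list grows, the question becomes less "what is the oldest event on this box" and more "which boxes have a retention gap, and which ones did not answer at all". The following is an added example, not code from the original post, that fans the oldest/newest check out to a list of computers with Invoke-Command and reports unreachable hosts as rows instead of dropping them. It assumes PowerShell remoting (WinRM) is enabled on the targets and that the caller can read the requested log there; the c:\scripts\serverlist.txt path is an assumption, as in the post's own example.

```powershell
# Added example (not from the original post): collect oldest/newest record timestamps from
# many servers with Invoke-Command and keep hosts that did not answer visible in the report.
# Assumes WinRM remoting is enabled on the targets and the caller can read the log there.
function Get-RemoteEventLogSpan {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName,

        [string]$LogName = 'Security'
    )

    # Runs on each target. -Oldest reads from the start of the log; the default direction is
    # newest first, so each call returns after a single record.
    $remote = {
        param([string]$Log)
        $oldest = Get-WinEvent -LogName $Log -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
        $newest = Get-WinEvent -LogName $Log -MaxEvents 1 -ErrorAction SilentlyContinue
        $days   = if ($oldest -and $newest) { ($newest.TimeCreated - $oldest.TimeCreated).TotalDays } else { 0 }
        [pscustomobject]@{
            LogName      = $Log
            OldestRecord = $oldest.TimeCreated
            NewestRecord = $newest.TimeCreated
            CoverageDays = [math]::Round($days, 1)
            RecordCount  = (Get-WinEvent -ListLog $Log).RecordCount
        }
    }

    # Connection failures are non-terminating errors; silence them so the remaining hosts still
    # run, then find the silent hosts by comparing answers against the request list.
    $answers = Invoke-Command -ComputerName $ComputerName -ScriptBlock $remote `
                              -ArgumentList $LogName -ErrorAction SilentlyContinue

    $columns  = 'PSComputerName', 'LogName', 'OldestRecord', 'NewestRecord', 'CoverageDays', 'RecordCount'
    $answered = @($answers | ForEach-Object { $_.PSComputerName })

    # Invoke-Command stamps each returned object with the PSComputerName it came from.
    $answers | Select-Object ($columns + @{ Name = 'Status'; Expression = { 'OK' } })

    foreach ($target in $ComputerName) {
        if ($answered -notcontains $target) {
            # Emit a row for the missing host so it shows up in the report (and in any alerting
            # built on it) rather than silently vanishing from the list.
            $row = [ordered]@{}
            foreach ($c in $columns) { $row[$c] = $null }
            $row.PSComputerName = $target
            $row.LogName        = $LogName
            $row.Status         = 'NoResponse'
            [pscustomobject]$row
        }
    }
}

# Usage: same server list file as the Get-EventLog example above (path is an assumption).
Get-RemoteEventLogSpan -ComputerName (Get-Content c:\scripts\serverlist.txt) -LogName Security |
    Format-Table -AutoSize
```

Invoke-Command runs the script block on the targets in parallel, which is what makes this usable across a large estate; the trade-off against Get-EventLog -ComputerName is that it requires WinRM rather than the remote event log RPC interface. The non-responding hosts are derived from the request list rather than from the error records, so the report does not depend on the shape of a remoting error.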
For more information about the Get-EventLog cmdlet:
Thanks again for reading what we post, commenting, and asking questions!