More on Event Logs at the command line

This time around I’m going to spend some more time on working with Event Logs from the command line. I’ll cover how to perform some common tasks using wevtutil.exe.

Enumerate Event Logs

wevtutil el – This command (el is short for enum-logs) will list out a lot of logs, but the main logs you’ll want to look at are Application, System, and Security. In addition, the Setup log is helpful if you are having problems installing roles, features, or patches. One thing to keep in mind: reading the Security log requires an elevated command prompt (or membership in the Event Log Readers group); from a normal prompt wevtutil reports that access is denied rather than returning events.


When viewing a log it’s a good idea to redirect the output (with >) to a text or XML file to make it easier to read.

Common switches that come in handy

/c:5 – Count. Specifies how many records you want returned, in this example 5.

/rd – Reverse Direction. By default the oldest events are displayed first, so if you used the /c switch to dump 5 events you would get the first 5 in the log, probably not the events you’re most interested in. To see the 5 most recent events you would specify /c:5 /rd:true.

/f: – Format. By default the output is raw XML, and when dumped out to the screen it isn’t the most readable output. Use /f:text to see the events in plain text.

/e – Element. If you’re dumping your log in XML, you must use this switch and specify a root element to get well-formed XML. Without it wevtutil writes one <Event> element after another with no enclosing root, which most XML parsers will reject.


So if you wanted to see the most recent event in the system log in text format, you would run:

Wevtutil qe /f:text /c:1 /rd:true system


The output would be along the lines of:

Event[0]:
  Log Name: System
  Source: Application Management Group Policy
  Date: 2006-09-22T07:33:22.000
  Event ID: 308
  Task: N/A
  Level: Information
  Opcode: Info
  Keyword: Classic
  User: S-1-5-21-2127521184-1604012920-1887927527-2929922
  User Name: sctest
  Computer: sctest1
  Description:
Changes to software installation settings were applied successfully.


To show this event as XML and write it to a file on a network share, run:

Wevtutil qe /c:1 /rd:true /e:root system > \\computer\share\system.xml
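To tie the switches together, here is an added PowerShell script (my example, not code from the original post) that drives wevtutil.exe the same way, adds the /q switch for an XPath filter and /r for a remote computer, and checks that the XML export is actually well-formed. The log name, the count, Event ID 4625 (a failed logon) as the filter, and the output paths are assumptions chosen for illustration; \\computer\share is the placeholder share from the post.

```powershell
# Added example, not part of the original post: drives wevtutil.exe from
# PowerShell to combine the switches above with /q (XPath filter) and /r
# (remote computer). Log name, count, Event ID 4625 and the output share are
# assumptions for illustration; \\computer\share is the placeholder from the post.
param(
    [string]$Log      = 'Security',          # assumed: which log to query
    [int]   $Count    = 5,                   # assumed: how many events to return
    [string]$Computer = $env:COMPUTERNAME,   # assumed: query the local machine
    [string]$OutDir   = '\\computer\share'   # placeholder share name from the post
)

# The Security log can only be read from an elevated prompt (or by a member of
# Event Log Readers); warn up front so "Access is denied" is not mistaken for
# an empty log.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if ($Log -eq 'Security' -and -not $isAdmin) {
    Write-Warning "Reading the $Log log normally requires an elevated prompt."
}

# 1. The $Count most recent events, newest first, in plain text.
#    /rd:true reverses the default oldest-first order; /f:text replaces raw XML.
wevtutil qe $Log "/c:$Count" /rd:true /f:text "/r:$Computer"

# 2. The same query narrowed with an XPath filter. The filter is evaluated
#    against each event's XML, so the element names match what /f:xml prints.
#    Event ID 4625 (a failed logon) is an assumed example; any EventID works.
$xpath = '*[System[(EventID=4625)]]'
wevtutil qe $Log "/q:$xpath" "/c:$Count" /rd:true /f:text "/r:$Computer"

# 3. Export the filtered events as well-formed XML. Without /e: the output is a
#    bare run of <Event> elements with no document root; /e:root wraps them in
#    <root>...</root> so a parser accepts the file. Redirect with > as in the post.
$xmlPath = Join-Path $OutDir "$Computer-$Log-4625.xml"
wevtutil qe $Log "/q:$xpath" "/c:$Count" /rd:true /e:root "/r:$Computer" > $xmlPath

# 4. Check the export really is well-formed: the [xml] cast throws on bad input.
$doc = [xml](Get-Content -Path $xmlPath -Raw)
"{0} event(s) written to {1}" -f @($doc.root.Event).Count, $xmlPath

# 5. For evidence preservation, export the local log in its native .evtx format
#    (epl = export log) rather than as text. The copy can be queried later with
#    wevtutil qe <file.evtx> /lf:true or opened in Event Viewer.
$evtxPath = Join-Path $OutDir "$env:COMPUTERNAME-$Log.evtx"
wevtutil epl $Log $evtxPath
```

Run it from an elevated PowerShell prompt. To query another machine pass -Computer with its name; wevtutil also accepts /u: and /p: for alternate credentials if your current account is not an administrator there. The .evtx export is kept local on purpose: unlike a text dump it preserves the original event records, which is what you want if the log may later be needed as evidence.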


See you again in a couple of weeks or so,


Andrew