close

Command Line Event Logs – Part 2

Overview

In my last article Command Line Event Logs I introduced the command line utility WEVTUTIL.EXE, which you can use to get event log information on your Windows 7 machine. In this article, I want to show you how to use it to manage the event logs themselves. Remember, you can always ask the utility for help.

​C:\> wevtutil /?

If some of the parameters don’t make sense to you in the following examples, take a few minutes to go back and read Command Line Event Logs – Part 1.

Listing Logs

The first task to look at is enumerating all the event logs. You might also need to know the log name for query purposes. All we need to do is use the el or enum-logs parameter. Here are the logs on the remote server CHI-FP01:

​C:\>wevtutil el /r:chi-fp01 | more
Analytic
Application
DNS Server
DirectShowFilterGraph
DirectShowPluginControl
EndpointMapper
ForwardedEvents
HardwareEvents
Internet Explorer
Key Management Service
Microsoft-IE/Diagnostic
...

I piped to MORE to send results in pages. The server is running Windows Server 2008 R2 so it has all of the new diagnostic logs. Once you’ve identified a log, you can get additional information on it using the gli or get-log-info parameter.

​C:\>wevtutil gli application /r:chi-fp01
creationTime: 2011-04-27T00:51:21.140Z
lastAccessTime: 2011-04-27T00:51:21.140Z
lastWriteTime: 2011-12-26T19:05:11.537Z
fileSize: 2166784
attributes: 32
numberOfLogRecords: 2399
oldestRecordNumber: 1

The file size is in bytes and I can see that there are almost 2,400 entries in the Application log. Here’s a little trick if you want to build a report for one or more logs. First, create a text file of all the log names you are interested in. You can do this manually, or send output to a text file.

​C:\>wevtutil el > c:\work\evtlogs.txt

​C:\>(for /f %i in (c:\work\evtlogs.txt) do @echo %i & wevtutil gli /r:chi-fp01 %i & echo.) > c:\work\chi-fp01-logs.txt

Depending on what log names are in the list and the computer you query, you might get some errors. In my case I built the text file from Windows 7, but queried Windows Server 2008 R2, so some logs don’t exist. Naturally the better step is to create platform specific lists. But I hope you get the idea.

Get Log Configuration

In addition to details about the log contents, we can use this tool to discover log properties such as whether it is enabled, its file name and size. Use the gl or Get-Log parameter.

​C:\>wevtutil gl microsoft-windows-backup /r:chi-fp01
name: microsoft-windows-backup
enabled: true
type: Operational
owningPublisher: Microsoft-Windows-Backup
isolation: System
channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;BO)(A;;0x5;;;SO)(A;;0x1;;
;IU)(A;;0x3;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)
logging:
logFileName: %SystemRoot%\System32\Winevt\Logs\microsoft-windows-backup.evtx
retention: false
autoBackup: false
maxSize: 1052672
publishing:
fileMax: 1

Set Log Configuration

If I want to modify a log setting, such as maximum file size I’ll use the sl or Set-Log parameter. I’m going to change the max file size on the backup log to about 2MB.

​C:\>wevtutil sl microsoft-windows-backup /r:chi-fp01 /ms:2097152

Re-querying the log I can see my change in effect.

​C:\>wevtutil gl microsoft-windows-backup /r:chi-fp01 | find /I "maxsize"
maxSize: 2097152

To see all of the set options, look at help for this command.

​C:\>wevtutil sl /?

Export Logs

I can export an entire log to a file using the epl or export-log parameter.

​C:\>wevtutil epl microsoft-windows-backup c:\work\fp01-backup.evtx /r:chi-fp01

Be sure to get parameters in the right order. You must specify the log name first and then the target file. If you have created an XML query and saved it to a file, like I did in Part 1, you can also use that query to export selected events. Simply substitute the path to your query file in place of the log name.

​C:\>wevtutil epl s:\scmquery.txt c:\work\fp01-system-service.evtx /r:chi-fp01  /sq:true

There is one very important caveat here when you export logs on remote computers: the target path is relative to the remote computer. So in my examples, the exported logs are in C:\Work on CHI-FP01. However, you can use a UNC as part of the path. Use this export feature for log backups.

Clear Logs

The last task you may have is to clear an event log. This is easily accomplished with the cl or clear-log parameter.

​C:\>wevtutil cl microsoft-windows-backup /bu:\\chi-fp01\IT\FP01-Backuplog.evtx /r:chi-fp01

If you didn’t export events first, you can use the /bu parameter as I’m doing here and create a backup log first. As with exporting, the path is relative to the computer and you can use a UNC.

Checking the log again, I can see that I was successful.

​C:\>wevtutil gli microsoft-windows-backup /r:chi-fp01
creationTime: 2011-08-02T16:26:37.657Z
lastAccessTime: 2011-12-28T15:18:46.688Z
lastWriteTime: 2011-12-28T15:18:46.688Z
fileSize: 69632
attributes: 32
numberOfLogRecords: 0
oldestRecordNumber: 0

Conclusion

Using WEVTUTIL takes a little practice so try these commands out in a test environment first. In future articles I’ll show you how to accomplish these same tasks using Windows PowerShell.

Article saved!

Access saved content from your profile page. View Saved