Querying Event Logs Using Wevtutil

by Chris Sanders [Published on 18 Aug. 2011 / Last Updated on 31 Aug. 2010]

Now that Windows 7 and Windows Server 2008 have significantly more powerful logging capabilities, there is a great need for tools that can better extract information from these logs. One such tool is called Wevtutil.

Windows 7 and Windows Server 2008 boast significantly more powerful logging capabilities than their predecessors. As a result, more advanced log data extraction and correlation is possible with the right tools. One of these tools is called Wevtutil, a command-line utility specifically designed for querying the Windows event log.

Using Wevtutil you can display the available logs, query data from logs, correlate data between logs, or even export queried data as XML for formatting into other, more readable formats such as a web-based reporting display. I’ve used the utility several times myself during incident response scenarios to pull specific data from multiple logs and output it to a more readable format.
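The following script is an added example, not code from the article or from Microsoft, showing the workflow described above end to end: query a log with wevtutil, export the matching events as XML, and reshape them into a readable summary table. It assumes an elevated PowerShell prompt on Windows 7 / Server 2008 or later (the Security log is not readable by standard users), and that Event ID 4625 is the "An account failed to log on" event, which it is on Vista and later. The function names, the `$sampleXml` record and its values are constructed for illustration.

```powershell
# Added example (not from the article). Handy orientation commands first:
#   wevtutil el                 - enumerate the available logs
#   wevtutil gli Security       - show size, record count and retention of one log
#   wevtutil qe Security /c:5 /rd:true /f:text   - five newest Security events as text

function Get-WevtutilEvents {
    # Export events matching an XPath filter from one log as a single XML document.
    param(
        [string]$LogName   = 'Security',
        [int]   $EventId   = 4625,   # assumption: 4625 = "An account failed to log on"
        [int]   $Hours     = 24,
        [int]   $MaxEvents = 500
    )
    # timediff() works in milliseconds; /rd:true returns newest first;
    # /e:Events wraps the output in one root element so [xml] can parse it.
    $ms    = $Hours * 3600 * 1000
    $xpath = "*[System[(EventID=$EventId) and TimeCreated[timediff(@SystemTime) <= $ms]]]"
    $raw   = & wevtutil qe $LogName "/q:$xpath" "/c:$MaxEvents" /rd:true /f:xml /e:Events 2>&1
    if ($LASTEXITCODE -ne 0) { throw "wevtutil failed: $raw" }
    return ($raw -join "`n")
}

function ConvertFrom-WevtutilXml {
    # Turn wevtutil XML output into objects; EventData/Data items are keyed by Name.
    param([Parameter(Mandatory)][string]$XmlText)
    $doc = [xml]$XmlText
    foreach ($e in $doc.Events.Event) {
        $data = @{}
        foreach ($d in $e.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # Older providers emit <EventID Qualifiers='...'>, which PowerShell surfaces
        # as an element rather than a string, so take '#text' in that case.
        $id = $e.System.EventID
        if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }
        [pscustomobject]@{
            Time      = $e.System.TimeCreated.SystemTime   # kept as the raw UTC string
            EventId   = [int]$id
            Computer  = $e.System.Computer
            User      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            Source    = $data['IpAddress']
            LogonType = $data['LogonType']
            Status    = $data['Status']
        }
    }
}

function Get-FailedLogonSummary {
    # Readable rollup: which accounts failed to log on, from where, how often.
    param([string]$XmlText)
    ConvertFrom-WevtutilXml -XmlText $XmlText |
        Group-Object User, Source |
        Sort-Object Count -Descending |
        Select-Object Count, @{n='User / Source'; e={$_.Name}}
}

# Constructed sample record so the parsing path can be exercised offline.
$sampleXml = @"
<Events>
 <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
   <Provider Name='Microsoft-Windows-Security-Auditing'/>
   <EventID>4625</EventID>
   <TimeCreated SystemTime='2011-08-18T14:23:01.000Z'/>
   <Computer>WKS01.corp.example</Computer>
  </System>
  <EventData>
   <Data Name='TargetUserName'>jdoe</Data>
   <Data Name='TargetDomainName'>CORP</Data>
   <Data Name='Status'>0xc000006d</Data>
   <Data Name='LogonType'>3</Data>
   <Data Name='IpAddress'>10.0.0.25</Data>
  </EventData>
 </Event>
</Events>
"@

# Offline run against the constructed sample:
Get-FailedLogonSummary -XmlText $sampleXml | Format-Table -AutoSize

# Live run against the local Security log (elevated prompt required):
# Get-FailedLogonSummary -XmlText (Get-WevtutilEvents -LogName Security -EventId 4625 -Hours 24) |
#     Format-Table -AutoSize
```

Because `ConvertFrom-WevtutilXml` is separate from the wevtutil call, the same parser can be pointed at XML exported from a different log (for example the System log with another Event ID) and the resulting objects joined on `Computer` or `Time`, which is the cross-log correlation the article refers to. Rendering the objects with `ConvertTo-Html` instead of `Format-Table` gives the web-based report mentioned above.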

You can read more about Wevtutil at http://technet.microsoft.com/en-us/library/cc732848%28WS.10%29.aspx.  


The Author — Chris Sanders

Chris Sanders is a network security analyst for EWA Government Systems Inc. Chris is the author of the book Practical Packet Analysis as well as several technical articles. His personal website at www.chrissanders.org contains a great deal of information, articles, and guides related to network administration, network security, packet analysis, and general information technology.
