Managing event logs from the command line

by Mitch Tulloch [Published on 20 May 2010 / Last Updated on 9 July 2009]

You can use the Windows Events command-line utility Wevtutil to view and examine events locally from the command line. This can be useful if you are managing a Server Core computer from the command line. It can also be useful if you want to script the configuration of event logs or export log configurations for archival purposes. Here are some of the things you can do:

To list the names of all event logs on a system, use the el (enum-logs) parameter with Wevtutil as follows:

wevtutil el

You can view the configuration of an event log, such as the maximum size of the log file, by using the gl (get-log) parameter. For example, to display the configuration of the Application log, do this:

wevtutil gl Application

name: Application
enabled: true
type: Admin
owningPublisher:
isolation: Application
channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\Application.evtx
  retention: false
  autoBackup: false
  maxSize: 20971520
publishing:

You can modify the configuration of a log file. For example, to increase the maximum size of the Application log to 100 megabytes (MB), enable retention so that the oldest events are dropped to make room for new events when the log becomes full, and automatically back up the log when it becomes full, type:

wevtutil sl Application /ms:104857600 /rt:true /ab:true
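The article mentions scripting log configuration and exporting it for archival. The following PowerShell script is an added example, not code from the article or from Microsoft: it wraps wevtutil el and wevtutil gl to save every log's configuration into a timestamped folder, parses the maxSize, retention and enabled values from the same output layout shown above, and flags enabled logs that are smaller than a threshold, which is the usual check before deciding which logs need a wevtutil sl change. The archive root and the 32 MB threshold are placeholders, and the script assumes an elevated PowerShell session on a Windows host.

```powershell
# Added example, not code from the original article. Exports the configuration of
# every event log with "wevtutil gl" to a timestamped folder (for archival) and
# flags enabled logs whose maximum size is below a threshold. Assumes an elevated
# PowerShell session on a Windows host; the archive root and the 32 MB threshold
# are placeholders to adjust.
param(
    [string]$ArchiveRoot  = "C:\LogConfigArchive",   # placeholder path
    [long]  $MinSizeBytes = 32MB                     # placeholder threshold
)

$stamp  = Get-Date -Format "yyyyMMdd-HHmmss"
$outDir = Join-Path $ArchiveRoot $stamp
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$report = foreach ($log in (wevtutil el)) {
    # Same output layout as "wevtutil gl Application" shown in the article
    $config = wevtutil gl $log 2>$null
    if ($LASTEXITCODE -ne 0 -or -not $config) { continue }   # not readable with current rights

    # Channel names such as Microsoft-Windows-TaskScheduler/Operational contain "/"
    $file = Join-Path $outDir (($log -replace '[\\/:*?"<>|]', '_') + ".txt")
    $config | Set-Content -Path $file

    $enabled = $null; $retention = $null; $maxSize = 0L
    foreach ($line in $config) {
        if ($line -match '^\s*enabled:\s*(\w+)')   { $enabled   = $Matches[1] }
        if ($line -match '^\s*retention:\s*(\w+)') { $retention = $Matches[1] }
        if ($line -match '^\s*maxSize:\s*(\d+)')   { $maxSize   = [long]$Matches[1] }
    }

    [pscustomobject]@{
        Log       = $log
        Enabled   = ($enabled -eq 'true')
        Retention = ($retention -eq 'true')
        MaxSizeMB = [math]::Round($maxSize / 1MB, 1)
        TooSmall  = ($enabled -eq 'true' -and $maxSize -lt $MinSizeBytes)
    }
}

# Keep a machine-readable summary next to the raw exports and show what needs attention
$report | Export-Csv -Path (Join-Path $outDir "summary.csv") -NoTypeInformation
$report | Where-Object { $_.TooSmall } |
    Format-Table Log, MaxSizeMB, Retention, TooSmall -AutoSize
```

Run it before and after a batch of wevtutil sl changes and diff the two folders to confirm exactly which logs changed. Microsoft's documentation for wevtutil sl describes /rt:true as "the log should not overwrite events" and /ab:true as automatic backup, so a log configured with both is archived to a new .evtx file beside the live log when it reaches maxSize; those archive files accumulate until something collects or prunes them, so plan for that disk usage.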

You can query an event log for a specific event or type of event by using the qe (query-events) parameter. For example, to display the most recent two events in the System log in plain text format, use the /rd switch to set the read direction to True (meaning most recent events are returned first) as follows:

wevtutil qe System /c:2 /rd:true /f:text

To display the most recent critical (level=1) or error (level=2) event in the Operational log for Task Scheduler, use the /q switch to specify an XPath query for these types of events as follows:

wevtutil qe Microsoft-Windows-TaskScheduler/Operational "/q:*[System[(Level=1 or Level=2)]]" /c:1 /rd:true /f:text
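The XPath filter above returns critical and error events from one channel as text. The script below is an added example, not code from the article: it runs the same Level=1 or Level=2 query against several channels, narrows it to the last 24 hours with the timediff() function that Event Viewer's custom views use, and parses the /f:xml output into objects that can be sorted, filtered and exported. The channel list, the 24-hour window and the 50-event cap per channel are placeholders; the script assumes an elevated PowerShell session on a Windows host.

```powershell
# Added example, not code from the original article. Runs the article's
# Level=1/Level=2 XPath query against several channels, limits it to the last
# 24 hours, and turns the "/f:xml" output into PowerShell objects. Assumes an
# elevated PowerShell session on Windows; the channel list, the window and the
# per-channel cap are placeholders to adjust.
$channels = @("System", "Application", "Microsoft-Windows-TaskScheduler/Operational")
$windowMs = 24 * 60 * 60 * 1000
# timediff() is the event-log XPath extension used for "last N hours" filters
$xpath    = "*[System[(Level=1 or Level=2) and TimeCreated[timediff(@SystemTime) <= $windowMs]]]"

$events = foreach ($ch in $channels) {
    $raw = wevtutil qe $ch "/q:$xpath" /c:50 /rd:true /f:xml 2>$null
    if ($LASTEXITCODE -ne 0 -or -not $raw) { continue }

    # wevtutil prints a bare sequence of <Event> elements; give them one root so [xml] can parse them
    $doc = [xml]("<Events>" + ($raw -join "") + "</Events>")
    foreach ($e in $doc.Events.Event) {
        # EventID is a plain string unless it carries a Qualifiers attribute, then it is an element
        $idNode = $e.System.EventID
        $id = if ($idNode -is [System.Xml.XmlElement]) { $idNode.'#text' } else { $idNode }
        [pscustomobject]@{
            Channel  = $ch
            Time     = [datetime]$e.System.TimeCreated.SystemTime
            Level    = [int]$e.System.Level
            EventId  = [int]$id
            Provider = $e.System.Provider.Name
            Computer = $e.System.Computer
        }
    }
}

$events | Sort-Object Time -Descending | Format-Table -AutoSize
```

Because the output is objects rather than text, the same run can feed Export-Csv for a ticket or Group-Object Provider, EventId to see which sources are repeating; wevtutil qe with /f:text is better for a quick look at a single event, as in the article's examples.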

For more information on how to do all these things, see my book Windows Server 2008 Server Core Administrator's Pocket Consultant from Microsoft Press.

If you have feedback concerning this tip, please email me. And be sure to check out my website!
