You can use the Windows Events command-line utility Wevtutil to view and examine events locally from the command line. This can be useful if you are managing a Server Core computer from the command line. It can also be useful if you want to script the configuration of event logs or export log configurations for archival purposes. Here are some of the things you can do:
To list the names of all event logs on a system, use the el (enum-logs) parameter with Wevtutil as follows:
wevtutil el
You can view the configuration of an event log, such as the maximum size of the log file, by using the gl (get-log) parameter. For example, to display the configuration of the Application log, do this:
wevtutil gl Application
name: Application
enabled: true
type: Admin
owningPublisher:
isolation: Application
channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)
logging:
logFileName: %SystemRoot%\System32\Winevt\Logs\Application.evtx
retention: false
autoBackup: false
maxSize: 20971520
publishing:
You can modify the configuration of a log file. For example, to increase the maximum size of the Application log to 100 megabytes (MB), enable retention so that the oldest events are dropped to make room for new events when the log becomes full, and automatically back up the log when it becomes full, type:
wevtutil sl Application /ms:104857600 /rt:true /ab:true
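The following PowerShell is an added example, not code from the original tip or its author: it parses the key/value text that wevtutil gl prints (the real output indents the keys under logging: and publishing:, which the rendering above has dropped) into a dictionary and compares it with a baseline, so the change made with wevtutil sl can be confirmed by re-reading the configuration rather than assumed. The function names, the 100 MB baseline, and the embedded sample output are my assumptions. One caveat worth knowing when you set these switches together: wevtutil's own definition of retention true is that existing events are kept and new ones are discarded once the log reaches its maximum size, which is why /ab:true must be paired with /rt:true, so after a change always check the three values rather than only the size.

```powershell
# Added example (not from the original tip): parse 'wevtutil gl' output into a
# dictionary and check it against a baseline, so that a 'wevtutil sl' change
# can be verified. Function names and the baseline values are assumptions.

function ConvertFrom-WevtLogConfig {
    param([string[]]$Lines)
    # wevtutil gl prints "key: value" lines; keys under a section header such as
    # "logging:" are indented, and are stored here as "section.key".
    $config = [ordered]@{}
    $section = $null
    foreach ($line in $Lines) {
        if ($line -match '^(\s*)([A-Za-z]+):\s*(.*)$') {
            $indent = $Matches[1].Length
            $key    = $Matches[2]
            $value  = $Matches[3]
            if ($indent -eq 0) {
                $section = $null
                $config[$key] = $value
                if ($value -eq '') { $section = $key }   # "logging:" / "publishing:" open a section
                continue
            }
            $config["$section.$key"] = $value
        }
    }
    return $config
}

function Get-WevtLogConfig {
    param([Parameter(Mandatory)][string]$LogName)
    # Needs wevtutil.exe, i.e. a Windows host; the output is the text shown in the tip.
    $lines = & wevtutil.exe gl $LogName
    if ($LASTEXITCODE -ne 0) { throw "wevtutil gl $LogName failed" }
    ConvertFrom-WevtLogConfig -Lines $lines
}

function Test-WevtLogConfig {
    param(
        [Parameter(Mandatory)]$Config,
        [long]$MinSizeBytes = 100MB,     # assumed baseline, matching the tip's /ms value
        [bool]$Retention  = $true,
        [bool]$AutoBackup = $true
    )
    # Returns one line per deviation; an empty result means the log matches the baseline.
    $findings = @()
    $size = [long]$Config['logging.maxSize']
    if ($size -lt $MinSizeBytes) { $findings += "maxSize $size is below $MinSizeBytes" }
    if ([bool]::Parse($Config['logging.retention']) -ne $Retention) {
        $findings += "retention is $($Config['logging.retention']), expected $Retention"
    }
    if ([bool]::Parse($Config['logging.autoBackup']) -ne $AutoBackup) {
        $findings += "autoBackup is $($Config['logging.autoBackup']), expected $AutoBackup"
    }
    if ($Config['enabled'] -ne 'true') { $findings += 'log is disabled' }
    return ,$findings
}

# Constructed sample: the Application log as shown in the tip, before 'wevtutil sl',
# with the indentation that wevtutil really prints under logging:/publishing:.
$sample = @'
name: Application
enabled: true
type: Admin
owningPublisher:
isolation: Application
channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\Application.evtx
  retention: false
  autoBackup: false
  maxSize: 20971520
publishing:
'@ -split "`r?`n"

# Report the deviations in the pre-change configuration.
$before = ConvertFrom-WevtLogConfig -Lines $sample
Test-WevtLogConfig -Config $before

# On a Windows host, apply the change from the tip and re-check the live log:
#   wevtutil sl Application /ms:104857600 /rt:true /ab:true
#   Test-WevtLogConfig -Config (Get-WevtLogConfig -LogName Application)
```

Run the script once before and once after the sl command; the second run should report nothing for the Application log, and the same Test-WevtLogConfig call can be looped over the names that wevtutil el returns to audit every log on a Server Core box against the baseline.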
You can query an event log for a specific event or type of event by using the qe (query-events) parameter. For example, to display the most recent two events in the System log in plain text format, use the /rd switch to set the read direction to True (meaning most recent events are returned first) as follows:
wevtutil qe System /c:2 /rd:true /f:text
To display the most recent critical (level=1) or error (level=2) event in the Operational log for Task Scheduler, use the /q switch to specify an XPath query for these types of events as follows:
wevtutil qe Microsoft-Windows-TaskScheduler/Operational "/q:*[System[(Level=1 or Level=2)]]" /c:1 /rd:true /f:text
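As an added example, not from the original tip, here is a small PowerShell wrapper around the /q: XPath filter used above. It builds the filter from a level list, an event ID list and a time window, runs the query exactly as the tip does, and exports the matching events to an .evtx file with wevtutil epl so that an incident's events can be archived with their metadata intact. The function names, the archive path and the 24-hour window are my assumptions; the timediff() function and the epl /q: and /ow: switches are standard wevtutil features.

```powershell
# Added example (not from the original tip): build wevtutil /q: XPath filters,
# query a log most-recent-first, and export the matches for archival.
# Function names and the archive path are assumptions; needs wevtutil.exe.

function New-WevtXPathQuery {
    param(
        [int[]]$Level,       # 1 = critical, 2 = error, 3 = warning, 4 = information
        [int[]]$EventId,
        [int]$LastHours      # 0 means no time restriction
    )
    $terms = @()
    if ($Level)   { $terms += '(' + (($Level   | ForEach-Object { "Level=$_" })   -join ' or ') + ')' }
    if ($EventId) { $terms += '(' + (($EventId | ForEach-Object { "EventID=$_" }) -join ' or ') + ')' }
    if ($LastHours -gt 0) {
        # timediff(@SystemTime) is evaluated by the Event Log service and yields milliseconds.
        $terms += "TimeCreated[timediff(@SystemTime) <= $($LastHours * 3600000)]"
    }
    if (-not $terms) { return '*' }
    return '*[System[' + ($terms -join ' and ') + ']]'
}

function Get-WevtEvents {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [string]$Query = '*',
        [int]$Count = 10,
        [ValidateSet('text','xml')][string]$Format = 'text'
    )
    # Same switches as the tip: /rd:true returns the most recent events first.
    & wevtutil.exe qe $LogName "/q:$Query" "/c:$Count" /rd:true "/f:$Format"
}

function Export-WevtEvents {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [Parameter(Mandatory)][string]$Path,
        [string]$Query = '*'
    )
    # epl writes a native .evtx that keeps every event's original metadata; /ow:true overwrites.
    & wevtutil.exe epl $LogName $Path "/q:$Query" /ow:true
    if ($LASTEXITCODE -ne 0) { throw "export of $LogName to $Path failed" }
}

# Usage: the tip's critical-or-error filter for Task Scheduler, narrowed to the last 24 hours.
$log = 'Microsoft-Windows-TaskScheduler/Operational'
$q   = New-WevtXPathQuery -Level 1,2 -LastHours 24
$q                                    # show the generated XPath before running it
Get-WevtEvents -LogName $log -Query $q -Count 1
Export-WevtEvents -LogName $log -Path 'C:\archive\tasksched-errors.evtx' -Query $q   # assumed path
```

Build the filter once and pass the same string to both qe and epl, so what you looked at on the console is exactly what lands in the archive file; the exported .evtx can later be read back with wevtutil qe by giving the file name together with /lf:true.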
For more information on how to do all these things, see my book Windows Server 2008 Server Core Administrator's Pocket Consultant from Microsoft Press.
If you have feedback concerning this tip, please email me. And be sure to check out my website!