Managing event logs from the command line

By /

You can use the Windows Events command-line utility Wevtutil to view and examine events locally from the command line. This can be useful if you are managing a Server Core computer from the command line. It can also be useful if you want to script the configuration of event logs or export log configurations for archival purposes. Here are some of the things you can do:

To list the names of all event logs on a system, use the el (enum-logs) with Wevtutil as follows:

wevtutil el

You can view the configuration of an event log, such as the maximum size of the log file, by using the gl (get-log) parameter. For example, to display the configuration of the Application log, do this:

wevtutil gl Application

name: Application

enabled: true

type: Admin

owningPublisher:

isolation: Application

channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)

logging:

logFileName: %SystemRoot%\System32\Winevt\Logs\Application.evtx

retention: false

autoBackup: false

maxSize: 20971520

publishing:

You can modify the configuration of a log file. For example, to increase the maximum size of the Application log to 100 megabytes (MB), enable retention so that the oldest events are dropped to make room for new events when the log becomes full, and automatically back up the log when it becomes full, type:

wevtutil sl Application /ms:104857600 /rt:true /ab:true

You can query an event log for a specific event or type of event by using the qe (query-events) parameter. For example, to display the most recent two events in the System log in plain text format, use the /rd switch to set the read direction to True (meaning most recent events are returned first) as follows:

wevtutil qe System /c:2 /rd:true /f:text

To display the most recent critical (level=1) or error (level=2) event in the Operational log for Task Scheduler, use the /q switch to specify an XPath query for these types of events as follows:

wevtutil qe Microsoft-Windows-TaskScheduler/Operational "/q:*[System[(Level=1 or Level=2)]]" /c:1 /rd:true /f:text

For more information on how to do all these things, see my book Windows Server 2008 Server Core Administrator's Pocket Consultant from Microsoft Press.

If you have feedback concerning this tip, please email me. And be sure to check out my website!

About The Author

Mitch Tulloch is Senior Editor of both WServerNews and FitITproNews and is a widely recognized expert on Windows Server and cloud technologies. He has written more than a thousand articles and has authored or been series editor for over 50 books for Microsoft Press and other publishers. Mitch has also been a twelve-time recipient of the Microsoft Most Valuable Professional (MVP) award in the technical category of Cloud and Datacenter Management. He currently runs an IT content development business in Winnipeg, Canada.

Read Next

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top