WELCOME TO SAIGONTECH FORUM - GO TO FORUM AND SHARE YOUR THOUGHT
Sunday, 2024-12-22, 0:32 AM
Event Log Management Command Line
weo | Date: Saturday, 2012-01-07, 7:19 PM | Message # 1
Colonel
Group: Moderators
Messages: 151
Reputation: 0
Status: Offline
Event Log Management:

First, open the Command Prompt (Start > Run > type cmd and press Enter) and look at the help for the WEVTUTIL.EXE utility:
C:\> WEVTUTIL /?
Windows Events Command Line Utility.
Enables you to retrieve information about event logs and publishers, install
and uninstall event manifests, run queries, and export, archive, and clear logs.
Usage:
You can use either the short (for example, ep / uni) or long (for example,
enum-publishers / unicode) version of the command and option names. Commands,
options and option values are not case-sensitive.
...
By default this command queries the log on the local computer; if you want to run it against a remote computer, add the /r option. However, the query can only be run against a single computer at a time. The basic WEVTUTIL syntax has the form:
C:\> WEVTUTIL QE <logname> <command parameters>
The following table lists the most frequently used parameters (Parameter, Description, Example):
/c:<count>                 Return the specified number of event log entries. If omitted, you get everything.                                  Example: /c:5
/rd:<true|false>           Reverse direction. By default the oldest entries are returned first; set this to true to get the newest entries first.   Example: /rd:true
/f:<text|xml|renderedxml>  The default output format is XML. Set this to text for easier-to-read output.                                        Example: /f:text
/r:<computername>          Specify the name of a remote computer.                                                                              Example: /r:server01
When connecting to a remote computer, the system uses the credentials of the current account; if you want to use different ones, use the following syntax:
/u:domain\username and /p:<password>
Putting all of this together, say you want to collect the five most recent entries from the System Event Log on the computer CHI-FP01:
C:\> WEVTUTIL QE System /c:5 /r:chi-fp01 /u:globomantics\administrator /p:* /f:text /rd:true

However, finding and understanding the entries in the log file is not simple, because the Windows Event Log requires the user to have some knowledge of XML. If you want specific items, you need to use the /q option, which takes an XPath query. Experienced users should use the following syntax form:
/q:"*[<logname>[(<xmlvalue>=<value>)]]"
The XML value here is the name of the XML node that selects the item to check:
C:\> WEVTUTIL QE System /c:1
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Winlogon' SystemTime='2010-03-31T18:35:42.122671900Z'/><EventRecordID>13218</EventRecordID><Correlation ActivityID='{67144949-5132-4859-8036-A737B43825D8}'/><Execution ProcessID='440' ThreadID='456'/><Channel>System</Channel><Computer>CLIENT1.jdhlab.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='TSID'>1</Data><Data Name='UserSid'>S-1-5-21-3957442467-353870018-3926547339-500</Data></EventData></Event>
Suppose we want to run a query for EventID 7036; the command is as shown below:
C:\> WEVTUTIL QE System /q:"*[System[(EventID=7036)]]" /c:5 /r:chi-fp01 /f:text /rd:true


In addition, another function that is frequently used when collecting entries is filtering by severity, such as Error or Warning. We can do this, but we must rely on the corresponding Level:
Level   Description
1       Critical
2       Error
3       Warning
4       Information
Thus, to get the five most recent errors that occurred in the System Event Log of the machine CHI-DC01, type the command:
C:\> WEVTUTIL QE System "/q:*[System[(Level=2)]]" /f:text /c:5 /rd:true /r:chi-dc01 | more
Or, to save it as a text file, redirect the output:
C:\> WEVTUTIL QE System "/q:*[System[(Level=2)]]" /f:text /c:5 /rd:true /r:chi-dc01 > d:\dc01-system-err.txt
Or to run something more complex:
C:\> WEVTUTIL QE System "/q:*[System[(Level=2 or Level=3)]]" /f:text /c:5 /rd:true /r:chi-dc01 | more
But you need to be careful here, because the letter case and the syntax must be absolutely accurate.
Advanced queries with the Event Viewer management console:

For complex queries, we should start the graphical Event Viewer management console and build the query there. Then look at the XML it produces and keep the necessary part for the command line. For frequently used queries, you should save the XML to a text file and then pass that file to the query. An example follows:
<QueryList>
<Query Id="0" Path="System">
<Select Path="System">*[System[Provider[@Name='Microsoft-Windows-EapHost' or @Name='Service Control Manager'] and (Level=1 or Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) &lt;= 604800000]]]</Select>
</Query>
</QueryList>
Copy and save this code into a text file; then we can use the query from the command line:
C:\> WEVTUTIL QE s:\scmquery.txt /sq:true /c:5 /f:text /r:chi-fp01
Here, instead of a log name, we explicitly specify the path to the XML query file and set the /sq parameter to true. If no event matches, the system returns no data at all. In the next article we will look further at how to manage the Event Log. I wish you success!
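The post shows the three query styles separately (ad hoc XPath with /q:, severity levels, and a saved structured query with /sq:true). The following PowerShell wrapper is an added example, not code from the original post or from Microsoft: it writes a structured-query XML file of the same shape as the one above from a provider list, a level list and a time window, and then runs wevtutil.exe qe against one or more computers, saving the text output per host. The function names, parameters and the output file naming are assumptions; wevtutil.exe is assumed to be on the PATH, the account running it is assumed to have read access to the remote logs, and the host names are the ones used in the post.

```powershell
# Added example (not from the original post): wrapper around wevtutil.exe qe.
# Assumptions: wevtutil.exe on PATH, read access to the target logs, and the
# function/parameter names below are hypothetical, not part of wevtutil itself.

function New-WevtStructuredQuery {
    param(
        [Parameter(Mandatory)] [string] $Path,      # XML file to write
        [string]   $LogName  = 'System',
        [string[]] $Provider = @(),                  # e.g. 'Service Control Manager'
        [int[]]    $Level    = @(1, 2, 3),           # 1=Critical 2=Error 3=Warning 4=Information
        [int]      $Days     = 7                     # timediff() compares in milliseconds
    )
    $clauses = @()
    if ($Provider.Count -gt 0) {
        $names = ($Provider | ForEach-Object { "@Name='$_'" }) -join ' or '
        $clauses += "Provider[$names]"
    }
    $clauses += '(' + (($Level | ForEach-Object { "Level=$_" }) -join ' or ') + ')'
    $clauses += 'TimeCreated[timediff(@SystemTime) <= {0}]' -f ([int64]$Days * 86400000)
    $xpath = '*[System[' + ($clauses -join ' and ') + ']]'

    # '<' is not legal inside XML element text, so escape the XPath before
    # embedding it (Event Viewer writes &lt;= in the same place).
    $escaped = [System.Security.SecurityElement]::Escape($xpath)
    $xml = @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">$escaped</Select>
  </Query>
</QueryList>
"@
    Set-Content -Path $Path -Value $xml
    return $xpath
}

function Invoke-WevtQuery {
    param(
        [Parameter(Mandatory)] [string] $Query,     # log name, or path of a structured query file
        [string]   $XPath,                          # ad hoc filter, e.g. '*[System[(EventID=7036)]]'
        [switch]   $Structured,                     # treat -Query as a file: adds /sq:true
        [string[]] $ComputerName = @('localhost'),
        [int]      $Count = 5,
        [string]   $UserName,                       # domain\user; the password is prompted via /p:*
        [string]   $OutDir = '.'
    )
    foreach ($computer in $ComputerName) {
        $argList = @('qe', $Query, "/c:$Count", '/rd:true', '/f:text')
        if ($XPath)      { $argList += "/q:$XPath" }
        if ($Structured) { $argList += '/sq:true' }
        if ($computer -ne 'localhost') { $argList += "/r:$computer" }
        # /p:* makes wevtutil prompt, which keeps the password out of the
        # command line and therefore out of process listings and shell history.
        if ($UserName)   { $argList += "/u:$UserName", '/p:*' }

        $label   = [IO.Path]::GetFileNameWithoutExtension($Query)
        $outFile = Join-Path $OutDir ('{0}-{1}.txt' -f $computer, $label)
        # Splatting the array passes each element as one argument, so the
        # spaces inside the XPath need no manual quoting.
        & wevtutil.exe @argList 2>&1 | Out-File -FilePath $outFile -Encoding utf8
        [pscustomobject]@{ Computer = $computer; Output = $outFile; ExitCode = $LASTEXITCODE }
    }
}

# Usage (host names as in the post):
# New-WevtStructuredQuery -Path .\scmquery.xml -Provider 'Service Control Manager','Microsoft-Windows-EapHost' -Level 1,2,3 -Days 7
# Invoke-WevtQuery -Query .\scmquery.xml -Structured -ComputerName chi-fp01 -Count 5
# Invoke-WevtQuery -Query System -XPath '*[System[(EventID=7036)]]' -ComputerName chi-fp01,chi-dc01
```

Because /p:* prompts on the console, run the wrapper interactively when passing -UserName; the returned objects carry wevtutil's exit code per host, so a non-zero value (for example when the remote log cannot be read) is visible without opening each output file.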
 
boblgoom | Date: Friday, 2016-05-06, 1:31 PM | Message # 2
Private
Group: Users
Messages: 1
Reputation: 0
Status: Offline
Event Log Explorer implements the ability to export data and generate reports. You can export the logs as a whole, combine several logs, all filtered events, or individual events, into Microsoft Excel, CSV text, HTML, etc. The report generator allows you to print various views of the event logs and create analytic reports. A built-in scheduler allows you to automate regular exports of data, including data pooled from different logs and filtered, and to print reports automatically.
You can buy it at http://eventlogxp.com/.
 
talabala2002 | Date: Wednesday, 2023-12-13, 4:09 PM | Message # 3
Private
Group: Users
Messages: 1
Reputation: 0
Status: Offline
My academy

Added (2023-12-13, 4:14 PM)
---------------------------------------------
The best scientific content

 