Today I would like to add a few words about evolution: the evolution of Windows event query tools. These CLI tools are very useful for every system administrator.
Stage 1 - Yesterday
So, if you remember, we began monitoring Windows events with Visual Basic Script. The first cool script from Microsoft was EVTQUERY.vbs; it can be found in the Windows Server 2003 OS.
With this script I could make queries very easily:
cscript EVTQUERY.vbs /FO LIST /V /L Application /FI "Type eq Error" /FI "Datetime eq 09/13/2007,01:00:00AM-09/13/2007,12:59:59PM"
cscript EVTQUERY.vbs /FO LIST /V /L Application /FI "Source eq DrWatson" /FI "Datetime eq 09/13/2007,01:00:00AM-09/13/2007,12:59:59PM"
cscript EVTQUERY.vbs /FO LIST /V /L Application /FI "Source eq SceCli" /FI "Datetime eq 09/13/2007,01:00:00AM-09/13/2007,12:59:59PM"
Or I could back up the whole event log file:
' Usage: cscript <script>.vbs /Host:<hostname>
' The WMI connection goes to the local machine; the /Host: value is used only to name the backup file.
strComputer = "."
Set objArgs = WScript.Arguments      ' Create the WshArguments object
Set objNamedArgs = objArgs.Named     ' Create the WshNamed object
HostName = objNamedArgs("Host")
' Backup and Security privileges are required to call BackupEventLog
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Backup, Security)}!\\" & _
    strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile where LogFileName='Application'")
For Each objLogFile In colLogFiles
    ' BackupEventLog writes the log to the given path (the d:\evt folder must exist) and returns 0 on success
    errBackupLog = objLogFile.BackupEventLog("d:\evt\" & HostName & "_app.evt")
    If errBackupLog <> 0 Then
        WScript.Echo "The Application eventlog could not be backed up."
    End If
Next
Stage 2 - Today
With Windows Server 2008 (or Windows 7) and later we have the Windows Events Command Line Utility, WEvtUtil.exe.
This utility enables you to retrieve information about event logs and publishers, install and uninstall event manifests, run queries, and export, archive, and clear logs.
For example, I can get status information about an event log or log file:
wevtutil gli Application
The following example displays the five most recent events from the Application log in text format:
wevtutil qe Application /c:5 /rd:true /f:text
Stage 3 - Tomorrow
And of course, the most famous CLI tool is PowerShell!
Really, I can get the list of all logs in the OS easily:
Get-Eventlog -list
Or I can get the last five Error events from the Application log:
Get-EventLog "Application" | Where-Object {$_.EntryType -eq "Error"} | Select-Object -First 5   # Get-EventLog returns the newest entries first
Do you remember my post about the long query? Here is one! It gives you what you wanted:
Get-EventLog System -Newest 250 | Sort Source |
Group EntryType,Source | Out-GridView -PassThru |   # -PassThru sends the groups you select in the grid down the pipeline
Select -ExpandProperty Group |
Format-Table -GroupBy Source -Property TimeGenerated,
Message -Wrap
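As an added example that is not part of the original post, here are the three EVTQUERY.vbs filters from Stage 1 (Type, Source, Datetime range) expressed with Get-EventLog, followed by a per-Source summary like the Stage 3 grouping and a wevtutil export of the whole log as in Stage 2. The function name, its parameters and the output paths are this example's own assumptions.

```powershell
# Added example, not the author's code: EVTQUERY.vbs-style filters via Get-EventLog.
function Get-FilteredEvents {
    param(
        [string]$LogName   = 'Application',
        [string]$EntryType = 'Error',                  # /FI "Type eq Error"
        [string]$Source,                               # /FI "Source eq DrWatson" (optional)
        [datetime]$After   = (Get-Date).AddDays(-1),   # /FI "Datetime eq start-end"
        [datetime]$Before  = (Get-Date)
    )
    # Hand the filters to Get-EventLog itself instead of reading the whole log
    # and filtering with Where-Object; on a large log that is much faster.
    $query = @{ LogName = $LogName; EntryType = $EntryType; After = $After; Before = $Before }
    if ($Source) { $query['Source'] = $Source }
    Get-EventLog @query
}

# The same three queries as the EVTQUERY.vbs calls, over the last 24 hours
$errors       = Get-FilteredEvents -LogName 'Application' -EntryType 'Error'
$fromDrWatson = Get-FilteredEvents -Source 'DrWatson'
$fromSceCli   = Get-FilteredEvents -Source 'SceCli'
"{0} error(s) total, {1} from DrWatson, {2} from SceCli" -f `
    @($errors).Count, @($fromDrWatson).Count, @($fromSceCli).Count

# Per-Source summary: which sources wrote the most errors (cf. the Stage 3 grouping)
$errors | Group-Object Source |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# Keep the matching events for later review (constructed output path)
$errors | Select-Object TimeGenerated, Source, EventID, Message |
    Export-Csv -Path "$env:TEMP\app_errors.csv" -NoTypeInformation

# Archive the whole Application log: the wevtutil counterpart of BackupEventLog (Stage 2)
wevtutil epl Application "$env:TEMP\$($env:COMPUTERNAME)_app.evtx"
```

Get-EventLog reads only the classic logs (Application, System, Security and similar); for the newer Windows event channels use wevtutil qe or Get-WinEvent instead.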
Good luck.