Wednesday, September 30, 2009

Query the Windows event logs via the command line

Today someone told me "You can find if bibblebob happened by looking in the event viewer". I automate things, so I went hunting for a CLI tool to accomplish this task. wevtutil is its name-o. The query language for wevtutil is confusing. I recommend using the eventvwr.exe GUI to build a custom query, and then passing that query to wevtutil. Here's an example that finds every time the DHCP client service started (System log, Event ID 50036, newest first):
C:\Windows\System32>wevtutil qe System /rd:true /f:text /q:"*[System[(EventID=50036)]]" |more
Event[0]:
  Log Name: System
  Source: Microsoft-Windows-Dhcp-Client
  Date: 2009-09-22T17:42:54.667
  Event ID: 50036
  Task: Service State Event
  Level: Information
  Opcode: ServiceStart
  Keyword: N/A
  User: S-1-5-19
  User Name: NT AUTHORITY\LOCAL SERVICE
  Computer: igordm1.redmond.corp.microsoft.com
  Description:
DHCPv4 client service is started

Event[1]:
  Log Name: System
  Source: Microsoft-Windows-Dhcp-Client
  Date: 2009-09-17T20:46:36.179
  Event ID: 50036
  Task: Service State Event
  Level: Information
  Opcode: ServiceStart
  Keyword: N/A
  User: S-1-5-19
  User Name: NT AUTHORITY\LOCAL SERVICE
  Computer: igordm1.redmond.corp.microsoft.com
  Description:
DHCPv4 client service is started
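The same query, automated. This is an added example and not part of the original post: it builds the XPath filter string in the form the Event Viewer filter dialog produces, assembles the wevtutil command line used above, and parses wevtutil's /f:text output into records so the timestamps can be checked in a script. The Provider and TimeCreated clauses are assumed from the XML that Event Viewer generates; the sample output embedded below is a constructed copy of the two DHCP events shown above, so the parser runs without Windows (only query_log needs wevtutil).

```python
"""Build wevtutil XPath filters and parse wevtutil /f:text output."""
import re
import subprocess
from typing import Dict, List, Optional


def build_xpath(event_ids: List[int], provider: Optional[str] = None,
                since_utc: Optional[str] = None) -> str:
    """Return an Event Log XPath filter of the kind Event Viewer's
    'Filter Current Log' dialog shows on its XML tab, e.g.
    *[System[Provider[@Name='X'] and (EventID=1 or EventID=2)]].
    since_utc is an ISO-8601 UTC timestamp like '2009-09-17T00:00:00.000Z'.
    """
    clauses = []
    if provider:
        clauses.append(f"Provider[@Name='{provider}']")
    if event_ids:
        clauses.append("(" + " or ".join(f"EventID={i}" for i in event_ids) + ")")
    if since_utc:
        clauses.append(f"TimeCreated[@SystemTime>='{since_utc}']")
    return "*[System[" + " and ".join(clauses) + "]]"


def wevtutil_argv(log: str, xpath: str, fmt: str = "text") -> List[str]:
    """argv for the command in the post: query events, newest first."""
    return ["wevtutil", "qe", log, "/rd:true", f"/f:{fmt}", f"/q:{xpath}"]


# Indented "Key: value" lines inside an Event[n] block.
_FIELD = re.compile(r"^\s+([A-Za-z ]+): ?(.*)$")


def parse_text_events(output: str) -> List[Dict[str, str]]:
    """Parse wevtutil /f:text output into one dict per event.
    Unindented lines after 'Description:' form the description body."""
    events: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    body: List[str] = []
    for line in output.splitlines():
        if line.startswith("Event["):
            if current is not None:
                current["Description"] = "\n".join(body).strip()
            current, body = {}, []
            events.append(current)
            continue
        if current is None:
            continue
        m = _FIELD.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
        elif line.strip():
            body.append(line.strip())
    if current is not None:
        current["Description"] = "\n".join(body).strip()
    return events


def start_times(events: List[Dict[str, str]], event_id: int) -> List[str]:
    """Sorted timestamps of every event with the given Event ID."""
    return sorted(e["Date"] for e in events if e.get("Event ID") == str(event_id))


def query_log(log: str, xpath: str) -> List[Dict[str, str]]:
    """Run wevtutil (Windows only) and return the parsed events."""
    proc = subprocess.run(wevtutil_argv(log, xpath), capture_output=True,
                          text=True, check=True)
    return parse_text_events(proc.stdout)


# Constructed sample: a copy of the two events printed in the post.
SAMPLE_OUTPUT = r"""Event[0]:
  Log Name: System
  Source: Microsoft-Windows-Dhcp-Client
  Date: 2009-09-22T17:42:54.667
  Event ID: 50036
  Task: Service State Event
  Level: Information
  Opcode: ServiceStart
  Keyword: N/A
  User: S-1-5-19
  User Name: NT AUTHORITY\LOCAL SERVICE
  Computer: igordm1.redmond.corp.microsoft.com
  Description:
DHCPv4 client service is started

Event[1]:
  Log Name: System
  Source: Microsoft-Windows-Dhcp-Client
  Date: 2009-09-17T20:46:36.179
  Event ID: 50036
  Task: Service State Event
  Level: Information
  Opcode: ServiceStart
  Keyword: N/A
  User: S-1-5-19
  User Name: NT AUTHORITY\LOCAL SERVICE
  Computer: igordm1.redmond.corp.microsoft.com
  Description:
DHCPv4 client service is started
"""

if __name__ == "__main__":
    print(" ".join(wevtutil_argv("System", build_xpath([50036]))))
    for ts in start_times(parse_text_events(SAMPLE_OUTPUT), 50036):
        print("DHCP client started:", ts)
```

On a Windows host, replace the SAMPLE_OUTPUT parse with query_log("System", build_xpath([50036])); the /f:xml output is easier to parse with an XML library, but the text form is what the post shows and what you get when piping through more.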
Good Hunting!
