Recipe 16.2. Viewing Events

Problem

You want to view events in an event log.

Solution

Using a graphical user interface

Open the Event Viewer (eventvwr.msc). To connect to a remote computer, in the left pane right-click the Event Viewer icon and select Connect to another computer.
In the left pane, click on the event log containing the events you want to view.
Double-click on an event you want to view in the right pane.

Using a command-line interface

You can use the following command to list the events in an event log. In this example, the last ten records from the Application log are displayed. Both commands have numerous other options to view events, so look at the help information for more.

> eventquery.vbs /s <ComputerName> /l <LogName> /R <MaxEvents>

For example:

> eventquery.vbs /s wks01 /l Application /R 10

Using downloadable software

The Sysinternals psloglist utility is similar to eventquery.vbs. Here is the basic syntax:

> psloglist \\<ComputerName> -n <MaxEvents> <LogName>

This example is functionally equivalent to the previous eventquery.vbs example:

> psloglist \\wks01 -n 10 Application

Both psloglist and eventquery.vbs have numerous other command line options. Check each command's Help information for the complete syntax.

Using VBScript

' This code displays events in an Event Log. ' ------ SCRIPT CONFIGURATION ------ strLog = "<LogName>"       ' e.g. Application intNum = <intMax>          ' e.g. 10  (Max number of events to display) strComputer = "<ComputerName>" ' e.g. wks01 (use "." for local machine) ' ------ END CONFIGURATION --------- set objWMI = GetObject("winmgmts:\\" & strComputer & "\root\cimv2") set colLogs = objWMI.ExecQuery("Select * from Win32_NTEventlogFile " & _                                " Where Logfilename = '" & strLog & "'") if colLogs.Count > 1 then    WScript.Echo "Fatal error.  Number of logs found: " & colLogs.Count    WScript.Quit end if for each objLog in colLogs    intLogMax = objLog.NumberofRecords next if intLogMax > intNum then    intNum = intLogMax - intNum else    intNum = intLogMax end if set colEvents = objWMI.ExecQuery("Select * from Win32_NTLogEvent " &                  "Where Logfile = '" & strLog & "' and RecordNumber >= " & intNum) for each objEvent in colEvents    Wscript.Echo "Date: " & objEvent.TimeWritten    Wscript.Echo "Source: " & objEvent.SourceName    Wscript.Echo "Category: " & objEvent.Category    Wscript.Echo "Type: " & objEvent.Type    Wscript.Echo "Event Code: " & objEvent.EventCode    Wscript.Echo "User: " & objEvent.User    Wscript.Echo "Computer: " & objEvent.ComputerName    Wscript.Echo "Message: " & objEvent.Message    WScript.Echo "------" next

Discussion

An event log message is composed of several fields. Here is an explanation of each field:

Date: Date the event occurred. Example: 3/15/2005
Time: Time the event occurred. Example: 12:09:23A.M.
Type: Information, Warning, or Error.
User: User account that caused the event to be generated (if applicable). Example: AMER\rallen
Computer: Computer the event was generated on. Example: RALLEN-WXP
Source: Application or process that generated the event. Example: Automatic Updates
Category: Used to classify events within a source. Example: Download
Event ID: Number that identifies the event within the source and category. Example: 2512
Description: Contents of the event message.