Recipe 8.9. Searching an Event Log on a Server

Problem

You want to search for events in a specific event log.

Solution

Using a graphical user interface

  1. Open the Event Viewer (eventvwr.msc).

  2. In the left pane, right-click on the event log you want to search and select Properties.

  3. Click the Filter tab.

  4. Enter the search criteria and click OK.

Another alternative for searching the event logs on a single host is the Event Comb utility, which I cover in Recipe 8.10.


Using a command-line interface

You can use the eventquery.vbs command on Windows Server 2003 to remotely query the event log of a server. The following command displays the last 10 events with event ID 105 on the host fs01:

> eventquery.vbs /S fs01 /R 10 /L Application /FI "ID eq 105"

On Windows 2000, you can use a combination of the elogdmp and findstr commands to find specific events. The following command displays events in the Application log that have the string 105 somewhere in the event (it could be in the description, the event ID, etc.):

> elogdmp server01 Application | findstr 105

This may match more than you want, but because the output of elogdmp is comma-delimited, you can adjust the string you pass to findstr to improve your odds of returning exactly what you want. For example:

> elogdmp server01 Application | findstr ",105,"
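
The difference between the two findstr searches, and what parsing the fields adds, shown as an added example that is not from the book. The sample lines are constructed, and their column order is an assumption for illustration, not elogdmp's documented layout.

```python
import csv
import io

# Constructed sample lines in a comma-delimited layout. The column order
# (date, time, type, source, event ID, category, description) is an assumption
# for this example, not elogdmp's documented format.
SAMPLE = '''\
3/14/2005,10:02:11,Information,AppSvc,105,0,Service started
3/14/2005,10:05:40,Warning,AppSvc,1105,0,Retry limit reached
3/14/2005,10:07:02,Error,NetMon,2004,105,Link down on port 3
3/14/2005,10:09:15,Information,Backup,8001,0,"Copied 3,105,221 bytes"
3/14/2005,10:11:30,Error,AppSvc,105,2,"Failed after 105 attempts"
'''

EVENT_ID_COLUMN = 4  # assumed zero-based position of the event ID


def substring_match(text, needle):
    """Equivalent of `findstr 105`: any line containing the string."""
    return [ln for ln in text.splitlines() if needle in ln]


def delimited_match(text, needle):
    """Equivalent of `findstr ",105,"`: the string between two commas."""
    return [ln for ln in text.splitlines() if f",{needle}," in ln]


def field_match(text, event_id, column=EVENT_ID_COLUMN):
    """Parse each record and compare only the event ID column."""
    hits = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) > column and row[column].strip() == str(event_id):
            hits.append(row)
    return hits


if __name__ == "__main__":
    for name, result in (("substring", substring_match(SAMPLE, "105")),
                         ("delimited", delimited_match(SAMPLE, "105")),
                         ("field", field_match(SAMPLE, 105))):
        print(f"{name}: {len(result)} line(s)")
```

On the sample, the plain substring search returns all five lines, the comma-anchored search still returns the lines where 105 is a category or part of a quoted number, and only the parsed comparison returns the two events whose ID is 105.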

Using VBScript

' This code searches for events matching the specified criteria.
' ------ SCRIPT CONFIGURATION ------
intEventCode = <EventID>            ' Event ID to match; e.g., 105
strLog       = "<EventLogName>"     ' Event log name; e.g., Application
intMaxNum    = <MaxNumberOfEvents>  ' Max events to return (0 for all)
strServer    = "<ServerName>"       ' Use "." for local server
' ------ END CONFIGURATION ---------

set objWMI = GetObject("winmgmts:\\" & strServer & "\root\cimv2")
set colEvents = objWMI.ExecQuery("Select * from Win32_NTLogEvent " & _
                                 " Where Logfile = '" & strLog & "'" & _
                                 " and EventCode = " & intEventCode)
count = 0
for each objEvent in colEvents
   Wscript.Echo "Date: " & objEvent.TimeWritten
   Wscript.Echo "Source: " & objEvent.SourceName
   Wscript.Echo "Category: " & objEvent.Category
   Wscript.Echo "Type: " & objEvent.Type
   Wscript.Echo "Event Code: " & objEvent.EventCode
   Wscript.Echo "User: " & objEvent.User
   Wscript.Echo "Computer: " & objEvent.ComputerName
   Wscript.Echo "Message: " & objEvent.Message
   WScript.Echo "------"
   WScript.Echo
   count = count + 1
   if intMaxNum > 0 and count >= intMaxNum then
      WScript.Echo "Reached maximum threshold...exiting"
      exit for
   end if
next

Discussion

The solutions in this recipe describe how to search events on a single server. If you want to search for events across multiple servers at the same time, look at Recipe 8.10.



Windows Server Cookbook
Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
EAN: 2147483647
Year: 2006
Pages: 380
Authors: Robbie Allen
