Viewing and Filtering Event Logs




You can view events recorded in the Windows event logs using the Eventquery utility. Eventquery flags set the format of the output, control the level of detail, and allow you to use filters to include or exclude events from the result set. When working with Eventquery, don’t overlook the power of automation. You don’t have to run the command manually each time. Instead, you can create a script to query the event logs on multiple systems and then save the results to a file. If you copy that file to a published folder on an intranet server, you can use your Web browser to examine event listings. Not only will that save you time, it will give you a single location for examining event logs and determining if there are issues that require further study.

Viewing Events and Formatting the Output

The basic syntax for Eventquery is

eventquery /l "LogName" 

where LogName is the name of the log you want to work with, such as “Application,” “System,” or “Directory Service.” In this example, you examine the Application log:

eventquery /l "Application"

The output of this query would look similar to the following:

-------------------------------------------------------------------------------
Listing the events in 'application' log of host 'MAILER1'
-------------------------------------------------------------------------------
Type           Event    Date Time                 Source               ComputerName
-------------  -------  ------------------------  -------------------  ------------
Warning        9220     5/19/2004 4:38:01 PM      MSExchangeMTA        MAILER1
Information    1001     5/19/2004 4:28:50 PM      MSExchangeIS         MAILER1
Information    9600     5/19/2004 4:28:50 PM      MSExchangeIS         MAILER1
Information    9523     5/19/2004 4:28:50 PM      MSExchangeIS Publ    MAILER1
Information    9523     5/19/2004 4:28:49 PM      MSExchangeIS Mail    MAILER1
Information    9523     5/19/2004 4:28:48 PM      MSExchangeIS Publ    MAILER1
Information    9523     5/19/2004 4:28:47 PM      MSExchangeIS Mail    MAILER1
Information    9523     5/19/2004 4:28:46 PM      MSExchangeIS Mail    MAILER1
Information    3000     5/19/2004 4:28:45 PM      MSExchangeIS Publ    MAILER1
Information    1133     5/19/2004 4:28:41 PM      MSExchangeIS Publ    MAILER1

As you can see, the output shows the Type, Event, Date Time, Source, and ComputerName properties of events. Using the /V (verbose) option, you can add category, user, and description properties to the output. Thus, if you wanted a verbose view of the application log, you’d use the command:

eventquery /l "Application" /v

Note

Technically, the quotation marks are necessary only when the log name contains a space, as is the case with the DNS Server, Directory Service, and File Replication Service logs. However, I recommend using the quotation marks all the time; that way, you won’t forget them when they are needed and they won’t cause your scripts or scheduled tasks to fail.

Tip

Unlike previous command-line utilities that we’ve worked with, Eventquery is implemented as a Windows script. If this is your first time working with Windows scripts from the system’s command line, or you’ve configured WScript as the primary script host, you will need to set CScript as the default script host. You do this by typing cscript //h:cscript //s at the command prompt. This is necessary because you want to work with the command line rather than with the GUI.

Real World

The script host is set on a per-user basis, and if you are running a script as a specific user, that user might not have CScript configured as the default script host. An effective workaround for this is to enter cscript //h:cscript //s as a line of the script and then enter your event queries.

Eventquery runs by default on the local computer with the permissions of the user who is currently logged on. As necessary, you can also specify the remote computer whose event logs you want to query and the Run As permissions by using the expanded syntax, which includes the following parameters:

/s Computer /u [Domain\]User [/p Password]

where Computer is the remote computer name or IP address, Domain is the optional domain name in which the user account is located, User is the name of the user account whose permissions you want to use, and Password is the optional password for the user account. For example, if you wanted to examine directory service events on MAILER1 using the Adatam\WRStanek account, you could use the following command:

eventquery /l "Directory Service" /s Mailer1 /u Adatam\WRStanek

Note

If you don’t specify the domain, the current domain is assumed. If you don’t provide the account password, you are prompted for the password.

The syntax can be extended to include the following format options as well:

  • /Nh: Removes the heading row from the output of Table- or CSV-formatted data.

  • /Fo Format: Changes the output format, which by default is table (/Fo Table). Use /Fo Csv to format the output as comma-separated values. Use /Fo List to format the output as a list.

Where Eventquery gets interesting is in the range and filter facilities. With ranges, you can view

  • The N most recent events: Type /r N, where N is the number of recent events to view, such as /r 50 for the 50 most recent events.

  • The N oldest events: Type /r -N, where N is the number of oldest events to view, such as /r -50 for the 50 oldest events.

  • Events from N1 to N2: Type /r N1-N2, where N1 is the first event and N2 is the last event to view, with 1 being the most recent event recorded, 2 being the next previous event recorded, and so on. For example, to see events 10 to 20 you’d use /r 10-20.

Techniques for filtering events are discussed in the next section.

Filtering Events

One of the key reasons for using Eventquery is its ability to use filters to include or exclude events from the result set. Typically, you won’t want to see every event generated on a system. More often, you will want to see only warnings or critical errors, and that is precisely what filters are for. Using filters, you can include only events that match the criteria you specify.

Any of the information fields available can be filtered, even if the information field is only listed with the verbose flag (/V) and you haven’t specified the verbose flag for the current command. This means you can filter events by type, date time, source, computer name, event ID, category, and user.

You designate how a filter should be applied to a particular Eventquery information field using filter operators. The filter operators available are

  • Eq: Equals. If the field contains the specified value, the event is included in the output.

  • Ne: Not equals. If the field contains the specified value, the event is excluded from the output.

  • Gt: Greater than. If the field contains a numeric value and that value is greater than the value specified, the event is included in the output.

  • Lt: Less than. If the field contains a numeric value and that value is less than the value specified, the event is included in the output.

  • Ge: Greater than or equal to. If the field contains a numeric value and that value is greater than or equal to the value specified, the event is included in the output.

  • Le: Less than or equal to. If the field contains a numeric value and that value is less than or equal to the value specified, the event is included in the output.

As Table 6-1 shows, the values that can be used with filter operators depend on the event information field you are filtering on. Again, remember that all fields are available for filtering even if they aren’t normally displayed with the parameters you’ve specified. For example, you can match the category field without using the /V (verbose) flag.

Table 6-1: Filter Operators and Valid Values for Eventquery

Filter Field Name  Valid Operators         Valid Values
-----------------  ----------------------  -------------------------------------------------------------------
Category           eq, ne                  Any valid string of characters.
Computer           eq, ne                  Any valid string of characters.
Datetime           eq, ne, gt, lt, ge, le  Any valid time in the format mm/dd/yy,hh:mm:ssAM or mm/dd/yy,hh:mm:ssPM.
ID                 eq, ne, gt, lt, ge, le  Any valid positive integer, up to 65,535.
Source             eq, ne                  Any valid string of characters.
Type               eq, ne                  Information, Warning, Error, SuccessAudit, FailureAudit.
User               eq, ne                  Any valid user name, with user name only or in domain\user format.

Quotation marks must be used to enclose the filter string. Consider the following examples to see how filters can be used:

Look for error events in the application log:

eventquery /l "application" /fi "type eq error"

Look for system log events on MAILER1 that occurred after midnight on 05/06/04 (the field name is datetime, as listed in Table 6-1):

eventquery /s Mailer1 /l "system" /fi "datetime gt 05/06/04,00:00:00AM"

Look for DNS server log errors on MAILER1 with event ID 4004:

eventquery /s Mailer1 /l "dns server" /fi "id eq 4004"

Enter multiple /Fi parameters to specify that output must match against multiple filters:

eventquery /l "system" /fi "datetime gt 05/06/04,00:00:00AM" /fi "type eq error"

Here, Eventquery would examine the system log for error events that were created after midnight on 05/06/04. Keep in mind that multiple filters are combined: an event must match every filter to be listed. You can’t specify that you want to see both error and warning events using a single command line; you would need to enter two different commands, one with /Fi "type eq error" and the other with /Fi "type eq warning".

However, if you are working with a log other than security (in which only success audit and failure audit events are logged), you can simply specify that you don’t want to see informational events. That way, you will only see warning and error events as shown in the following example:

eventquery /l "system" /fi "type ne information"
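The filter rules above (Table 6-1 and the examples that follow it) are easy to get wrong when scripting: ordering operators are valid only on datetime and ID, string matches are case-insensitive, several /Fi parameters are ANDed, and the datetime value uses the mm/dd/yy,hh:mm:ssAM form. The following Python script, added here as an illustration and not part of the book or of eventquery itself, reproduces those rules over a constructed sample of /Fo Csv /V output, so the filter logic can be checked offline before it is put in a scheduled task. The CSV column names (Type, Event, Date Time, Source, ComputerName, Category, User) are an assumption about eventquery's CSV header; the records are constructed, not captured.

```python
"""Evaluate Eventquery-style /Fi filters against /Fo Csv output (added example)."""
import csv
import io
import operator
from datetime import datetime

# Filter field names from Table 6-1, mapped to the output column they test.
# The column names are an assumption about eventquery's CSV header.
FIELDS = {
    "type": "Type",
    "id": "Event",
    "datetime": "Date Time",
    "source": "Source",
    "computer": "ComputerName",
    "category": "Category",
    "user": "User",
}
OPS = {"eq": operator.eq, "ne": operator.ne, "gt": operator.gt,
       "lt": operator.lt, "ge": operator.ge, "le": operator.le}
ORDERED_FIELDS = {"datetime", "id"}  # the only fields Table 6-1 allows gt/lt/ge/le on

# Constructed sample in the shape of `eventquery /l "Application" /fo csv /v` output.
SAMPLE_CSV = """\
"Type","Event","Date Time","Source","ComputerName","Category","User"
"Warning","9220","5/19/2004 4:38:01 PM","MSExchangeMTA","MAILER1","None","N/A"
"Information","1001","5/19/2004 4:28:50 PM","MSExchangeIS","MAILER1","None","N/A"
"Error","4004","5/19/2004 3:10:12 AM","DNS","MAILER1","None","N/A"
"Error","9523","5/18/2004 11:59:59 PM","MSExchangeIS Publ","MAILER1","None","N/A"
"""


def parse_filter_datetime(text):
    """Parse the mm/dd/yy,hh:mm:ssAM|PM form used in /Fi values.

    Written by hand because the page's own example "00:00:00AM" (midnight)
    uses hour 00, which strptime's %I does not accept.
    """
    date_part, time_part = text.strip().split(",")
    meridiem = time_part[-2:].upper()
    if meridiem not in ("AM", "PM"):
        raise ValueError(f"time must end in AM or PM: {text!r}")
    hour, minute, second = (int(x) for x in time_part[:-2].split(":"))
    if meridiem == "PM" and hour < 12:
        hour += 12
    if meridiem == "AM" and hour == 12:
        hour = 0
    month, day, year = (int(x) for x in date_part.split("/"))
    if year < 100:  # two-digit years, as in Table 6-1
        year += 2000
    return datetime(year, month, day, hour, minute, second)


def parse_record_datetime(text):
    """Parse the 'm/d/yyyy h:mm:ss AM' form eventquery prints in its output."""
    return datetime.strptime(text.strip(), "%m/%d/%Y %I:%M:%S %p")


def parse_filter(expr):
    """Turn 'field op value' into a validated (field, op, value) triple."""
    parts = expr.strip().split(None, 2)
    if len(parts) != 3:
        raise ValueError(f"filter must be 'field operator value': {expr!r}")
    field, op, value = parts[0].lower(), parts[1].lower(), parts[2]
    if field not in FIELDS:
        raise ValueError(f"unknown filter field: {field!r}")
    if op not in OPS:
        raise ValueError(f"unknown operator: {op!r}")
    if op not in ("eq", "ne") and field not in ORDERED_FIELDS:
        raise ValueError(f"{op} is only valid for datetime and id, not {field}")
    return field, op, value


def is_valid_filter(expr):
    try:
        parse_filter(expr)
        return True
    except ValueError:
        return False


def _matches_one(record, field, op, value):
    actual = record[FIELDS[field]]
    if field == "id":
        left, right = int(actual), int(value)
    elif field == "datetime":
        left, right = parse_record_datetime(actual), parse_filter_datetime(value)
    else:  # string fields compare case-insensitively ("type eq error" matches "Error")
        left, right = actual.strip().lower(), value.strip().lower()
    return OPS[op](left, right)


def query(csv_text, filter_exprs):
    """Return the records that satisfy every filter (multiple /Fi are ANDed)."""
    filters = [parse_filter(f) for f in filter_exprs]
    rows = csv.DictReader(io.StringIO(csv_text))
    return [row for row in rows if all(_matches_one(row, *f) for f in filters)]


def event_ids(csv_text, filter_exprs):
    return [int(r["Event"]) for r in query(csv_text, filter_exprs)]


if __name__ == "__main__":
    for exprs in (["type ne information"],
                  ["datetime gt 05/19/04,00:00:00AM", "type eq error"]):
        print(exprs, "->", event_ids(SAMPLE_CSV, exprs))
```

Note the midnight case: "00:00:00AM" is accepted here as hour 0, matching the page's example, and a filter such as "source gt MSExchangeIS" is rejected up front rather than silently matching nothing.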

You can automate the event querying process by creating a script that obtains the event information you want to see and then writes it to a text file. Consider the following example:

@echo off
eventquery /s Mailer1 /l "system" /r 100 /fi "type ne information" > \\CorpIntranet01\www\currentlog.txt
eventquery /s Mailer1 /l "application" /r 100 /fi "type ne information" >> \\CorpIntranet01\www\currentlog.txt
eventquery /s Mailer1 /l "directory service" /r 100 /fi "type ne information" >> \\CorpIntranet01\www\currentlog.txt

Here, you are examining the system, application and directory service event logs on MAILER1 and writing any resulting output to a network share on CorpIntranet01. If any of the named logs have warning or error events among the 100 most recent events in the logs, the warnings or errors are written to the Currentlog.txt file. Because the first redirection is overwrite (>) and the remaining entries are append (>>), any existing Currentlog.txt file is overwritten each time the script runs. This ensures only current events are listed. To take the automation process a step further, you can create a scheduled task that runs the script each day or at specific intervals during the day.
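The batch script above has one weak spot for anyone relying on the published file: if the remote query for one log fails (host unreachable, wrong credentials), the redirection still runs and the report is silently short. The following Python script, added here as an illustration and not part of the book, collects the same three queries but builds each command as an argument list (so a log name with a space is quoted for you), keeps the CSV heading only from the first query by passing /nh to the rest, and overwrites the report only when every query succeeded. The path to eventquery.vbs, the host name and the share are assumptions; the runner argument exists so the collection logic can be exercised without a Windows host.

```python
"""Collect filtered eventquery output from several logs into one report (added example)."""
import subprocess
from pathlib import Path

# Assumption: eventquery is the eventquery.vbs script in System32, run explicitly
# under cscript so the current user's default script host does not matter.
EVENTQUERY_VBS = r"C:\Windows\System32\eventquery.vbs"


def build_command(host, log, recent=100, filters=("type ne information",),
                  user=None, no_header=False):
    """Build the argument list for one query.

    Arguments are passed as a list, so a log name such as "directory service"
    is quoted for the command line by subprocess itself.
    """
    cmd = ["cscript", "//nologo", EVENTQUERY_VBS,
           "/s", host, "/l", log, "/r", str(recent), "/fo", "csv"]
    if no_header:
        cmd.append("/nh")
    for expr in filters:
        cmd += ["/fi", expr]
    if user:
        cmd += ["/u", user]  # the password is prompted for, as the page notes
    return cmd


def _run_eventquery(cmd):
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode, proc.stdout


def collect_csv(host, logs, runner=_run_eventquery):
    """Query each log; keep the CSV heading from the first query only.

    Returns (csv_text, failed_logs). If any query fails, csv_text is None so
    that a partially collected report is never mistaken for a complete one.
    """
    chunks, failed = [], []
    for index, log in enumerate(logs):
        rc, out = runner(build_command(host, log, no_header=index > 0))
        if rc != 0:
            failed.append(log)
        else:
            chunks.append(out)
    if failed:
        return None, failed
    return "".join(chunks), failed


def write_report(host, logs, out_path, runner=_run_eventquery):
    """Overwrite out_path only when every log was collected: the same
    overwrite semantics as the page's script, but as one write at the end."""
    text, failed = collect_csv(host, logs, runner)
    if text is not None:
        Path(out_path).write_text(text)
    return failed


if __name__ == "__main__":
    # Hypothetical host and share, as on the page.
    failed = write_report("Mailer1", ["system", "application", "directory service"],
                          r"\\CorpIntranet01\www\currentlog.txt")
    if failed:
        print("queries failed for:", ", ".join(failed))
```

Run from a scheduled task under cscript-less conditions this still works, because cscript is invoked explicitly; a non-empty list of failed logs is the signal to alert on rather than publishing a stale or partial currentlog.txt.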






Microsoft Windows Command-Line Administrator's Pocket Consultant
ISBN: 0735620385
Year: 2004
Pages: 114
