A Hidden Gem

I often trouble shoot remote systems and in some environments and domains, viewing the EventLog thru MMC can be problematic.  In one particular environment, MMC will timeout or even hang 3 out of 4 tries.  While working on a better solution for historical tracking, I stumbled across a hidden gem.  It’s WEVTUTIL.EXE and it comes with your OS.  I found that it always worked in my problem environment.  Documentation is pretty sparse but there are some good blog posts out there.  The one that will give you the most trouble is the query string but once you understand it’s pretty much an XML query, you’ve got it licked.  Here are a couple of handy examples:

Look for any ‘MyService’ events that happened on 9/13 on MyServer1

wevtutil qe Application /q:"*[System[Provider[@Name=’MyService’] and TimeCreated[@SystemTime >= ‘2010-09-13T00:00:00.000Z’ and @SystemTime < ‘2010-09-14T00:00:00.000Z’]]]" /r:MyServer1

Look for any error EventLog entries in the past 24 hours on MyServer2

wevtutil qe Application /q:"*[System[TimeCreated[timediff(@SystemTime) <= 86400000]]]" /r:MyServer2

Note that you must have EventLog read permissions on the target servers.  I’m not sure why this works and MMC does not but it got me out of the weeds.  You can always wrap the call in PowerShell and parse or reformat the output.

Happy Coding!

Advertisements
This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s