Wednesday, 2 July 2014

Viewing and Filtering Event Logs Using Command Prompt

Viewing and Filtering Event Logs

You can view events recorded in the Windows event logs using the Eventquery utility. Eventquery flags set the format of the output, control the level of detail, and allow you to use filters to include or exclude events from the result set. When working with Eventquery, don’t overlook the power of automation. You don’t have to run the command manually each time. Instead, you can create a script to query the event logs on multiple systems and then save the results to a file. If you copy that file to a published folder on an intranet server, you can use your Web browser to examine event listings. Not only will that save you time, it will give you a single location for examining event logs and determining if there are issues that require further study.

Viewing Events and Formatting the Output

The basic syntax for Eventquery is
eventquery /l "LogName"
where LogName is the name of the log you want to work with, such as “Application,” “System,” or “Directory Service.” In this example, you examine the Application log:
eventquery /l "Application"
The output of this query would look similar to the following:
-------------------------------------------------------------------------------
Listing the events in 'application' log of host 'MAILER1'
-------------------------------------------------------------------------------
Type Event Date Time Source ComputerName
------------- ------- ------------------------ ------------------- ------------
Warning 9220 5/19/2004 4:38:01 PM MSExchangeMTA MAILER1
Information 1001 5/19/2004 4:28:50 PM MSExchangeIS MAILER1
Information 9600 5/19/2004 4:28:50 PM MSExchangeIS MAILER1
Information 9523 5/19/2004 4:28:50 PM MSExchangeIS Publ MAILER1
Information 9523 5/19/2004 4:28:49 PM MSExchangeIS Mail MAILER1
Information 9523 5/19/2004 4:28:48 PM MSExchangeIS Publ MAILER1
Information 9523 5/19/2004 4:28:47 PM MSExchangeIS Mail MAILER1
Information 9523 5/19/2004 4:28:46 PM MSExchangeIS Mail MAILER1
Information 3000 5/19/2004 4:28:45 PM MSExchangeIS Publ MAILER1
Information 1133 5/19/2004 4:28:41 PM MSExchangeIS Publ MAILER1
As you can see, the output shows the Type, Event, Date Time, Source, and ComputerName properties of events. Using the /V (verbose) option, you can add category, user, and description properties to the output. Thus, if you wanted a verbose view of the application log, you’d use the command:
eventquery /l "Application" /v
Note 
Technically, the quotation marks are necessary only when the log name contains a space, as is the case with the DNS Server, Directory Service, and File Replication Service logs. However, I recommend using the quotation marks all the time; that way, you won’t forget them when they are needed and they won’t cause your scripts or scheduled tasks to fail.
Tip 
Unlike previous command-line utilities that we’ve worked with, Eventquery is configured as a Windows script. If this is your first time working with Windows scripts from the system’s command line or you’ve configured WScript as the primary script host, you will need to set CScript as the default script host. You do this by typing cscript //h:cscript //s at the command prompt. This is necessary because you want to work with the command line rather than with the GUI.
Real World 
The script host is set on a per-user basis, and if you are running a script as a specific user, that user might not have CScript configured as the default script host. An effective workaround for this is to enter cscript //h:cscript //s as a line of the script and then enter your event queries.
Eventquery runs by default on the local computer with the permissions of the user who is currently logged on. As necessary, you can also specify the remote computer whose events you want to query and the Run As permissions by using the expanded syntax, which includes the following parameters:
/s Computer /u [Domain\]User [/p Password]
where Computer is the remote computer name or IP address, Domain is the optional domain name in which the user account is located, User is the name of the user account whose permissions you want to use, and Password is the optional password for the user account. For example, if you wanted to examine directory service events on MAILER1 using the Adatam\WRStanek account, you could use the following command:
eventquery /l "Directory Service" /s Mailer1 /u Adatam\WRStanek
Note 
If you don’t specify the domain, the current domain is assumed. If you don’t provide the account password, you are prompted for the password.
The syntax can be extended to include the following format options as well:
  • /Nh  Removes the heading row from the output of Table- or CSV-formatted data.
  • /Fo Format  Changes the output format, which by default is table (/Fo Table). Use /Fo Csv to format the output as comma-separated values. Use /Fo List to format the output as a list.
Where Eventquery gets interesting is in the range and filter facilities. With ranges, you can view
  • The N most recent events  Type /r N where N is the number of recent events to view, such as /r 50 for the 50 most recent events.
  • The N oldest events  Type /r -N where -N is the number of the oldest events to view, such as /r -50 for the 50 oldest events.
  • Events from N1 to N2  Type /r N1-N2 where N1 is the first event and N2 is the last event to view, with 1 being the most recent event recorded, 2 being the next previous event recorded, and so on. For example, to see events 10 to 20 you’d use /r 10-20.

Filtering Events

One of the key reasons for using Eventquery is its ability to use filters to include or exclude events from the result set. Typically, you won’t want to see every event generated on a system. More often, you will want to see only warnings or critical errors, and that is precisely what filters are for. Using filters, you can include only events that match the criteria you specify.
Any of the information fields available can be filtered, even if the information field is only listed with the verbose flag (/V) and you haven’t specified the verbose flag for the current command. This means you can filter events by type, date time, source, computer name, event ID, category, and user.
You designate how a filter should be applied to a particular Eventquery information field using filter operators. The filter operators available are
  • Eq  Equals. If the field contains the specified value, the event is included in the output.
  • Ne  Not equals. If the field contains the specified value, the event is excluded from the output.
  • Gt  Greater than. If the field contains a numeric value and that value is greater than the value specified, the event is included in the output.
  • Lt  Less than. If the field contains a numeric value and that value is less than the value specified, the event is included in the output.
  • Ge  Greater than or equal to. If the field contains a numeric value and that value is greater than or equal to the value specified, the event is included in the output.
  • Le  Less than or equal to. If the field contains a numeric value and that value is less than or equal to the value specified, the event is included in the output.
As Table 6-1 shows, the values that can be used with filter operators depend on the event information field you are using. Again remember that all fields are available even if they aren’t normally displayed with the parameters you’ve specified. For example, you can match the status field without using the /V (verbose) flag.
Table 6-1: Filter Operators and Valid Values for Eventquery

Filter Field Name   Valid Operators           Valid Values
Category            eq, ne                    Any valid string of characters.
Computer            eq, ne                    Any valid string of characters.
Datetime            eq, ne, gt, lt, ge, le    Any valid time in the format mm/dd/yy, hh:mm:ssAM or mm/dd/yy, hh:mm:ssPM.
ID                  eq, ne, gt, lt, ge, le    Any valid positive integer, up to 65,535.
Source              eq, ne                    Any valid string of characters.
Type                eq, ne                    Information, Warning, Error, SuccessAudit, FailureAudit.
User                eq, ne                    Any valid user name, with user name only or in domain\user format.
Quotation marks must be used to enclose the filter string. Consider the following examples to see how filters can be used:
Look for error events in the application log:
eventquery /l "application" /fi "type eq error"
Look for system log events on MAILER1 that occurred after midnight on 05/06/04:

eventquery /s Mailer1 /l "system" /fi "date gt 05/06/04,00:00:00AM"
Look for DNS server log errors on MAILER1 with event ID 4004:
eventquery /s Mailer1 /l "dns server" /fi "id eq 4004"
Enter multiple /Fi parameters to specify that output must match against multiple filters:
eventquery /l "system" /fi "date gt 05/06/04,00:00:00AM" /fi "type eq error"
Here, Eventquery would examine the system logs for error events that were created after midnight on 05/06/04. Keep in mind that filters are mutually exclusive. You can’t specify that you want to see both error and warning events using a single command line. You would need to enter two different commands. One with /Fi “type eq error” and the other with /Fi “type eq warning.”
However, if you are working with a log other than security (in which only success audit and failure audit events are logged), you can simply specify that you don’t want to see informational events. That way, you will only see warning and error events as shown in the following example:
eventquery /l "system" /fi "type ne information"
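The filter rules above (one field, one operator, one value per /Fi; several /Fi parameters ANDed; eq/ne only on string fields; numeric comparison on ID and chronological comparison on the date) can be applied offline to saved /Fo Csv output, which is handy when a collected currentlog.txt needs a second pass. The following is an added example and not code from the original page; the CSV rows are constructed to mirror the column headings shown earlier, and accepting "date" as an alias of "datetime" (as the page's own examples do) is an assumption.

```python
"""Offline re-implementation of Eventquery /Fi filter semantics over /Fo Csv
output. Added example; constructed sample data, not real event records."""
import csv
import datetime as dt
import io
import operator

# Constructed sample shaped like `eventquery /l "application" /fo csv` output.
SAMPLE_CSV = """\
"Type","Event","Date Time","Source","ComputerName"
"Warning","9220","5/19/2004 4:38:01 PM","MSExchangeMTA","MAILER1"
"Error","4004","5/20/2004 1:02:15 AM","DNS","MAILER1"
"Information","1001","5/19/2004 4:28:50 PM","MSExchangeIS","MAILER1"
"Error","9646","5/6/2004 12:00:05 AM","MSExchangeIS","MAILER1"
"""

OPS = {"eq": operator.eq, "ne": operator.ne, "gt": operator.gt,
       "lt": operator.lt, "ge": operator.ge, "le": operator.le}
# Filter field -> CSV column. "date" as an alias of "datetime" is an assumption.
FIELDS = {"type": "Type", "id": "Event", "datetime": "Date Time",
          "date": "Date Time", "source": "Source", "computer": "ComputerName"}
ORDERED = ("Event", "Date Time")  # only these allow gt/lt/ge/le (Table 6-1)

def parse_when(text):
    """Accepts the filter form 05/06/04,00:00:00AM and the output form
    5/19/2004 4:38:01 PM. A 00 or 12 hour with AM is midnight; two-digit
    years are assumed to be 20yy."""
    date, clock = text.replace(",", " ").split(None, 1)
    ampm = clock[-2:].upper()
    hh, mm, ss = (int(x) for x in clock[:-2].strip().split(":"))
    m, d, y = (int(x) for x in date.split("/"))
    hour = hh % 12 + (12 if ampm == "PM" else 0)
    return dt.datetime(y + 2000 if y < 100 else y, m, d, hour, mm, ss)

def coerce(col, value):
    if col == "Event":
        return int(value)
    if col == "Date Time":
        return parse_when(value)
    return value.lower()  # string fields compare case-insensitively

def matches(row, filters):
    """Every /Fi filter must hold; multiple filters are ANDed as on the page."""
    for spec in filters:
        name, op, value = spec.split(None, 2)
        col, op = FIELDS[name.lower()], op.lower()
        if col not in ORDERED and op not in ("eq", "ne"):
            raise ValueError(f"{name}: only eq/ne are valid for this field")
        if not OPS[op](coerce(col, row[col]), coerce(col, value)):
            return False
    return True

def query(csv_text, filters):
    """Return the CSV rows (as dicts) that satisfy all of the filters."""
    return [r for r in csv.DictReader(io.StringIO(csv_text)) if matches(r, filters)]
```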
You can automate the event querying process by creating a script that obtains the event information you want to see and then writes it to a text file. Consider the following example:
@echo off
eventquery /s Mailer1 /l "system" /r 100 /fi "type ne information" > \\CorpIntranet01\www\currentlog.txt
eventquery /s Mailer1 /l "application" /r 100 /fi "type ne information" >> \\CorpIntranet01\www\currentlog.txt
eventquery /s Mailer1 /l "directory service" /r 100 /fi "type ne information" >> \\CorpIntranet01\www\currentlog.txt
Here, you are examining the system, application and directory service event logs on MAILER1 and writing any resulting output to a network share on CorpIntranet01. If any of the named logs have warning or error events among the 100 most recent events in the logs, the warnings or errors are written to the Currentlog.txt file. Because the first redirection is overwrite (>) and the remaining entries are append (>>), any existing Currentlog.txt file is overwritten each time the script runs. This ensures only current events are listed. To take the automation process a step further, you can create a scheduled task that runs the script each day or at specific intervals during the day.
