Query window event log for the last two weeks

Question

Query window event log for the last two weeks

I'm trying to export a Windows event log, but I limit the exported events not according to the number, but depending on the time the event was logged. I am trying to do this on Windows 7 and newer. So far, my efforts have focused on using wevtutil.

I am using wevtutil and now my command line is: wevtutil Application events.evtx The problem is that I am exporting the entire log and this can be quite large, so I want to limit it only to the last 2 weeks.

I found this post, but, first of all, it does not produce any output on my system (yes, I changed the dates and times), and secondly, it seems to depend on the date format, which I try to avoid.

The following is a modified command:

 wevtutil qe Application "/q:*[System[TimeCreated[@SystemTime>='2012-10-02T00:00:00' and @SystemTime<'2012-10-17T00:00:00']]]" /f:text

I had to replace < and > to the actual characters since otherwise I received a syntax error. This command produces empty output.

+7

windows windows-7 cmd windows-server-2008-r2 event-log

Ivaylo strandjev Oct 16 '12 at 13:43

source share

4 answers

The problem is with / q: inside quotation marks. It should be outside, for example:

 wevtutil qe Application /q:"*[System[TimeCreated[@SystemTime>='2012-10-02T00:00:00' and @SystemTime<'2012-10-17T00:00:00']]]" /f:text

This works great for me.

+10

Codeguard Apr 11 '13 at 7:40

source share

I highly recommend using LogParser for this task:

 logparser -i:evt file:query.sql

With query.sql containing something like this:

 SELECT TimeGenerated,EventID,SourceName,Message FROM Application WHERE TimeGenerated > TO_TIMESTAMP(SUB(TO_INT(SYSTEM_TIMESTAMP()), 1209600)) ORDER BY TimeGenerated DESC

A somewhat unintuitive date calculation converts the system time ( SYSTEM_TIMESTAMP() ) to an integer ( TO_INT() ), subtracts 1209600 seconds (60 * 60 * 24 * 14 = 2 weeks) and converts the result back to a time TO_TIMESTAMP() ), which gave a date from 2 weeks ago.

You can parameterize the time interval by replacing a fixed number of seconds with MUL(86400, $days) and changing the command line to this:

 logparser -i:evt file:query.sql+days=14

You can also pass the request directly to logparser:

 logparser -i:evt "SELECT TimeGenerate,EventID,SourceName,Message FROM ..."

+2

Ansgar wiechers Oct 16 '12 at 17:45

source share

For events of the last 2 weeks, you can also use timediff to avoid timediff dates.

Windows uses milliseconds, so it will be 1000 * 86400 (seconds, = 1 day) * 14 (days) = 1209600000.

Upon your request, it will look like

 wevtutil qe Application /q:"*[System[TimeCreated[timediff(@SystemTime) <= 1209600000]]]" /f:text /c:1

I added /c:1 to get only 1 event in the example, since there are a lot of events in the last 2 weeks.

You can also specify only a warning and errors. You can use (Level=2 or Level=3) . (For some reason, Level<4 doesn't seem to work for me on Win7)

 wevtutil qe Application /q:"*[System[(Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) <= 1209600000]]]" /f:text /c:1

+2

mivk Mar 07 '16 at 19:29

source share

joebalt · Accepted Answer · 2012-10-16T17:54:34+0000

I do not know how you feel about PowerShell, but it is available on all systems that you have noted.

At the powershell command line, see Get-Help Get-EventLog -Examples for more information.

If you need to do this from a .cmd or .bat file, you can call powershell.exe -File powershell_script_file_name

where powershell_script_file_name contains the Get-EventLog commands (s) that you need.

This example shows all the failures of the security event log that I use to audit systems:

 Get-EventLog -LogName security -newest 1000 | where {$_.entryType -match "Failure"}

Query window event log for the last two weeks

More articles: