Query windows event log for the past two weeks
Asked Answered
B

4

11

I am trying to export a windows event log but limit the exported events not according to number but according to time the event was logged. I am trying to do that on windows 7 and newer. So far my efforts are focused on using wevtutil.

I am using wevtutil and my command line now is: wevtutil Application events.evtx The problem here is that I export the whole log and this can be quite big so I want to limit it just to the last 2 weeks.

I have found this post but first of all it does not seem to produce any output on my system(yes I have changed the dates and time) and second it seems to be dependent on the date format which I try to avoid.

Here is the modified command I ran:

wevtutil qe Application "/q:*[System[TimeCreated[@SystemTime>='2012-10-02T00:00:00' and @SystemTime<'2012-10-17T00:00:00']]]" /f:text

I had to replace the &lt; and &gt; with the actual symbols as I got a syntax error otherwise. This command produces empty output.

Boonie answered 16/10, 2012 at 13:43 Comment(0)
A
3

I don't know how you feel about PowerShell, but it's available on all the systems you tagged.

From a powershell prompt, see Get-Help Get-EventLog -Examples for more info.

If you have to do this from a .cmd or .bat file, then you can call powershell.exe -File powershell_script_file_name

where powershell_script_file_name has the Get-EventLog command(s) you need in it.

This example gives all the Security Event Log failures, I use to audit systems:

Get-EventLog -LogName security -newest 1000 | where {$_.entryType -match "Failure"}
Alasteir answered 16/10, 2012 at 17:54 Comment(1)
As I want to incorporate this in a script we are shipping with the product we are developing we would like to avoid dependency to powershell(legal and licensing issues).Boonie
L
18

The problem is due to /q: being inside quotes. It should be outside, like:

wevtutil qe Application /q:"*[System[TimeCreated[@SystemTime>='2012-10-02T00:00:00' and @SystemTime<'2012-10-17T00:00:00']]]" /f:text

This works just fine for me.

Lukelukens answered 11/4, 2013 at 7:40 Comment(2)
Still not working for me. This command again produces empty output.Boonie
This time, you must have forgotten to put the correct dates. I copy-pasted this into commandline, fixed dates, and it worked. Also, I have implemented that in code for our crash diagnostics system and it works just fine.Lukelukens
Q
14

For the events of the last 2 weeks, you could also use timediff, to avoid hard-coding dates.

Windows uses milliseconds, so it would be 1000 * 86400 (seconds, = 1 day) * 14 (days) = 1209600000.

For your query, that would look like

wevtutil qe Application /q:"*[System[TimeCreated[timediff(@SystemTime) <= 1209600000]]]" /f:text /c:1

I added /c:1 to get only 1 event in the example, since there are many events in the last 2 weeks.

You may also want to only list warning and errors. For that, you can use (Level=2 or Level=3). (For some reason, Level<4 doesn't seem to work for me on Win7)

wevtutil qe Application /q:"*[System[(Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) <= 1209600000]]]" /f:text /c:1
Quartan answered 7/3, 2016 at 19:29 Comment(1)
You may also want to include critical messages: Level=1 or Level=2 or Level=3. To construct a query graphically, you can use Event Viewer: In the Actions pane or Action menu, click Filter Current Log. Choose the desired logging options. Click on the XML tab to generate the structured query.Yurik
A
3

I don't know how you feel about PowerShell, but it's available on all the systems you tagged.

From a powershell prompt, see Get-Help Get-EventLog -Examples for more info.

If you have to do this from a .cmd or .bat file, then you can call powershell.exe -File powershell_script_file_name

where powershell_script_file_name has the Get-EventLog command(s) you need in it.

This example gives all the Security Event Log failures, I use to audit systems:

Get-EventLog -LogName security -newest 1000 | where {$_.entryType -match "Failure"}
Alasteir answered 16/10, 2012 at 17:54 Comment(1)
As I want to incorporate this in a script we are shipping with the product we are developing we would like to avoid dependency to powershell(legal and licensing issues).Boonie
T
2

I strongly recommend using LogParser for this kind of task:

logparser -i:evt file:query.sql

With query.sql containing something like this:

SELECT
  TimeGenerated,EventID,SourceName,Message
FROM Application
WHERE TimeGenerated > TO_TIMESTAMP(SUB(TO_INT(SYSTEM_TIMESTAMP()), 1209600))
ORDER BY TimeGenerated DESC

The somewhat unintuitive date calculation converts the system time (SYSTEM_TIMESTAMP()) to an integer (TO_INT()), subtracts 1209600 seconds (60 * 60 * 24 * 14 = 2 weeks) and converts the result back to a timestamp (TO_TIMESTAMP()), thus producing the date from 2 weeks ago.

You can parameterize the timespan by replacing the fixed number of seconds with MUL(86400, $days) and changing the commandline to this:

logparser -i:evt file:query.sql+days=14

You can also pass the query directly to logparser:

logparser -i:evt "SELECT TimeGenerate,EventID,SourceName,Message FROM ..."
Triliteral answered 16/10, 2012 at 17:45 Comment(2)
I would like to avoid using additional executables that are not part of the standard windows distribution if possible.Boonie
You can just copy the LogParser executable and DLL to a location of your choice and run it from there, but that's your decision, of course.Triliteral

© 2022 - 2024 — McMap. All rights reserved.