Zoho Banner September 2011

Windows Server 2008 (and Vista) offer improved options for event log management.  For example, you now have the option to forward events to a central event collector server.  You also now have powerful filtering capabilities.  One of the features I like is the Wevtutil command-line tool that allows you to retrieve, query, archive, export and clear events.   It’s the best option you have if you use Server Core and don’t want to open the firewall to allow remote access using the Event Viewer UI.

Recently, I had to schedule the export of events using Wevtutil using a time-based query.  It took me a little while to get the query syntax right, so I thought I would share it with you here.

Let’s take a scenario in which you want to export all events from in the past 24 hours from the security log to a *.evtx file.  (Note. The default format for exported event log files in Vista and Windows Server 2008 is *.evtx.  For a good explanation of the differences between evt and evtx see this blog entry).   You can leverage the Windows Event Viewer (eventvwr) to assist you with obtaining the query required to filter the log to show only events from the past 24 hours.  To do this, click on your event log of choice (in this case Security).  In the right-hand action pane click Filter Current Log.  Within the Filter tab, select the drop-down list next to Logged and choose Last 24 hours.  Now click on the XML tab.   The query is embedded within the XML content, as follows:

 *[System[TimeCreated[timediff(@SystemTime) <= 86400000]]]

xml-query.jpg

The Wevtutil command to use the filter is shown below (may wrap).

wevtutil.exe epl Security C:\SecurityLog24hours.evtx “/q:*[System[TimeCreated[timediff(@SystemTime) <= 86400000]]]” /ow:true

Note that you have to replace the “&lt;” escape sequence meaning “less than” from the XML original with the “<” character, otherwise the query does not work and you will receive the error:

Failed to export log Security. The specified query is invalid.

The time-based filter I have used in this example only scratches the surface of the query capabilities you have with Wevtutil.  The fact that you can leverage the capabilities within the Event Viewer UI to assist with building the queries takes a lot of the pain away.  For more information about Wevtutil, including all the available command line options, see this page on Microsoft Technet.

2 Comments

  1. Constantijn Blondel says:

    Ages after the original post, of course, but thank you very much from a random google visitor, who happened to look for precisely this nugget of information! :)

    Cheers!

  2. vedat says:

    you may change your script and try as in follows;
    wevtutil.exe epl Security C:\SecurityLog24hours.evtx
    /ow:True
    /q:”*[System[TimeCreated[timediff(@SystemTime) <= 86400000]]]”

Leave a Reply