Command Line Event Logs - Part 2
In my last article, Command Line Event Logs, I introduced the command-line utility WEVTUTIL.EXE, which you can use to get event log information on your Windows 7 machine. In this article, I want to show you how to use it to manage the event logs themselves. Remember, you can always ask the utility for help.
C:\> wevtutil /?
If some of the parameters don’t make sense to you in the following examples, take a few minutes to go back and read Command Line Event Logs – Part 1.
The first task to look at is enumerating all the event logs. You might also need to know the log name for query purposes. All we need to do is use the el or enum-logs parameter. Here are the logs on the remote server CHI-FP01:
C:\>wevtutil el /r:chi-fp01 | more
Analytic
Application
DNS Server
DirectShowFilterGraph
DirectShowPluginControl
EndpointMapper
ForwardedEvents
HardwareEvents
Internet Explorer
Key Management Service
Microsoft-IE/Diagnostic
...
I piped to MORE to send results in pages. The server is running Windows Server 2008 R2 so it has all of the new diagnostic logs. Once you’ve identified a log, you can get additional information on it using the gli or get-log-info parameter.
C:\>wevtutil gli application /r:chi-fp01
creationTime: 2011-04-27T00:51:21.140Z
lastAccessTime: 2011-04-27T00:51:21.140Z
lastWriteTime: 2011-12-26T19:05:11.537Z
fileSize: 2166784
attributes: 32
numberOfLogRecords: 2399
oldestRecordNumber: 1
The file size is in bytes and I can see that there are almost 2,400 entries in the Application log. Here’s a little trick if you want to build a report for one or more logs. First, create a text file of all the log names you are interested in. You can do this manually, or send output to a text file.
C:\>wevtutil el > c:\work\evtlogs.txt
Now, use the FOR command to get log information for every log in the list and redirect to another text file.
C:\>(for /f %i in (c:\work\evtlogs.txt) do @echo %i & wevtutil gli /r:chi-fp01 %i & echo.) > c:\work\chi-fp01-logs.txt
Depending on what log names are in the list and the computer you query, you might get some errors. In my case I built the text file from Windows 7 but queried Windows Server 2008 R2, so some logs don't exist on the target. Naturally the better step is to create platform-specific lists. But I hope you get the idea.
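The same report as a reusable batch file, added here as an example and not part of the original article. It takes the log list from the target server itself, so logs that exist only on the querying machine are never requested, and it reads names with delims= and quotes them so that names containing spaces, such as Internet Explorer, are passed to gli whole rather than being split at the first space. The server name and report path are arguments you supply.

```batch
@echo off
rem logreport.cmd - added example, not from the original article.
rem Usage: logreport.cmd <server> [report file]
rem Builds a per-log gli report from the server's own log list, so the
rem platform mismatch described in the article cannot produce errors.
setlocal
set "SERVER=%~1"
set "REPORT=%~2"
if "%SERVER%"=="" set "SERVER=%COMPUTERNAME%"
if "%REPORT%"=="" set "REPORT=c:\work\%SERVER%-logs.txt"

> "%REPORT%" (
  rem delims= keeps the whole line, so "Internet Explorer" stays one name;
  rem usebackq lets the command itself sit in backquotes.
  for /f "usebackq delims=" %%L in (`wevtutil el /r:%SERVER%`) do (
    echo === %%L
    rem 2>&1 keeps any access-denied message next to the log it belongs to.
    wevtutil gli "%%L" /r:%SERVER% 2>&1
    echo.
  )
)

rem Quick summary: how many logs on the server hold no records at all.
for /f %%C in ('type "%REPORT%" ^| find /c "numberOfLogRecords: 0"') do (
  echo %%C empty log(s) on %SERVER%; full report in %REPORT%
)
endlocal
```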
Get Log Configuration
In addition to details about the log contents, we can use this tool to discover log properties such as whether it is enabled, its file name and size. Use the gl or Get-Log parameter.
C:\>wevtutil gl microsoft-windows-backup /r:chi-fp01
name: microsoft-windows-backup
enabled: true
type: Operational
owningPublisher: Microsoft-Windows-Backup
isolation: System
channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;BO)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x3;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\microsoft-windows-backup.evtx
  retention: false
  autoBackup: false
  maxSize: 1052672
publishing:
  fileMax: 1
Set Log Configuration
If I want to modify a log setting, such as the maximum file size, I'll use the sl or Set-Log parameter. I'm going to change the max file size on the backup log to about 2MB.
C:\>wevtutil sl microsoft-windows-backup /r:chi-fp01 /ms:2097152
Re-querying the log I can see my change in effect.
C:\>wevtutil gl microsoft-windows-backup /r:chi-fp01 | find /I "maxsize"
  maxSize: 2097152
To see all of the set options, look at help for this command.
C:\>wevtutil sl /?
I can export an entire log to a file using the epl or export-log parameter.
C:\>wevtutil epl microsoft-windows-backup c:\work\fp01-backup.evtx /r:chi-fp01
Be sure to get parameters in the right order. You must specify the log name first and then the target file. If you have created an XML query and saved it to a file, like I did in Part 1, you can also use that query to export selected events. Simply substitute the path to your query file in place of the log name.
C:\>wevtutil epl s:\scmquery.txt c:\work\fp01-system-service.evtx /r:chi-fp01 /sq:true
There is one very important caveat here when you export logs on remote computers: the target path is relative to the remote computer. So in my examples, the exported logs are in C:\Work on CHI-FP01. However, you can use a UNC as part of the path. Use this export feature for log backups.
The last task you may have is to clear an event log. This is easily accomplished with the cl or clear-log parameter.
C:\>wevtutil cl microsoft-windows-backup /bu:\\chi-fp01\IT\FP01-Backuplog.evtx /r:chi-fp01
If you didn't export events first, you can use the /bu parameter, as I'm doing here, to create a backup log before the log is cleared. As with exporting, the path is relative to the remote computer, and you can use a UNC.
Checking the log again, I can see that I was successful.
C:\>wevtutil gli microsoft-windows-backup /r:chi-fp01
creationTime: 2011-08-02T16:26:37.657Z
lastAccessTime: 2011-12-28T15:18:46.688Z
lastWriteTime: 2011-12-28T15:18:46.688Z
fileSize: 69632
attributes: 32
numberOfLogRecords: 0
oldestRecordNumber: 0
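The backup-then-clear sequence above, wrapped as a batch file with the checks a practitioner would want before trusting it as a log-archiving routine. This is an added example, not code from the original article: it writes the /bu copy to a UNC share (because the path is resolved on the remote server), stops if the clear reports an error, confirms from the local side that the backup file exists, and re-queries gli to verify the record count is zero. The server, log name and share are arguments you supply; the timestamp comes from wmic, which the page's Windows 7 / Server 2008 R2 platforms carry.

```batch
@echo off
rem archivelog.cmd - added example, not from the original article.
rem Usage: archivelog.cmd <server> <log name> <\\server\share>
rem Clears a log only after a backup copy has been written to the share,
rem then confirms with gli that the live log is empty.
setlocal
set "SERVER=%~1"
set "LOGNAME=%~2"
set "SHARE=%~3"
if "%SHARE%"=="" (
  echo Usage: %~nx0 server logname \\server\share
  exit /b 1
)

rem Build a sortable timestamp; %date%/%time% vary by locale, wmic does not.
for /f "tokens=2 delims==" %%T in ('wmic os get localdatetime /value') do set "DT=%%T"
set "TARGET=%SHARE%\%SERVER%-%LOGNAME%-%DT:~0,8%-%DT:~8,6%.evtx"

rem /bu writes the backup as part of the clear. The path is resolved on
rem %SERVER%, which is why a UNC and not a local drive letter is used.
wevtutil cl "%LOGNAME%" /bu:"%TARGET%" /r:%SERVER%
if errorlevel 1 (
  echo Clear of %LOGNAME% on %SERVER% failed with error %ERRORLEVEL%. Check the share path and log name.
  exit /b 2
)

rem Check from this side of the network that the backup really landed.
if not exist "%TARGET%" (
  echo WARNING: %TARGET% was not found. Check share permissions before trusting this backup.
  exit /b 3
)

rem Re-query the log, as the article does, and read back the record count.
set "COUNT="
for /f "tokens=2" %%N in ('wevtutil gli "%LOGNAME%" /r:%SERVER% ^| find "numberOfLogRecords"') do set "COUNT=%%N"
if "%COUNT%"=="0" (
  echo %LOGNAME% on %SERVER% archived to %TARGET% and cleared.
) else (
  echo %LOGNAME% on %SERVER% still reports %COUNT% records.
  exit /b 4
)
endlocal
```

Run it from a workstation that can reach both the server and the share; the exit codes let a scheduled task or monitoring job distinguish a failed clear from a missing backup.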
Using WEVTUTIL takes a little practice so try these commands out in a test environment first. In future articles I’ll show you how to accomplish these same tasks using Windows PowerShell.