Command Line Event Logs - Part 2


In my last article Command Line Event Logs I introduced the command line utility WEVTUTIL.EXE, which you can use to get event log information on your Windows 7 machine. In this article, I want to show you how to use it to manage the event logs themselves. Remember, you can always ask the utility for help.

If some of the parameters don’t make sense to you in the following examples, take a few minutes to go back and read Command Line Event Logs – Part 1.

Listing Logs

The first task to look at is enumerating all the event logs. You might also need to know the log name for query purposes. All we need to do is use the el or enum-logs parameter. Here are the logs on the remote server CHI-FP01:

I piped to MORE to send results in pages. The server is running Windows Server 2008 R2 so it has all of the new diagnostic logs. Once you’ve identified a log, you can get additional information on it using the gli or get-log-info parameter.

The file size is in bytes and I can see that there are almost 2,400 entries in the Application log. Here’s a little trick if you want to build a report for one or more logs. First, create a text file of all the log names you are interested in. You can do this manually, or send output to a text file.

Now, use the FOR command to get log information for every log in the list and redirect to another text file.

Depending on what log names are in the list and the computer you query, you might get some errors. In my case I built the text file from Windows 7, but queried Windows Server 2008 R2, so some logs don’t exist. Naturally the better step is to create platform specific lists. But I hope you get the idea.

Get Log Configuration

In addition to details about the log contents, we can use this tool to discover log properties such as whether it is enabled, its file name and size. Use the gl or Get-Log parameter.

Set Log Configuration

If I want to modify a log setting, such as maximum file size I’ll use the sl or Set-Log parameter. I’m going to change the max file size on the backup log to about 2MB.

Re-querying the log I can see my change in effect.

To see all of the set options, look at help for this command.

Export Logs

I can export an entire log to a file using the epl or export-log parameter.

Be sure to get parameters in the right order. You must specify the log name first and then the target file. If you have created an XML query and saved it to a file, like I did in Part 1, you can also use that query to export selected events. Simply substitute the path to your query file in place of the log name.

There is one very important caveat here when you export logs on remote computers: the target path is relative to the remote computer. So in my examples, the exported logs are in C:\Work on CHI-FP01. However, you can use a UNC as part of the path. Use this export feature for log backups.

Clear Logs

The last task you may have is to clear an event log. This is easily accomplished with the cl or clear-log parameter.

If you didn’t export events first, you can use the /bu parameter as I’m doing here and create a backup log first. As with exporting, the path is relative to the computer and you can use a UNC.

Checking the log again, I can see that I was successful.


Using WEVTUTIL takes a little practice so try these commands out in a test environment first. In future articles I’ll show you how to accomplish these same tasks using Windows PowerShell.

Related Topics:

  • Windows Client OS

    Don't have a login but want to join the conversation? Sign up for a Petri Account