PsLoglist

Filtering
Windows event logs record an incredible amount of information, much of which reflects the normal operation of a system. Scrolling through hundreds or thousands of records looking for significant events is infeasible, so PsLoglist includes a number of filtering options that let you limit the output to the events in which you're interested.

The -f argument takes a string of letters that represent the starting letter of the event types you want PsLoglist to dump. For example, to see only errors and warnings, use a command such as

psloglist -f ew 

Sometimes you might be interested in only certain event sources, or you might want to omit sources from the output. The -o option lets you specify event sources to include; the -q option lets you specify event sources to omit. Both options accept event source names within quotation marks and permit multiple source names, separated by commas. The following syntax will dump event-log records generated by the Windows Update Agent and NtServicePack sources:

psloglist -o "windows update agent","ntservicepack" 

Additional event-filtering options let you narrow the output to records that have certain IDs or to exclude specific IDs. The -i option restricts printed records to those matching as many as 10 event IDs (separated by commas) and the -e option excludes records that match as many as 10 event IDs (again, separated by commas).

Many systems administrators use PsLoglist in daily scripts to dump events from the previous day. This type of filtering is possible by using the -d switch, which takes a number that PsLoglist interprets as the age in days of the oldest record you want to print. The -h switch works similarly but lets you specify the age in hours. And if you want records from within a particular date range, use the -a switch to specify the start date and the -b switch to specify the end date (with the dates formatted as dd/mm/yy).

One more filtering option is the -w switch, which tells PsLoglist to dump the records that you've specified by using other options, wait, then dump new records that match the filtering criteria, as those records generate. This filter can be useful when you want to configure another script or program to monitor PsLoglist's output and respond to event-record generation in real time, with programmed behaviors.

A Perfect Fit
PsLoglist is a Swiss-army knife event log-management utility that can simplify and optimize the analysis of event logs across your enterprise. Its rich feature set and evolution over time in response to user feedback helps this tool fit almost any management scheme. You can download the tool at http://www.sysinternals.com/utilities/psloglist.html.