Q: What tools can I use to dump to a file the content of the Windows event log files on remote systems and query the event logs for occurrences of certain Windows event IDs?

A: The easiest way to dump Windows event log files and to query them for certain events is to use the built-in Microsoft Management Console (MMC) Windows Event Viewer snap-in. When you load the Event Viewer snap-in, you can select whether you want to connect to the local machine or a remote machine.

  • To dump the entire contents of an event log container (e.g., the Security container), select the container in the Event Viewer snap-in, then select the Save Log File As option in the Action menu. In the resulting dialog box, you can save the file in a Windows event log file format (*.evt), tab-delimited file (*.txt) or comma-separated file (*.csv).
  • To query the event log for certain Windows event IDs, select the container in the Event Viewer, then select the Filter option in the View menu. In the resulting properties dialog box, type the Event ID of the event for which you want to query.

To use a command line to dump the content of the Windows event log in a Windows 2000 environment, you can use tools such as Microsoft’s dumpel.exe or Sysinternals’ psloglist.exe. The following dumpel command, for example, will dump all events in the security log on a server named myserver to a file named security.xls:

  dumpel -f security.xls -s myserver -l security

Dumpel can also filter on certain event IDs when it dumps the event log content. For example, to restrict the earlier example to event ID 528, type:

  dumpel -f security.xls -s myserver -l security -e 528

You can download dumpel.exe from the Microsoft Web site at http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/dumpel-o.asp. Psloglist.exe, which is available from the Sysinternals Web site at http://www.sysinternals.com/Utilities/PsLogList.html, also works with Windows Server 2003 and Windows XP systems.

In Windows 2003 and XP, Microsoft added a new event query tool called Eventquery to query the Windows event logs from the command line. Eventquery is a VBScript-based query tool (eventquery.vbs) and should be your preferred query tool for Windows 2003 and XP environments.

To use Eventquery to find the last 10 security-related events on a machine named myserver, for example, you would type the following at the command line:

  eventquery /s myserver /r -10 /fo LIST /l security

A nice tool to query the local and remote event logs from the Windows GUI is the eventcombmt.exe utility, which Figure 1 shows. This tool works on Windows 2000, Windows XP and Windows Server 2003. Eventcombmt.exe is included in the Account Lockout and Management Tools (http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=7af2e69c-91f3-4e63-8629-b999adde0b9e) and in the Security Operations Guide for Windows 2000 (http://www.microsoft.com/downloads/details.aspx?FamilyId=9989D151-5C55-4BD3-A9D2-B95A15C73E92&displaylang=en).

Eventcombmt lets an administrator look for occurrences of a single event ID, multiple event IDs, a range of event IDs, specific event types or sources, or a specific event message text. The eventcombmt tool drops the results of its query in the eventcombmt.txt file in a system’s temporary folder.

If you like scripting, you can also use the Windows Management Instrumentation (WMI) interfaces to dump and query the Windows event logs. For more information on WMI, have a look at the following URL: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/wmi_start_page.asp.
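As an added example that is not part of the original article, the following PowerShell script does through WMI's Win32_NTLogEvent class what the dumpel and eventquery examples above do: it queries the Security log on one or more remote systems for a list of event IDs and writes the hits to a CSV file. The computer name myserver and event ID 528 are taken from the article; the output path and the requirement for PowerShell 3.0 or later are assumptions.

```powershell
# Added example (not from the original article): dump selected event IDs from the
# Security log of remote systems via WMI (Win32_NTLogEvent) into a CSV file.
# Computer names, event IDs and the output path are placeholders; adjust as needed.
param(
    [string[]]$ComputerName = @('myserver'),          # host name used in the article
    [int[]]$EventId         = @(528),                 # event IDs to look for
    [string]$LogFile        = 'Security',
    [string]$OutFile        = 'C:\temp\security-events.csv'  # assumed output path
)

# Build a WQL filter such as: Logfile='Security' AND (EventCode=528 OR EventCode=529)
# Filtering on Logfile in WQL matters: without it WMI walks every log on the box.
$idClause = ($EventId | ForEach-Object { "EventCode=$_" }) -join ' OR '
$filter   = "Logfile='$LogFile' AND ($idClause)"

$results = foreach ($computer in $ComputerName) {
    try {
        Get-WmiObject -Class Win32_NTLogEvent -ComputerName $computer `
                      -Filter $filter -ErrorAction Stop |
            ForEach-Object {
                # TimeGenerated is a DMTF timestamp string; convert it to a DateTime
                [pscustomobject]@{
                    Computer = $computer
                    Time     = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.TimeGenerated)
                    EventId  = $_.EventCode
                    Source   = $_.SourceName
                    Type     = $_.Type          # e.g. 'Audit Success' / 'Audit Failure'
                    User     = $_.User
                    Message  = ($_.Message -replace '\s+', ' ')
                }
            }
    }
    catch {
        # A host that is offline or refuses the WMI connection should not abort the run
        Write-Warning "Could not query $computer : $_"
    }
}

$results | Sort-Object Time | Export-Csv -Path $OutFile -NoTypeInformation
Write-Host ("{0} matching event(s) written to {1}" -f @($results).Count, $OutFile)
```

Reading the Security log through WMI requires administrative rights on the remote system, and the remote WMI (DCOM/RPC) ports must be reachable through any firewall in between.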