Command-line event-log access
Every Windows Server 2003, Windows XP, Windows 2000, and Windows NT system keeps at least three event logs: Application, Security, and System (machines running extra roles, such as a DNS server, add more). These logs are terrific sources of information; however, they're a pain to access. If you have 1000 workstations and servers, you have at least 3000 logs to examine regularly—yuck. Let's take a look at Eventquery, a command-line tool in Windows Server 2003 and XP that you can use to gather and filter event-log events from local and remote machines, including pre-XP machines.
Eventquery is a VBScript program (eventquery.vbs, in the %SystemRoot%\System32 folder), so you typically must invoke it through cscript.exe, the console script host; the default host, wscript.exe, is meant for GUI scripts rather than console output. However, if you want Eventquery to behave like any other .exe program, you can tell your system to always use cscript.exe when you type eventquery (or the name of any VBScript program). To do so, type:
cscript //h:cscript //s
at a command prompt and press Enter. You can now type just eventquery rather than
If you type only eventquery, your system dumps all the records in all the event logs on the local computer. To narrow the output to a single log, use the /l parameter (Eventquery's parameters are case insensitive, so /L works too), followed by the name of the log you want to see. For example, typing
eventquery /l "dns server"
would dump only the DNS server service log. (You need to enclose the log's name in quotes if the name contains a space.)
To have Eventquery read a remote system's log, you use the /s systemname, /u username, and /p password options (the user name can be written as domain\username; leave /u and /p off to connect with the credentials you're already logged on with). Two caveats: reading a Security log, locally or remotely, requires administrative rights on that machine, and a password typed on the command line is visible to anyone who can see the process list or your command history. For example, to dump the Security log on a remote system named MYPC, using account Jane with password HeLL0, you'd type
eventquery /l security /s mypc /u jane /p HeLL0
Even restricting your query to one system and one log can yield more information than you want. Thankfully, Eventquery lets you use the /r (range) and /fi (filter) options to restrict the information that it returns. You give the /r option a number or a range of numbers in one of three formats: /r 10 requests the 10 most recent events, /r -10 requests the 10 oldest events, and /r 10-20 requests the 10th through the 20th most recent events.
The most cryptic and most powerful part of Eventquery, however, is the /fi option. For example, to see only those events in the Security log with event ID 528 (Successful Logon, an audit-success event), you'd type
eventquery /l security /fi "id eq 528"
The "id eq 528" value is in quotes because it contains spaces. Eventquery uses letter abbreviations rather than symbols for its comparison operators, so eq, not an equals sign (=), means is equal to. The other operators Eventquery recognizes are ne (not equal), ge (greater than or equal to), le (less than or equal to), gt (greater than), and lt (less than). In addition to filtering by event ID, Eventquery lets you filter by when the event occurred (Datetime), the type of event (Type: error, warning, information, success audit, or failure audit), user name (User), computer name (Computer), and the event-log item's Source or Category. Only the ID and Datetime filters accept the ordering operators ge, le, gt, and lt; the other filters take eq and ne.
If you need to build a query that uses the logical OR operator, you're in luck: Eventquery understands this operator. For example, suppose you have logon-failure auditing enabled and you want to see which users have failed while attempting to log on to your computer. You need to see only event IDs 529 (logon failure: unknown user name or bad password) and 680 (the NTLM authentication-package event that accompanies such an attempt), so you'd type:
eventquery /l security /fi "id eq 529 or id eq 680"
You can also combine a filter with a range. For example, to see only the 20 most recent of those events:
eventquery /l security /fi "id eq 529 or id eq 680" /r 20
But what if you want all IDs between 528 and 540? Eventquery doesn't support a logical AND operator inside a filter, but you can specify several /fi options and they are ANDed together, which achieves the same result. For example, to ask for all records with IDs greater than or equal to 528 and less than or equal to 540, type
eventquery /l security /fi "id ge 528" /fi "id le 540"
Eventquery isn't in the same league as Microsoft Operations Manager (MOM), but the utility lets you easily put together batch files that grab specified event-log information from particular servers. With the /fo (format) parameter, you can tell Eventquery to report data as a table (/fo table, the default), as a list (/fo list), or in comma-delimited format (/fo csv); /v adds each event's description text to the output. So, it's a snap to pump Eventquery's output into Microsoft Excel or a database.
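Here is an added example of such a batch file; it is not code from the original article. It sweeps the Security log of every host named in a server list for the logon-failure events discussed above (IDs 529 and 680), using the range, filter, and CSV options shown earlier, and writes one CSV per host. The file name servers.txt, the output folder name, and the 50-event cap are assumptions made for this example; the script relies only on eventquery.vbs options described on this page.

```batch
@echo off
rem sweep-logon-failures.cmd -- added example, not code from the original article.
rem For every host named in servers.txt (one name per line, "#" comments allowed;
rem a constructed input file assumed to sit beside this script), pull the 50 most
rem recent logon-failure events (IDs 529 and 680) from the Security log and save
rem them as <hostname>.csv in the output folder, ready for Excel or a database.
rem /u and /p are deliberately omitted: the queries run as the account running
rem this batch file, so no password is written on a command line where the
rem command history or the process list would expose it.
setlocal
set SERVERLIST=servers.txt
set OUTDIR=eventquery-out
set FILTER=id eq 529 or id eq 680
rem Name the script host explicitly so the file works even where //h:cscript
rem has not been set; eventquery.vbs lives in %SystemRoot%\system32.
set EQ=cscript //nologo %SystemRoot%\system32\eventquery.vbs

if not exist "%SERVERLIST%" (
    echo Server list "%SERVERLIST%" not found.
    exit /b 1
)
if not exist "%OUTDIR%" mkdir "%OUTDIR%"

rem tokens=1 takes just the first word of each line, so a trailing comment or
rem stray whitespace after the host name does not end up in the /s argument.
for /f "usebackq eol=# tokens=1" %%S in ("%SERVERLIST%") do (
    echo Querying %%S ...
    %EQ% /s %%S /l security /fi "%FILTER%" /r 50 /fo csv > "%OUTDIR%\%%S.csv"
)

echo Done. One CSV per host is in "%OUTDIR%". A file that holds an error message
echo instead of events marks a host that could not be reached or a Security log
echo the current account has no right to read.
endlocal
```

To widen the sweep to the whole 528-540 range instead, replace the single /fi with the two ANDed filters shown above (/fi "id ge 528" /fi "id le 540"); to see the description text as well, add /v. Keeping one file per host means a failed query cannot silently corrupt a combined file, and the host name survives in the file name when you later merge the CSVs.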