Event Logs and Remote Event Log access
You can use the Event Viewer MMC snap-in to remotely view the event logs on. With Windows XP/2003 you don’t get all the latest functionality available with the new event logs in Server 2007.
Command Line Event Log access
Working with the event logs from the command line has improved in Server 2007 Core. The old eventquery VBScript has been replaced by a new command line tool:
wevtutil.exe.
The el (enum-logs) command lists the event logs on the machine, any of which you can then query with the qe (query-events) command.
Common switches that come in handy
/c:5 – Count. Specifies how many records you want returned, in this example 5.
/rd – Reverse Direction. By default the oldest events are displayed first, so if you used the /c switch to dump 5 events you would get the first 5 in the log, probably not the events you’re most interested in. To see the 5 most recent events you would specify /c:5 /rd:True
/f: – Format. By default the output is raw XML, which isn’t very readable when dumped to the screen. Use /f:text to see the events in plain text.
/e – Element. If you’re dumping your log in XML, you must use this switch and specify a root element to get well-formed XML.
So if you wanted to see the most recent event in the system log in text format, you would run:
Wevtutil qe /f:text /c:1 /rd:true system
To show this event in XML and dump it to a network share, run:
Wevtutil qe /c:1 /rd:true /e:root system > \\computer\share\system.xml
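Once the export is on the share, it can be triaged on another machine. The following is an added example, not part of the original article: it parses wevtutil XML output, shows why the /e root element matters when more than one event is returned, and keeps only Critical and Error events. The two event records, the computer name CORE01 and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LEVELS = {"1": "Critical", "2": "Error", "3": "Warning", "4": "Information"}

def _event(provider, event_id, level, when):
    """Build one constructed <Event> record in the layout wevtutil emits."""
    return ("<Event xmlns='%s'><System><Provider Name='%s'/><EventID>%s</EventID>"
            "<Level>%s</Level><TimeCreated SystemTime='%s'/><Channel>System</Channel>"
            "<Computer>CORE01</Computer></System></Event>"
            % (NS["e"], provider, event_id, level, when))

# Constructed sample data, newest first as /rd:true would return it.
RECORDS = (_event("EventLog", 6008, 2, "2008-03-01T10:20:00.000Z")
           + _event("Service Control Manager", 7036, 4, "2008-03-01T10:15:00.000Z"))
WITH_ROOT = "<root>" + RECORDS + "</root>"  # shape of the output with /e:root
WITHOUT_ROOT = RECORDS                      # same query without /e

def parse_export(text):
    """Return one dict per event; reject output that is not well-formed XML."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        raise ValueError("not well-formed XML (was /e:<root> used?): %s" % exc)
    events = []
    # iter() also matches the root itself, so a lone <Event> export works too.
    for ev in root.iter("{%s}Event" % NS["e"]):
        system = ev.find("e:System", NS)
        level = system.findtext("e:Level", default="", namespaces=NS)
        events.append({
            "time": system.find("e:TimeCreated", NS).get("SystemTime"),
            "provider": system.find("e:Provider", NS).get("Name"),
            "event_id": int(system.findtext("e:EventID", namespaces=NS)),
            "level": LEVELS.get(level, level),
            "computer": system.findtext("e:Computer", namespaces=NS),
        })
    return events

def errors_and_worse(events):
    """Keep only Critical and Error events for triage."""
    return [e for e in events if e["level"] in ("Critical", "Error")]

if __name__ == "__main__":
    for e in errors_and_worse(parse_export(WITH_ROOT)):
        print(e["time"], e["level"], e["event_id"], e["provider"])
```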


