the other day I linked on wevtutil. once you get used to using it.. . the thing rocks!
One other thing, I cheat hardcore with this tool. If you use the event log to build your query then copy the filter string to the command line you're golden and have less heartburn.
For example, I want to create a query to pull out capi2 errors with an event id of 513 out of the application log, and I only want the previous 24 hours.
so how do you do it. . . . .Times up. here's the easy way:
Open the event log click on the application log and in the right pane select filter current log
Select from the logged drop down box : last 24 hours
In event sources: select CAPI2
Type the event number 513 in teh all event ids field
Wait!!! no!!! don't click okay!
Click the xml tab, notice anything interesting?
--------------- snippet
*[System[Provider[@Name='Microsoft-Windows-CAPI2'] and TimeCreated[timediff(@SystemTime) <= 86400000]]]
-----------------------
Looking good right? Nope we got to change one piece, < this needs to be changed to < the less than sign.
So now we take this wonderfully formated text and add it to our wevtutil command
wevtutil qe Application /q:"*[System[Provider[@Name='Microsoft-Windows-CAPI2'] and (Level=1 ) and (EventID=513) and TimeCreated[timediff(@SystemTime) <= 86400000]]]" /c:1 /f:text /rd:True
You'll notice that I added some switches too, like /c:1. What I was looking for was if it happened at all in the past 24 hours show me only one. I was using it to trigger an alert to have an engineer look into the issue.
also /rd:true = Reverse direction aka newest first.
Many thanks! There's an extra ] in the example, but thank you for idea of filtering with and.
ReplyDeleteExtra note: you still use single quotes for Provider Name even if there's a space, such as [System[Provider[@Name='Symantec AntiVirus'] for XML View Provider Name="Symantec AntiVirus"
Oops, there isn't an extra ]
DeleteAnyway, the single quotes holds