Query windows event log for the past two weeks


Solution 1

I don't know how you feel about PowerShell, but it's available on all the systems you tagged.

From a powershell prompt, see Get-Help Get-EventLog -Examples for more info.

If you have to do this from a .cmd or .bat file, then you can call powershell.exe -File powershell_script_file_name

where powershell_script_file_name has the Get-EventLog command(s) you need in it.

This example, which I use to audit systems, gives all the Security Event Log failures:

Get-EventLog -LogName security -newest 1000 | where {$_.entryType -match "Failure"}
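A time-bounded variant of this audit query, as an added example (my code, not part of Solution 1): instead of taking the newest 1000 records and filtering afterwards, it asks the event log service for only the last N days of audit failures. It uses Get-WinEvent, which is present on Windows 7 and later in both Windows PowerShell and PowerShell 7; the function name, parameter names and the CSV hand-off are my own choices, and the keyword value is the standard "Audit Failure" bit (0x10000000000000). Reading the Security log needs an elevated prompt.

```powershell
# Added example, not code from the answer above. Names below are my own.
# Get-EventLog reads only the classic logs and is absent from PowerShell 7;
# Get-WinEvent works on Windows 7+ in both Windows PowerShell and PowerShell 7.
function Get-RecentAuditFailures {
    param(
        [int]$Days = 14,              # look-back window; 14 = the two weeks asked about
        [string]$LogName = 'Security',
        [string]$OutFile              # optional CSV path for hand-off to analysis tooling
    )

    # A hashtable filter is evaluated by the event log service, so only matching
    # records are returned, unlike "-newest N | where", which first pulls N records
    # and then filters them in the pipeline (and silently misses older matches).
    $filter = @{
        LogName   = $LogName
        StartTime = (Get-Date).AddDays(-$Days)
        Keywords  = 0x10000000000000  # "Audit Failure" keyword bit
    }

    # Get-WinEvent throws when nothing matches; treat that as an empty result.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, Message

    if ($OutFile) {
        $events | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
    }
    return $events
}

# Usage: the last two weeks of audit failures (e.g. 4625, failed logon).
Get-RecentAuditFailures -Days 14 | Format-Table -AutoSize

# Equivalent with the classic cmdlet from the answer (Windows PowerShell only):
# Get-EventLog -LogName Security -After (Get-Date).AddDays(-14) -EntryType FailureAudit
```

The hashtable filter matters for the auditing use case: `-newest 1000` caps the window by record count, so on a busy system the oldest failures of the two weeks are never seen, whereas `StartTime` caps it by time.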

Solution 2

The problem is due to /q: being inside quotes. It should be outside, like:

wevtutil qe Application /q:"*[System[TimeCreated[@SystemTime>='2012-10-02T00:00:00' and @SystemTime<'2012-10-17T00:00:00']]]" /f:text

This works just fine for me.

Solution 3

For the events of the last 2 weeks, you could also use timediff, to avoid hard-coding dates.

Windows uses milliseconds, so it would be 1000 * 86400 (seconds, = 1 day) * 14 (days) = 1209600000.

For your query, that would look like

wevtutil qe Application /q:"*[System[TimeCreated[timediff(@SystemTime) <= 1209600000]]]" /f:text /c:1

I added /c:1 to get only 1 event in the example, since there are many events in the last 2 weeks.

You may also want to only list warnings and errors. For that, you can use (Level=2 or Level=3). (For some reason, Level<4 doesn't seem to work for me on Win7)

wevtutil qe Application /q:"*[System[(Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) <= 1209600000]]]" /f:text /c:1
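To avoid redoing the millisecond arithmetic by hand, here is an added example (mine, not from Solution 3) that builds the same structured query from a day count and a list of levels, then uses it both to list events and to export only the matching events to .evtx, which is what the question asked for. The function name and parameters are my own; it assumes that wevtutil's epl (export-log) verb accepts the same /q: filter as qe, and it computes the millisecond value as [int64] because windows of 25 days or more overflow a 32-bit integer.

```powershell
# Added example, not part of the answer above; names are my own.
# Builds the XPath filter used by wevtutil (and by Get-WinEvent -FilterXPath and
# Event Viewer's "Filter Current Log" XML tab) for the last N days.
function New-RecentEventQuery {
    param(
        [int]$Days = 14,
        [int[]]$Levels = @(1, 2, 3)   # 1=Critical 2=Error 3=Warning 4=Information 5=Verbose
    )
    # timediff(@SystemTime) is in milliseconds: 1000 * 86400 * days.
    # Use [int64]: 25 days (2160000000 ms) already exceeds [int32]::MaxValue.
    [int64]$ms = [int64]$Days * 86400L * 1000L

    # Enumerate the levels explicitly ("Level=2 or Level=3"), as in the answer;
    # Level<4 is avoided because the answerer reports it not working on Win7.
    $levelExpr = ($Levels | ForEach-Object { "Level=$_" }) -join ' or '
    return "*[System[($levelExpr) and TimeCreated[timediff(@SystemTime) <= $ms]]]"
}

$query = New-RecentEventQuery -Days 14 -Levels 1, 2, 3
# $query is now:
# *[System[(Level=1 or Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) <= 1209600000]]]

# List one matching event as text (same as the answer's command).
wevtutil qe Application "/q:$query" /f:text /c:1

# Export only the matching events to .evtx for offline review
# (assumption: epl accepts the same /q: filter as qe).
wevtutil epl Application "$env:TEMP\Application-last14d.evtx" "/q:$query"

# The same filter from PowerShell without wevtutil:
Get-WinEvent -LogName Application -FilterXPath $query -MaxEvents 1
```

Because the query is relative (timediff against the current time), it can be shipped in a scheduled script without any dependence on the machine's date format, which was the original concern.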

Solution 4

I strongly recommend using LogParser for this kind of task:

logparser -i:evt file:query.sql

With query.sql containing something like this:

SELECT
  TimeGenerated,EventID,SourceName,Message
FROM Application
WHERE TimeGenerated > TO_TIMESTAMP(SUB(TO_INT(SYSTEM_TIMESTAMP()), 1209600))
ORDER BY TimeGenerated DESC

The somewhat unintuitive date calculation converts the system time (SYSTEM_TIMESTAMP()) to an integer (TO_INT()), subtracts 1209600 seconds (60 * 60 * 24 * 14 = 2 weeks) and converts the result back to a timestamp (TO_TIMESTAMP()), thus producing the date from 2 weeks ago.

You can parameterize the timespan by replacing the fixed number of seconds with MUL(86400, $days) and changing the commandline to this:

logparser -i:evt file:query.sql+days=14

You can also pass the query directly to logparser:

logparser -i:evt "SELECT TimeGenerated,EventID,SourceName,Message FROM ..."

Updated on March 08, 2020

Comments

  • Ivaylo Strandjev about 4 years

    I am trying to export a windows event log but limit the exported events not according to number but according to time the event was logged. I am trying to do that on windows 7 and newer. So far my efforts are focused on using wevtutil.

    I am using wevtutil and my command line now is:

    wevtutil Application events.evtx

    The problem here is that I export the whole log and this can be quite big so I want to limit it just to the last 2 weeks.

    I have found this post but first of all it does not seem to produce any output on my system(yes I have changed the dates and time) and second it seems to be dependent on the date format which I try to avoid.

    Here is the modified command I ran:

    wevtutil qe Application "/q:*[System[TimeCreated[@SystemTime>='2012-10-02T00:00:00' and @SystemTime<'2012-10-17T00:00:00']]]" /f:text
    

    I had to replace the &lt; and &gt; with the actual symbols as I got a syntax error otherwise. This command produces empty output.

  • Ivaylo Strandjev over 11 years
    I would like to avoid using additional executables that are not part of the standard windows distribution if possible.
  • Ivaylo Strandjev over 11 years
    As I want to incorporate this in a script we are shipping with the product we are developing, we would like to avoid a dependency on powershell (legal and licensing issues).
  • Ansgar Wiechers over 11 years
    You can just copy the LogParser executable and DLL to a location of your choice and run it from there, but that's your decision, of course.
  • Ivaylo Strandjev about 11 years
    Still not working for me. This command again produces empty output.
  • Codeguard over 10 years
    This time, you must have forgotten to put the correct dates. I copy-pasted this into commandline, fixed dates, and it worked. Also, I have implemented that in code for our crash diagnostics system and it works just fine.
  • zett42 almost 4 years
    You may also want to include critical messages: Level=1 or Level=2 or Level=3. To construct a query graphically, you can use Event Viewer: In the Actions pane or Action menu, click Filter Current Log. Choose the desired logging options. Click on the XML tab to generate the structured query.