WEVTUTIL queries

Community

Email Notifications

.NET Performance

It is possible to query the event log in Windows Vista using the WEVUTIL command line tool, passing any arbitrarily complex query. Unfortunately, the syntax needed by the query command line paramter (/q) doesn't seem to be documented (I was searching for this syntax when I got my own article back) Thanks to Ted Barnes for the question.

I've found that the simpliest way to get the search query is to let Vista do the heavy lifting for you. First, create a filter, as shown below

Then, save the filter to a custom view

Bring up the properties of this custom view

And edit the filter

Apply whatever filter you need

And then copy the text of the Select element to as the /q paramter

In this case, the syntax would be: wevtutil qe System /rd:true /f:text /q:*[System[(EventID=7036)]]

Posted: Nov 21 2006, 04:58 AM by nick | with no comments

Filed under: .NET

Questions? Contact Susan at Susan-at-msmvps.com. Each post's copyright held by the original author. All rights reserved. Blog site is an independent site not sponsored by Microsoft.
Our servers would like to thank www.ownwebnow.com and www.exchangedefender.com. We wouldn't be here without the generosity of Vlad Mazek and his companies.

Powered by Community Server (Commercial Edition), by Telligent Systems

Theme based on the Paperclip Blog Theme included in Community Server.
Enhanced to a Site-Wide Theme by Interscape Technologies.

Recent Posts

Tags

Community

Email Notifications

Archives

.NET Performance

WEVTUTIL queries