Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
JSI Tip 7296. The Windows XP and Windows Server 2003 EventQuery utility.
Jerold Schulman
October 7, 2003
2 Min Read
When you use the Windows XP CMD help., or Windows Server 2003 CMD help, and press Eventquery on the New command-line tools page, you see:
Eventquery.vbs
Lists the events and event properties from one or more event logs.
Syntax
eventquery[.vbs][/s Computer [/u DomainUser [/p Password]]][/fi FilterName][/fo {TABLE | LIST | CSV}][/r EventRange[/nh][/v][/l [APPLICATION] [SYSTEM] [SECURITY] ["DNS server"] [UserDefinedLog] [DirectoryLogName] [*] ]
Parameters
/s ComputerSpecifies the name or IP address of a remote computer (do not use backslashes). The default is the local computer./u DomainUserRuns the script with the account permissions of the user specified by User or DomainUser. The default is the permissions of the current logged on user on the computer issuing the command./p PasswordSpecifies the password of the user account that is specified in the /u parameter./fi FilterNameSpecifies the types of events to include in or exclude from the query. The following are valid filter names, operators, and values.
Name | Operator | Value |
|---|---|---|
Datetime | eq, ne, ge, le, gt, lt | mm/dd/yy(yyyy), hh:mm:ssAM(/PM) |
Type | eq, ne | {ERROR | INFORMATION | WARNING | SUCCESS | SUCCESSAUDIT | FAILUREAUDIT} |
ID | eq, ne, ge, le, gt, lt | Any valid positive integer. |
User | eq, ne | Any valid string. |
Computer | eq, ne | Any valid string. |
Source | eq, ne | Any valid string. |
Category | eq, ne | Any valid string |
/fo {TABLE | LIST | CSV}Specifies the format to use for the output. Valid values are table, list, and csv./r EventRangeSpecifies the range of events to list.
Value | Description |
|---|---|
N | Lists N most recent events. |
-N | Lists N oldest events. |
N1-N2 | Lists the events from N1 to N2. |
/nhSuppresses column headers in the output. Valid only for table and csv formats./vSpecifies that verbose event information be displayed in the output./l [APPLICATION] [SYSTEM] [SECURITY] ["DNS server"] [UserDefinedLog] [DirectoryLogName] [*] Specifies the log(s) to monitor. Valid values are Application, System, Security, "DNS server", a user-defined log, and Directory log. "DNS server" can be used only if the DNS service is running on the computer specified by the /s parameter. To specify more than one log to monitor, reuse the /l parameter. The wildcard (*) can be used and is the default./?Displays help at the command prompt.
Remarks
To run this script, you must be running CScript. If you have not already set the default Windows Script Host to CScript, type:
cscript //h:cscript //s //nologo
Examples
The following examples show how you can use the eventquery command:
eventquery /l system
eventquery /l mylog
eventquery /l application /l system
eventquery /s srvmain /u maindomhiropln /p p@ssW23 /v /l *
eventquery /r 10 /l application /nh
eventquery /r -10 /fo LIST /l security
eventquery /r 5-10 /l "DNS server"
eventquery /fi "Type eq Error" /l application
eventquery /fi "Datetime eq 06/25/00,03:15:00AM/06/25/00,03:15:00PM" /l application
eventquery /fi "Datetime gt 08/03/00,06:20:00PM" /fi "id gt 700" /fi "Type eq warning" /l system
About the Author
You May Also Like
.png?width=700&auto=webp&quality=80&disable=upscale)