JSI Tip 7296. The Windows XP and Windows Server 2003 EventQuery utility.

Jerold Schulman

October 7, 2003


When you use the Windows XP CMD help, or Windows Server 2003 CMD help, and press Eventquery on the New command-line tools page, you see:

Eventquery.vbs

Lists the events and event properties from one or more event logs.

Syntax

eventquery[.vbs] [/s Computer [/u Domain\User [/p Password]]] [/fi FilterName] [/fo {TABLE | LIST | CSV}] [/r EventRange] [/nh] [/v] [/l [APPLICATION] [SYSTEM] [SECURITY] ["DNS server"] [UserDefinedLog] [DirectoryLogName] [*] ]

Parameters

/s Computer
Specifies the name or IP address of a remote computer (do not use backslashes). The default is the local computer.

/u Domain\User
Runs the script with the account permissions of the user specified by User or Domain\User. The default is the permissions of the current logged on user on the computer issuing the command.

/p Password
Specifies the password of the user account that is specified in the /u parameter.

/fi FilterName
Specifies the types of events to include in or exclude from the query. The following are valid filter names, operators, and values.

| Name | Operator | Value |
|---|---|---|
| Datetime | eq, ne, ge, le, gt, lt | mm/dd/yy(yyyy), hh:mm:ssAM(/PM) |
| Type | eq, ne | {ERROR \| INFORMATION \| WARNING \| SUCCESS \| SUCCESSAUDIT \| FAILUREAUDIT} |
| ID | eq, ne, ge, le, gt, lt | Any valid positive integer. |
| User | eq, ne | Any valid string. |
| Computer | eq, ne | Any valid string. |
| Source | eq, ne | Any valid string. |
| Category | eq, ne | Any valid string. |

/fo {TABLE | LIST | CSV}
Specifies the format to use for the output. Valid values are table, list, and csv.

/r EventRange
Specifies the range of events to list.

| Value | Description |
|---|---|
| N | Lists N most recent events. |
| -N | Lists N oldest events. |
| N1-N2 | Lists the events from N1 to N2. |

/nh
Suppresses column headers in the output. Valid only for table and csv formats.

/v
Specifies that verbose event information be displayed in the output.

/l [APPLICATION] [SYSTEM] [SECURITY] ["DNS server"] [UserDefinedLog] [DirectoryLogName] [*]
Specifies the log(s) to monitor. Valid values are Application, System, Security, "DNS server", a user-defined log, and Directory log. "DNS server" can be used only if the DNS service is running on the computer specified by the /s parameter. To specify more than one log to monitor, reuse the /l parameter. The wildcard (*) can be used and is the default.

/?
Displays help at the command prompt.

Remarks

  • To run this script, you must be running CScript. If you have not already set the default Windows Script Host to CScript, type:

    cscript //h:cscript //s //nologo

Examples

The following examples show how you can use the eventquery command:

eventquery /l system
eventquery /l mylog
eventquery /l application /l system
eventquery /s srvmain /u maindom\hiropln /p p@ssW23 /v /l *
eventquery /r 10 /l application /nh
eventquery /r -10 /fo LIST /l security
eventquery /r 5-10 /l "DNS server"
eventquery /fi "Type eq Error" /l application
eventquery /fi "Datetime eq 06/25/00,03:15:00AM/06/25/00,03:15:00PM" /l application
eventquery /fi "Datetime gt 08/03/00,06:20:00PM" /fi "id gt 700" /fi "Type eq warning" /l system
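
The filter and range tables above can be checked before a query is launched from an audit or triage script. The following is an added example, not part of the original tip or of Microsoft's script: the function names, the rule that string values may not contain double quotes, and the default script path are assumptions of this example.

```python
import re

# The /fi grammar from the table on this page, expressed as data.
ORDERED = {"eq", "ne", "ge", "le", "gt", "lt"}
EQ_NE = {"eq", "ne"}
TYPES = {"ERROR", "INFORMATION", "WARNING", "SUCCESS", "SUCCESSAUDIT", "FAILUREAUDIT"}
STAMP = r"\d\d/\d\d/(?:\d{4}|\d\d),\d\d:\d\d:\d\d(?:AM|PM)"
DATETIME = re.compile(rf"{STAMP}(?:/{STAMP})?", re.I)  # one stamp, or the start/end pair from the examples
RANGE = re.compile(r"-?[0-9]+|[0-9]+-[0-9]+")  # N, -N or N1-N2

def _text(value):
    # Assumption of this example: no empty values, no embedded double quotes.
    return bool(value) and '"' not in value

FILTERS = {
    "datetime": (ORDERED, lambda v: DATETIME.fullmatch(v) is not None),
    "type": (EQ_NE, lambda v: v.upper() in TYPES),
    "id": (ORDERED, lambda v: re.fullmatch(r"[0-9]+", v) is not None and int(v) > 0),
    **{n: (EQ_NE, _text) for n in ("user", "computer", "source", "category")},
}

def check_filter(expr):
    """Validate one 'Name operator value' filter; return it normalised."""
    parts = expr.strip().split(None, 2)
    if len(parts) != 3:
        raise ValueError(f"expected 'Name operator value': {expr!r}")
    name, op, value = parts
    ops, valid = FILTERS.get(name.lower(), (set(), None))
    if op.lower() not in ops:  # also rejects unknown filter names
        raise ValueError(f"filter {name!r} does not accept operator {op!r}")
    if not valid(value):
        raise ValueError(f"bad value for {name!r}: {value!r}")
    return f"{name} {op.lower()} {value}"

def build_argv(logs, filters=(), event_range=None, fmt="CSV", script="eventquery.vbs"):
    """Build an argument list (not a shell string) for cscript."""
    if fmt.upper() not in {"TABLE", "LIST", "CSV"}:
        raise ValueError(f"unknown output format: {fmt!r}")
    argv = ["cscript", "//nologo", script]
    for expr in filters:
        argv += ["/fi", check_filter(expr)]
    argv += ["/fo", fmt.upper()]
    if event_range is not None:
        if not RANGE.fullmatch(event_range):
            raise ValueError(f"bad /r range: {event_range!r}")
        argv += ["/r", event_range]
    for log in logs:
        argv += ["/l", log]
    return argv
```

Passing the returned list to `subprocess.run` keeps each filter as a single argument, so a value containing spaces is quoted for you instead of being pasted into a command string.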


