srakaca.blogg.se

Windows server 2008 security event logs
Windows Server 2008 Server Core doesn't have a graphical event viewer. There is a tool called wevtutil.exe that allows you to work your log magic on the console. You can also use the Event Viewer on another (graphical) machine to open the event logs of your Server Core box, or you might opt for a nice event log subscription that forwards event log entries to a dedicated event log machine.

Let's look at how this tool works and how you can do all those things you'd like to perform:

  • View recent entries with specific source.
  • View recent entries with specific event-ID's.

The information in this post is not specific to the Server Core installation option of Windows Server 2008. Both the full installation of Windows Server 2008 and Windows Vista contain the wevtutil executable as well. Unlike in those operating systems, in Server Core your only way to work with (entries in) the event logs on the console is through wevtutil. Of course you can access Server Core event logs from a remote computer using eventvwr.exe or eventvwr.msc, like you can with other Windows (Server) boxes.

If your goal is to view the three most recent entries in one of the standard event logs you're done with just a couple of simple commands:

    Wevtutil.exe qe System /rd:true /c:3 /f:text
    Wevtutil.exe qe Application /rd:true /c:3 /f:text
    Wevtutil.exe qe Security /rd:true /c:3 /f:text
    Wevtutil.exe qe ForwardedEvents /rd:true /c:3 /f:text
    Wevtutil.exe qe Setup /rd:true /c:3 /f:text

Each command will query events (qe) in the specified log in reverse direction (newest first). The output will be in human readable format (text instead of XML) and only the first three events will be returned (specified with the /c switch).

For a list of specific logs you can issue the command to enumerate the logs on the machine:

    Wevtutil.exe el

The length and relevance of this list might justify the use of | more (to control scrolling through the screen) or > enumeratedlogs.txt (to redirect the output to a text file that you can open using notepad.exe).

View recent entries with specific source

When you're after information regarding specific sources that are not in the enumerated logs list you're bound to using an XPath query. Unfortunately the TechNet article discussing wevtutil.exe doesn't give any examples for using this type of query. A quick search however revealed a small trick by Nick Wienholt to eavesdrop on these queries from a regular graphical Event Viewer utility. The only downside to this is that you need to understand which kind of events appear in which event log. This information will point you in the right direction.

To view the three most recent events from a specific source in the System log (for instance) you can use the following command:

    Wevtutil.exe qe System /q:"*[System[Provider[@Name='Source']]]" /rd:true /f:text /c:3

View entries with specific Event ID

Now that we're used to querying XPath style it's not really that hard anymore to query for events in a specific log with specific Event IDs. Again the trick is to target the right log. For instance, when you want to locate all events with Event ID 16 in the System log and want them returned in human readable format, your command line would look something like this:

    Wevtutil.exe qe System /q:"*[System[(EventID=16)]]" /f:text

This output would not be very convenient if you're experiencing this error often, so you might (for instance) want to narrow down the time scope by introducing a second query element that specifies you only want to see the events from the last 7 days:

    Wevtutil.exe qe System /q:"*[System[(EventID=16) and TimeCreated[timediff(@SystemTime) <= 604800000]]]" /f:text

Here the time difference from the local time is measured in seconds.

When you're required to export your logs (for debugging, troubleshooting or legal reasons) the wevtutil executable is your best friend. You can easily export logs by using the epl command from wevtutil.exe. For instance, to export the Security log you can use:

    Wevtutil.exe epl Security C:\ExportedSecurityLog.evtx /ow:true

This might result in a rather large exported log file. You can use the query switch to target specific events in time, by source or by Event ID.

Windows logs can get pretty large pretty fast. In the past I've been confronted with screens that mentioned log files being full, getting overwritten, etcetera. To clear specific logs you can just use the cl command:

    Wevtutil.exe cl Security

This command is the simplest command of them all and pretty destructive. In contrast with the graphical Event Viewer it won't even ask you if you're OK clearing it without making a backup. You can specify a *.evtx backup file using the /bu: switch though, if you feel like it.
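As an added example (not code from the original post), the following Python helper builds the XPath filters for the /q: switch used above (Event ID, source/Provider name, and a time window) and the matching wevtutil qe command line; it assumes wevtutil.exe is on PATH when run on Windows and, on other platforms, only returns the command line it would run.

```python
"""Build wevtutil.exe query strings for the Server Core use cases above."""
import platform
import subprocess
from typing import Iterable, List, Optional

# timediff() in event-log XPath compares milliseconds, so 7 days is 604800000.
DAY_MS = 24 * 60 * 60 * 1000


def build_query(event_ids: Iterable[int] = (), provider: Optional[str] = None,
                days: Optional[int] = None) -> str:
    """Return an XPath filter combining Event ID, Provider name and time window."""
    clauses: List[str] = []
    ids = list(event_ids)
    if ids:
        clauses.append("(" + " or ".join(f"EventID={i}" for i in ids) + ")")
    if provider:
        clauses.append(f"Provider[@Name='{provider}']")
    if days is not None:
        clauses.append(f"TimeCreated[timediff(@SystemTime) <= {days * DAY_MS}]")
    if not clauses:
        return "*"  # no filter: every event in the log
    return "*[System[" + " and ".join(clauses) + "]]"


def wevtutil_args(log: str, query: str = "*", count: int = 3,
                  newest_first: bool = True) -> List[str]:
    """argv for 'wevtutil qe' in human-readable form, newest events first."""
    args = ["wevtutil.exe", "qe", log, f"/q:{query}", "/f:text", f"/c:{count}"]
    if newest_first:
        args.append("/rd:true")
    return args


def run(args: List[str]) -> str:
    """Run the command on Windows; elsewhere return the quoted command line only."""
    if platform.system() != "Windows":
        return subprocess.list2cmdline(args)
    return subprocess.run(args, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Event ID 16 in the System log within the last 7 days, newest three first.
    query = build_query(event_ids=[16], days=7)
    print(run(wevtutil_args("System", query)))
```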