Using WEVTUTIL to Manage Event Logs

by [Published on 13 March 2008 / Last Updated on 13 March 2008]

In addition to the new subscription option that Event Viewer now possesses, there is a new command line utility, WEVTUTIL, which allows you to control nearly every aspect of the Event Viewer logs.

Microsoft has finally put the time and energy into giving us a genuinely useful Event Viewer. Windows Vista and Windows Server 2008 ship with a revamped Event Viewer and with additional tools that make the logs easy to manage. Alongside the new event subscription feature, there is a new command line utility, WEVTUTIL, that gives you control over nearly every aspect of the event logs: listing them, reading and exporting events, changing log settings, and clearing logs.

WEVTUTIL Command and Syntax

WEVTUTIL is a powerful command, and its long list of parameters and switches reflects that: because it can control nearly every aspect of the Event Viewer and its logs, there is a switch for nearly every detail.

The main structure of the syntax for WEVTUTIL is the following:

wevtutil [{el | enum-logs}]
         [{gl | get-log} <Logname> [/f:<Format>]]
         [{sl | set-log} <Logname> [/e:<Enabled>] [/i:<Isolation>] [/lfn:<Logpath>] [/rt:<Retention>] [/ab:<Auto>] [/ms:<Size>] [/l:<Level>] [/k:<Keywords>] [/ca:<Channel>] [/c:<Config>]]
         [{ep | enum-publishers}]
         [{gp | get-publisher} <Publishername> [/ge:<Metadata>] [/gm:<Message>] [/f:<Format>]]
         [{im | install-manifest} <Manifest>]
         [{um | uninstall-manifest} <Manifest>]
         [{qe | query-events} <Path> [/lf:<Logfile>] [/sq:<Structquery>] [/q:<Query>] [/bm:<Bookmark>] [/sbm:<Savebm>] [/rd:<Direction>] [/f:<Format>] [/l:<Locale>] [/c:<Count>] [/e:<Element>]]
         [{gli | get-loginfo} <Logname> [/lf:<Logfile>]]
         [{epl | export-log} <Path> <Exportfile> [/lf:<Logfile>] [/sq:<Structquery>] [/q:<Query>] [/ow:<Overwrite>]]
         [{al | archive-log} <Logpath> [/l:<Locale>]]
         [{cl | clear-log} <Logname> [/bu:<Backup>]]
         [/r:<Remote>] [/u:<Username>] [/p:<Password>] [/a:<Auth>] [/uni:<Unicode>]

As with any command, some parameters are mandatory while others are optional. The syntax matters: option values are attached with a colon (for example /f:text), a log name or file path follows its parameter after a space, and a path or query that contains spaces or special characters must be enclosed in double quotes ("). The following table describes each parameter and gives the syntax for its optional switches. A more detailed description of every parameter and option is on the Microsoft TechNet Wevtutil page.

Parameter and description

{el | enum-logs}
    Lists the names of all logs on the computer, including the new Windows Vista and Windows Server 2008 application and service logs, using the exact channel names the other parameters expect.

{gl | get-log} <Logname> [/f:<Format>]
    Displays the configuration of the named log: whether it is enabled or disabled, its maximum size and retention settings, and the path of the file that backs it.

{sl | set-log} <Logname> [/e:<Enabled>] [/i:<Isolation>] [/lfn:<Logpath>] [/rt:<Retention>] [/ab:<Auto>] [/ms:<Size>] [/l:<Level>] [/k:<Keywords>] [/ca:<Channel>] [/c:<Config>]
    Modifies the detailed configuration of the named log: enable or disable it, move its log file, set the maximum size, choose the retention and auto-backup behaviour, and so on.

{ep | enum-publishers}
    Lists the event publishers registered on the local computer. Publishers are the software components that generate events and write them to the logs.

{gp | get-publisher} <Publishername> [/ge:<Metadata>] [/gm:<Message>] [/f:<Format>]
    Displays the configuration of the named publisher; /ge:true adds the metadata for the events it can raise, and /gm:true adds their message strings.

{im | install-manifest} <Manifest>
    Installs the publishers and logs defined in an instrumentation manifest.

{um | uninstall-manifest} <Manifest>
    Removes the publishers and logs defined in an instrumentation manifest.

{qe | query-events} <Path> [/lf:<Logfile>] [/sq:<Structquery>] [/q:<Query>] [/bm:<Bookmark>] [/sbm:<Savebm>] [/rd:<Direction>] [/f:<Format>] [/l:<Locale>] [/c:<Count>] [/e:<Element>]
    Reads events from the specified source. By default <Path> is a log name; with /lf:true, <Path> is the path to a saved log file; with /sq:true, <Path> is the path to a file containing a structured query. /q takes an XPath filter, /c limits the number of events returned, /rd:true returns the newest events first, and /f selects XML or text output.

{gli | get-loginfo} <Logname> [/lf:<Logfile>]
    Displays status information about a log or, with /lf:true, a saved log file: creation and last-write times, file size, and the number of records. This is a quick way to see the overall state of a log.

{epl | export-log} <Path> <Exportfile> [/lf:<Logfile>] [/sq:<Structquery>] [/q:<Query>] [/ow:<Overwrite>]
    Exports events to <Exportfile>. As with query-events, <Path> is a log name, a saved log file (/lf:true) or a structured query file (/sq:true), and /q applies an XPath filter so that only matching events are written; /ow:true overwrites an existing export file.

{al | archive-log} <Logpath> [/l:<Locale>]
    Archives an exported log file in a self-contained form: the locale-specific message information is saved in a subdirectory beside the file, so the events can be read with their full messages on a computer where the publishers are not installed.

{cl | clear-log} <Logname> [/bu:<Backup>]
    Clears the events from the named log. /bu:<path> writes the events to a backup file first, then clears the log.

Table 1
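The query-events row above describes three ways of telling wevtutil where to read from (a live log, a saved file, or a structured query). The following script is an added example, not code from the original article, and shows all three from a PowerShell prompt together with a small bit of post-processing of the XML output. The working directory C:\EventWork, the file names, and the backup file it looks for are assumptions for illustration; queries against the Security log need an elevated prompt.

```powershell
# Added example (not from the original article): three ways to pull events out
# with "wevtutil qe", run from PowerShell. The paths under C:\EventWork and the
# file names are assumptions; adjust them for your environment.

$work = 'C:\EventWork'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Inline XPath filter (/q): the five most recent successful logons (4624),
#    newest first (/rd:true), rendered as text rather than raw XML.
#    Keeping the filter in a variable avoids fighting with nested quotes.
$logonQuery = '*[System[(EventID=4624)]]'
wevtutil qe Security "/q:$logonQuery" /c:5 /rd:true /f:text

# 2. Structured query (/sq:true): the same filter plus failed logons (4625),
#    written in the QueryList format Event Viewer uses for custom views.
#    /e:Events wraps the XML output in one root element so the result is a
#    well-formed document another tool can parse.
$structured = Join-Path $work 'logons.xml'
@'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>
  </Query>
</QueryList>
'@ | Set-Content -Path $structured -Encoding ASCII

$results = Join-Path $work 'logons.xml.out'
wevtutil qe $structured /sq:true /f:xml /e:Events | Set-Content -Path $results

# 3. Reading a saved .evtx instead of a live channel (/lf:true): <Path> is now
#    the file path. This is how you read a backup produced by "epl" or "cl /bu".
$saved = Join-Path $work 'security-backup.evtx'   # assumed to exist
if (Test-Path $saved) {
    wevtutil qe $saved /lf:true /c:3 /f:text
}

# Post-process the XML from step 2: count successful and failed logons per
# target account. TargetUserName is the account field in both 4624 and 4625.
[xml]$doc = Get-Content -Path $results
$doc.Events.Event | ForEach-Object {
    $id   = $_.System.EventID
    $user = ($_.EventData.Data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
    [pscustomobject]@{ EventID = $id; Account = $user }
} | Group-Object EventID, Account | Sort-Object Count -Descending |
  Format-Table Count, Name -AutoSize
```

The structured query file is the same XML that Event Viewer saves for a custom view, so a view built in the GUI can be exported and fed to wevtutil unchanged. Note that /sq:true and /lf:true change the meaning of <Path> rather than adding a second argument: the file path goes where the log name would otherwise go.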

Useful Examples Using WEVTUTIL

With so many new logs and publishers in Windows Vista and Windows Server 2008, it is nice to know you do not have to memorize all of them. You can always browse the Event Viewer to see the listings, but that does not always tell you the exact name that the command line expects for the log or publisher you want to work with. Instead, use one of the following commands to list all of the logs and publishers.

Example 1: Figure 1 shows how to get a full listing of all of the event logs on the local computer.

Figure 1: Using the el parameter lists every event log on the local computer

Example 2: Figure 2 shows how to get a full listing of all of the event publishers on the local computer.

Figure 2: Using the ep parameter lists every event publisher on the local computer

Example 3: Figure 3 shows how to get information about a single event log.

Figure 3: Using the gl parameter with the event log name displays the configuration of that log

Example 4: Figure 4 shows how to export events from an Event Viewer log to a file for archiving or storage.

Figure 4: Using the epl parameter exports an event log to a file

Example 5: Figure 5 shows how to clear a log while making a backup of it first.

Figure 5: Using the cl parameter with the /bu:<path> switch backs up the log and then clears it
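Examples 3 to 5 are the building blocks of a log-rotation routine: inspect the log, export what you need, back up and clear. The script below is an added example, not code from the original article, that strings those verbs together from an elevated PowerShell prompt, checks wevtutil's exit code after every call, and adds the archive-log and get-loginfo steps. The backup directory C:\EventBackups, the 64 MB size, the event IDs in the filter and the server name in the remote example are assumptions for illustration.

```powershell
# Added example (not from the original article): rotate the Security log with
# the wevtutil verbs from Examples 3 to 5. Run from an elevated PowerShell
# prompt. The backup directory, size value and server name are assumptions.

$backupDir = 'C:\EventBackups'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# wevtutil reports failure only through its exit code, so check it after
# every call instead of assuming the command worked.
function Invoke-Wevtutil {
    param([Parameter(ValueFromRemainingArguments = $true)][string[]]$WevtArgs)
    & wevtutil.exe @WevtArgs
    if ($LASTEXITCODE -ne 0) {
        throw "wevtutil $($WevtArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. Configure the channel: 64 MB maximum (/ms is in bytes). With /rt:true the
#    log keeps old events instead of overwriting them when full, and /ab:true
#    (which requires /rt:true) archives the full file automatically. Watch the
#    free space in the log directory when you enable auto-backup.
Invoke-Wevtutil sl Security /ms:67108864 /rt:true /ab:true
Invoke-Wevtutil gl Security          # confirm maxSize, retention and autoBackup

# 2. Export only the events you care about (same XPath syntax as "qe /q").
#    /ow:true overwrites a stale export of the same name.
$filter = '*[System[(EventID=4624 or EventID=4625 or EventID=4672)]]'
$logons = Join-Path $backupDir "Security-logons-$stamp.evtx"
Invoke-Wevtutil epl Security $logons "/q:$filter" /ow:true

# 3. Back up the whole log and clear it in one step. Clearing the Security log
#    writes event 1102 ("The audit log was cleared") to Security, and clearing
#    any other channel writes event 104 to the System log; whoever monitors the
#    logs should expect those events at the scheduled time and nowhere else.
$full = Join-Path $backupDir "Security-full-$stamp.evtx"
Invoke-Wevtutil cl Security "/bu:$full"

# 4. Archive the backup so its messages render on a machine that lacks the
#    publishers: the message data is stored in a subdirectory beside the file.
Invoke-Wevtutil al $full /l:en-US

# 5. Verify: the live log should now be nearly empty and the backup full.
Invoke-Wevtutil gli Security
Invoke-Wevtutil gli $full /lf:true

# Remote use: give /r and /u but omit /p so wevtutil prompts for the password
# rather than leaving it in the command history or a scheduled-task definition.
# Invoke-Wevtutil gli Security /r:server01 /u:CONTOSO\logadmin
```

Two points are worth carrying over to a scheduled job. First, the order matters: export and back up before you clear, because clear-log is not reversible. Second, the backup produced by /bu is a normal .evtx, so the same "qe ... /lf:true" syntax shown in Table 1 reads it later, and archive-log is what makes that backup portable to a workstation that does not have the publishers installed.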

Summary

As you can see, WEVTUTIL gives you far more control over your event logs than you had before. The tool ships with Windows Vista and Windows Server 2008 and controls nearly every aspect of the logs that are generated. Those operating systems come with a whole new range of logs, and with this command line utility you can manage them properly. Because WEVTUTIL is a command line tool, you can also drive log management and archiving from a batch file, a VBScript or your favourite scripting tool, and if you use PowerShell you can call WEVTUTIL from there as well.
