Returning just the errors using Wevtutil.exe

I posted on how you can use Wevtutil to enumerate the event logs on Server Core or LH.  Someone left a comment asking how they could return just the errors from the System log instead of every event.  That seems like a reasonable question, and with a bit of research, here is the solution.

This queries the System log for all events with a Level of 1 (Critical) or 2 (Error), dumps them in text format, newest first (/RD:TRUE), and stops after 4 events (/C:4).

C:\Windows>wevtutil qe System "/q:*[System[(Level=1 or Level=2)]]" /f:text /RD:TRUE /C:4
Event[0]:
  Log Name: System
  Source: Microsoft-Windows-TerminalServices-RemoteConnectionManager
  Date: 2007-11-04T17:11:22.000
  Event ID: 1041
  Task: N/A
  Level: Error
  Opcode: N/A
  Keyword: Classic
  User: N/A
  User Name: N/A
  Computer: Comp1
  Description:
Autoreconnect failed to reconnect user to session because authentication failed. (Access is denied.)

Event[1]:
  Log Name: System
  Source: Microsoft-Windows-GroupPolicy
  Date: 2007-11-04T14:04:33.147
  Event ID: 1006
  Task: N/A
  Level: Error
  Opcode: Start
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: Comp1
  Description:
The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

Event[2]:
  Log Name: System
  Source: TermDD
  Date: 2007-11-04T12:01:21.118
  Event ID: 56
  Task: N/A
  Level: Error
  Opcode: N/A
  Keyword: Classic
  User: N/A
  User Name: N/A
  Computer: Comp1
  Description:
The Terminal Server security layer detected an error in the protocol stream and has disconnected the client.

Event[3]:
  Log Name: System
  Source: Microsoft-Windows-TerminalServices-RemoteConnectionManager
  Date: 2007-11-04T11:44:23.000
  Event ID: 1041
  Task: N/A
  Level: Error
  Opcode: N/A
  Keyword: Classic
  User: N/A
  User Name: N/A
  Computer: Comp1
  Description:
Autoreconnect failed to reconnect user to session because authentication failed. (Access is denied.)

Update:  Add /r:<system> on the end to query a remote server.

More details on Event selection: http://msdn2.microsoft.com/en-us/library/aa385231.aspx
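As an added example (not part of Brad's post), here is a small Python parser for the /f:text output shown above: it turns each Event[N] block into a record and tallies repeated (Source, Event ID) pairs, which is the first thing you want when triaging an error dump pulled off a Server Core box with wevtutil. The sample text is a constructed excerpt modelled on the output above, not a real capture.

```python
import re
from collections import Counter

# Constructed excerpt modelled on the `wevtutil qe System /f:text` output
# shown in the post (fields trimmed; not a real capture).
SAMPLE = """\
Event[0]:
  Source: Microsoft-Windows-TerminalServices-RemoteConnectionManager
  Date: 2007-11-04T17:11:22.000
  Event ID: 1041
  Level: Error
  Description:
Autoreconnect failed to reconnect user to session because authentication failed. (Access is denied.)

Event[1]:
  Source: Microsoft-Windows-GroupPolicy
  Date: 2007-11-04T14:04:33.147
  Event ID: 1006
  Level: Error
  Description:
The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed).

Event[2]:
  Source: Microsoft-Windows-TerminalServices-RemoteConnectionManager
  Date: 2007-11-04T11:44:23.000
  Event ID: 1041
  Level: Error
  Description:
Autoreconnect failed to reconnect user to session because authentication failed. (Access is denied.)
"""

def parse_wevtutil_text(text):
    """One dict per Event[N]: indented 'Key: value' lines are fields, the unindented text after 'Description:' is the description."""
    events = []
    for block in re.split(r"^Event\[\d+\]:[ \t]*$", text, flags=re.M):
        if not block.strip():
            continue  # anything before the first Event[0] header
        head, _, desc = block.partition("  Description:\n")
        fields = {}
        for line in head.splitlines():
            m = re.match(r"^ {2}([^:]+):[ \t]?(.*)$", line)  # exactly two-space indent
            if m:
                fields[m.group(1)] = m.group(2).strip()
        fields["Description"] = desc.strip()  # may span several lines
        events.append(fields)
    return events

def count_by_source_and_id(events):
    """Tally (Source, Event ID) pairs so repeated errors stand out."""
    return Counter((e["Source"], e["Event ID"]) for e in events)
```

Pipe the real dump in with `wevtutil qe System "/q:*[System[(Level=1 or Level=2)]]" /f:text > errors.txt` and feed the file contents to parse_wevtutil_text to get the same records for the full log.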

Comments
  • Hi Brad,

    I'm having a real struggle getting the query logic to work if passed into wevtutil, where it works with custom views (I've even pasted the query out of evtviewer just to prove it on the cmd line). Are there any good resources to help me create queries with qe /q option?

    The one that fails, that allegedly shouldn't, is time based, e.g. if I want events from the last hour:

    wevtutil.exe qe System "/q:*[System[TimeCreated[timediff(@SystemTime) &lt;= 3600000]]]" /f:text

    it fails with the &lt;= which means less than or equal to. This works fine in the evtviewer xml. I'm struggling to make time based queries (which of course are really cool for scripting) without it.

  • Wish I knew, but I don't.  Sorry!

  • Hey Brad, thanks -- excellent post that answered the exact question I was trying to answer.  Thank you for taking the time to write this up!

  • To answer Mark's query, you need to replace the "&lt;" escape sequence with the "<" less than character.  Then it should work.

    I've blogged about this here:

    http://www.open-a-socket.com/index.php/2008/11/28/exporting-event-logs-with-wevtutilexe-using-a-time-based-query/

    Tony
