Reading EventViewer from the Command-Line
Using wmic
The wmic NTEVENT command can be used to dump out the contents of EventViewer logs to the command-line. Here’s an example:
wmic NTEVENT WHERE "LogFile='security' AND TimeGenerated > '20100709173000.000000-300'"
The TimeGenerated is NOT epoch, but is a string in the form of YYYYMMDDHHmmSS.uuuuuu-ZZZ where:
| Label | Meaning |
|---|---|
| Y | Year |
| M | Month |
| D | Day |
| H | Hour |
| m | Minute |
| S | Second |
| u | Microsecond |
| - | Literally, a - |
| Z | Timezone offset in minutes from UTC (not hours) |
It’s also possible to add a GET to the query like so:
wmic NTEVENT WHERE "LogFile='security' AND TimeGenerated > '20100709173000.000000-300'" GET TimeGenerated
And here’s how to output as a CSV file:
wmic NTEVENT WHERE "LogFile='security' AND TimeGenerated > '20100709173000.000000-300'" GET TimeGenerated,User /format:csv
See also:
- http://technet.microsoft.com/en-us/library/cc784189%28WS.10%29.aspx
- http://xinn.org/misc-scripts/wmic.txt
WMITools.exe can do a lot of this stuff, but practically locks up my system.
Using Microsoft Log Parser
Microsoft has a tool called Log Parser that can can also parse the event logs.