Professional Windows Server 1002003 Security A Technical Reference [Electronic resources] (text version)


Roberta Bragg

eventquery (new in WS2003)

Displays events from event logs.

Syntax


eventquery [/s Computer [/u Domain\User [/p Password]]] [/fi Filter]
[/fo {TABLE | LIST | CSV}] [/r EventRange] [/nh] [/v]
[/l [APPLICATION] [SYSTEM] [SECURITY] ["DNS server"] [UserDefinedLog]
[DirectoryLogName] [*] ]

Options


/s Computer



Name or IP address of remote computer (if omitted, defaults to local
computer).


/u Domain\User /p Password



Credentials for running the command (if omitted, defaults to
currently logged-on user).


/fi Filter



Filter for specifying types of events to search for (enclose in
quotes). These can be:

Datetime {eq | ne | ge | le | gt | lt} {mm/dd/yy(yyyy) | hh:mm:ss{AM | PM}}
Type {eq | ne} {ERROR | INFORMATION | WARNING | SUCCESS | SUCCESSAUDIT | FAILUREAUDIT}
ID {eq | ne | ge | le | gt | lt} ValidInteger
User {eq | ne} ValidString
Computer {eq | ne} ValidString
Source {eq | ne} ValidString
Category {eq | ne} ValidString


/fo {TABLE | LIST | CSV}



Format for command output.


/r EventRange



Range of events to display. This can be:

N        Lists N most recent events
-N       Lists N oldest events
N1-N2    Lists events N1 to N2




/nh



No headers for columns in output (TABLE and
CSV format only).


/v



Verbose information should be displayed.


/l [APPLICATION] [SYSTEM] [SECURITY] ["DNS server"] [UserDefinedLog] [DirectoryLogName] [*]



One or more logs to query, with the default being wildcard (*). Reuse
the /l switch if you want to query more than one
log.



Examples


Display five most recent events from System log:

eventquery /l system /r 5
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
----------------------------------------------------------------------------
Listing the events in 'system' log of host 'ESRV210D'
----------------------------------------------------------------------------
Type          Event  Date Time               Source            ComputerName
------------- ------ ----------------------- ----------------- ------------
Warning       40961  3/26/2003 10:26:15 AM   LSASRV            ESRV210D
Warning       36     3/26/2003 10:25:55 AM   W32Time           ESRV210D
Warning       20     3/26/2003 9:51:41 AM    Print             ESRV210D
Error         1111   3/26/2003 9:51:17 AM    TermServDevices   ESRV210D
Error         1111   3/26/2003 9:51:17 AM    TermServDevices   ESRV210D

Search the System log for events with ID 36 and display the results
in list format:

eventquery /fi "ID eq 36" /l SYSTEM /fo LIST
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
----------------------------------------------------------------------------
Listing the events in 'system' log of host 'ESRV210D'
----------------------------------------------------------------------------
Type: Warning
Event: 36
Date Time: 3/26/2003 10:25:55 AM
Source: W32Time
ComputerName: ESRV210D
Type: Warning
Event: 36
Date Time: 3/11/2003 11:42:32 AM
Source: W32Time
ComputerName: ESRV210D

Repeat the command but display verbose output instead:

eventquery /fi "ID eq 36" /l SYSTEM /fo LIST /v
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
----------------------------------------------------------------------------
Listing the events in 'system' log of host 'ESRV210D'
----------------------------------------------------------------------------
Type: Warning
Event: 36
Date Time: 3/26/2003 10:25:55 AM
Source: W32Time
ComputerName: ESRV210D
Category: None
User: N/A
Description: The time service has not synchronized the system time for
86400 seconds because none of the time service providers provided a usable
time stamp.
The time service is no longer synchronized and cannot provide the time to
other clients or update the system clock. Monitor the system events
displayed in the Event Viewer to make sure that a more serious problem
does not exist.
Type: Warning
Event: 36
Date Time: 3/11/2003 11:42:32 AM
Source: W32Time
ComputerName: ESRV210D
Category: None
User: N/A
Description: The time service has not synchronized the system time for
86400 seconds because none of the time service providers provided a usable
time stamp.
The time service is no longer synchronized and cannot provide the time to
other clients or update the system clock. Monitor the system events
displayed in the Event Viewer to make sure that a more serious problem does
not exist.
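
An added example (not from the book): a Python parser for the /fo LIST /v output shown above, which splits the stream into records and rejoins wrapped Description lines so events can be counted by source and ID. The function names and the abridged sample are assumptions of this example, and the timestamp format is assumed to be the US-style one seen in the output above.

```python
from collections import Counter
from datetime import datetime

FIELDS = {"Type", "Event", "Date Time", "Source", "ComputerName",
          "Category", "User", "Description"}   # labels seen in LIST output
BANNER = ("Microsoft (R)", "Copyright (C)", "Listing the events")

def parse_list_output(text):
    """Parse `eventquery /fo LIST [/v]` output into a list of dicts."""
    records, last_key = [], None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(BANNER) or set(line) == {"-"}:
            continue                      # blank, script-host banner, rule line
        key, sep, value = line.partition(":")
        if sep and key in FIELDS:
            if key == "Type":             # "Type:" opens a new record
                records.append({})
            if records:
                records[-1][key] = value.strip()
                last_key = key
        elif records and last_key == "Description":
            records[-1]["Description"] += " " + line   # wrapped description
    for rec in records:
        rec["Event"] = int(rec["Event"])
        # Assumes the US-style timestamp format shown in the page's output.
        rec["When"] = datetime.strptime(rec["Date Time"], "%m/%d/%Y %I:%M:%S %p")
    return records

def summarize(records):  # (Source, Event ID, Type) counts, most frequent first
    return Counter((r["Source"], r["Event"], r["Type"]) for r in records).most_common()

# Sample input abridged from the verbose example on this page.
SAMPLE = """\
----------------------------------------------------------------------------
Listing the events in 'system' log of host 'ESRV210D'
Type: Warning
Event: 36
Date Time: 3/26/2003 10:25:55 AM
Source: W32Time
ComputerName: ESRV210D
Description: The time service has not synchronized the system time for
86400 seconds because none of the time service providers provided a usable
time stamp.
Type: Warning
Event: 36
Date Time: 3/11/2003 11:42:32 AM
Source: W32Time
ComputerName: ESRV210D
"""
```

A wrapped description line that itself begins with one of the field labels followed by a colon would be read as a new field, so treat the parsed Description as best-effort.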

Notes


This command is a .vbs script and requires CScript to run. You can make
CScript your default script host by typing the following at the command
prompt:

cscript //h:cscript //s

See Also


Event Logs

