Windows Server 2008 (and Vista) offer improved options for event log management. For example, you now have the option to forward events to a central event collector server. You also now have powerful filtering capabilities. One of the features I like is the Wevtutil command-line tool that allows you to retrieve, query, archive, export and clear events. It’s the best option you have if you use Server Core and don’t want to open the firewall to allow remote access using the Event Viewer UI.
Recently, I had to schedule the export of events using Wevtutil using a time-based query. It took me a little while to get the query syntax right, so I thought I would share it with you here.
Let’s take a scenario in which you want to export all events from in the past 24 hours from the security log to a *.evtx file. (Note. The default format for exported event log files in Vista and Windows Server 2008 is *.evtx. For a good explanation of the differences between evt and evtx see this blog entry). You can leverage the Windows Event Viewer (eventvwr) to assist you with obtaining the query required to filter the log to show only events from the past 24 hours. To do this, click on your event log of choice (in this case Security). In the right-hand action pane click Filter Current Log. Within the Filter tab, select the drop-down list next to Logged and choose Last 24 hours. Now click on the XML tab. The query is embedded within the XML content, as follows:
*[System[TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
The Wevtutil command to use the filter is shown below (may wrap).
wevtutil.exe epl Security C:\SecurityLog24hours.evtx “/q:*[System[TimeCreated[timediff(@SystemTime) <= 86400000]]]” /ow:true
Note that you have to replace the “&lt;” escape sequence meaning “less than” from the XML original with the “<” character, otherwise the query does not work and you will receive the error:
Failed to export log Security. The specified query is invalid.
The time-based filter I have used in this example only scratches the surface of the query capabilities you have with Wevtutil. The fact that you can leverage the capabilities within the Event Viewer UI to assist with building the queries takes a lot of the pain away. For more information about Wevtutil, including all the available command line options, see this page on Microsoft Technet.
Ages after the original post, of course, but thank you very much from a random google visitor, who happened to look for precisely this nugget of information! 🙂
you may change your script and try as in follows;
wevtutil.exe epl Security C:\SecurityLog24hours.evtx
/q:”*[System[TimeCreated[timediff(@SystemTime) <= 86400000]]]”
Thanks for the info. Tried the query option for about an hour with no success. And then finally I am here …. You saved me!.. Thanks a lot 🙂
Pingback: Read more
Thanks a lot. After little repurposing your line and adding to PowerShell function was able to collect event logs from dozens servers within a few minutes… Thanks
Thanks, great article! On the other hand there are cases, when Windows Server’s event log management is simply not enough, especially when working with more than one servers and multiple operating systems, like Windows, Linux, Android, etc. There is an open source log management tool which allows centralized log management – https://nxlog.co/products/nxlog-community-edition – at high.performance and can scale to thousands of servers called NXLog, really worth checking out! It’s free and available on the website.