WEVTUTIL (Vista and above)

Retrieve information about event logs and publishers, archive logs in a self-contained format, enumerate the available logs, install and uninstall event manifests, run queries, export events (from an event log, from a log file, or using a structured query) to a specified file, and clear event logs.

Syntax
      wevtutil [{al | archive-log} Logpath [/l:Locale]]
               [{cl | clear-log} Logname [/bu:Backup]]
               [{el | enum-logs}]
               [{gl | get-log} Logname [/f:Format]]
               [{epl | export-log} Path Exportfile [/lf:Logfile] [/sq:Structquery] [/q:Query] [/ow:Overwrite]]
               [{ep | enum-publishers}]
               [{gli | get-loginfo} Logname [/lf:Logfile]]
               [{gp | get-publisher} Publishername [/ge:Metadata] [/gm:Message] [/f:Format]]
               [{im | install-manifest} Manifest]
               [{qe | query-events} Path [/lf:Logfile] [/sq:Structquery] [/q:Query] [/bm:Bookmark]
                    [/sbm:Savebm] [/rd:Direction] [/f:Format] [/l:Locale] [/c:Count] [/e:Element]]
               [{sl | set-log} Logname [/e:Enabled] [/i:Isolation] [/lfn:Logpath] [/rt:Retention]
                    [/ab:Auto] [/ms:Size] [/l:Level] [/k:Keywords] [/ca:Channel] [/c:Config]]
               [{um | uninstall-manifest} Manifest]

      Options accepted by every command (except im and um, which are local only):
               [/r:Remote] [/u:Username] [/p:Password] [/a:Auth] [/uni:Unicode]

Key   (each option may also be written with its long name, e.g. /c or /count, /f or /format, /q or /query)
   /f:Format     The output format, either XML or Text. If <Format> is XML,
                 the output is displayed in XML format. If <Format> is Text, the output is
                 displayed without XML tags. The default is Text. For query-events a third
                 value, RenderedXml, emits the XML with the rendered message text included.
   /e:Enabled    Enable or disable a log. Enabled can be true or false. 
   /i:Isolation  Set the log isolation mode. Isolation can be system, application or custom.
                 The isolation mode of a log determines whether a log shares a session with other
                 logs in the same isolation class. If you specify system isolation, the target log
                 will share at least write permissions with the System log. If you specify application
                 isolation, the target log will share at least write permissions with the Application log.
                 If you specify custom isolation, you must also provide a security descriptor
                 by using the /ca option.
   /lfn:Logpath  Define the log file name. Logpath is a full path to the file where the Event
                 Log service stores events for this log. 
   /rt:Retention Set the log retention mode. Retention can be true or false.
                 The log retention mode determines the behavior of the Event Log service when a log
                 reaches its maximum size. If an event log reaches its maximum size and the log retention
                 mode is true, existing events are retained and incoming events are discarded.
                 If the log retention mode is false, incoming events overwrite the oldest events in the log. 
   /ab:Auto      The log auto-backup policy. Auto can be true or false. If this value is true,
                 the log will be backed up automatically when it reaches the maximum size.
                 If this value is true, the retention (specified with the /rt option)
                 must also be set to true.
   /ms:Size      Set the maximum size of the log in bytes.
                 The minimum log size is 1048576 bytes (1024KB) and log files are always multiples of 64KB,
                 so the value you enter will be rounded off accordingly. 
   /l:Level      Define the level filter of the log. Level can be any valid level value.
                 This option is only applicable to logs with a dedicated session.
                 You can remove a level filter by setting Level to 0. 
   /k:Keywords   Add a keyword filter to the log. Keywords can be any valid 64 bit keyword mask.
                 This option is only applicable to logs with a dedicated session. 
   /ca:Channel   Set the access permission for an event log. Channel is a security descriptor
                 that uses the Security Descriptor Definition Language (SDDL). The access mask in
                 each ACE uses the event log rights 0x1 (read), 0x2 (write) and 0x4 (clear), so
                 this option decides who may read, write to and clear the log; it is required
                 when /i:custom is specified.
   /c:Config     The path to a configuration file.
                 This option will cause log properties to be read from the configuration file
                 defined in Config. If you use this option, you must not specify a <Logname> parameter.
                 The log name will be read from the configuration file. 
   /ge:Metadata  Get metadata information for events that can be raised by this publisher.
                 Metadata can be true or false. 
   /gm:Message   Display the actual message instead of the numeric message ID.
                 Message can be true or false. 
   /lf:Logfile   Read the events from a log or from a log file.
                 Logfile can be true or false. If true, the parameter to the command is the path
                 to a log file. 
   /sq:Structquery Specifies that events should be obtained with a structured query. 
                 Structquery can be true or false. If true, <Path> is the path to a file that
                 contains a structured query. 
   /q:Query      Define the XPath query to filter the events that are read or exported.
                 If this option is not specified, all events will be returned or exported.
                 This option is not available when /sq is true. 
   /bm:Bookmark  The path to a file that contains a bookmark from a previous query. 
   /sbm:Savebm   The path to a file that is used to save a bookmark of this query.
                 The file name extension should be .xml. 
   /rd:Direction The direction in which events are read. Direction can be true or false.
                 If true, the most recent events are returned first. 
   /l:Locale     Define a locale string that is used to print event text in a specific locale.
                 Only available when printing events in text format using the /f option. 
   /c:Count      Sets the maximum number of events to read. 
   /e:Element    Includes a root element when displaying events in XML. <Element> is the string
                 that you want within the root element. For example, /e:root would result
                 in XML that contains the root element pair <root></root>. 
   /ow:Overwrite Specifies that the export file should be overwritten. Overwrite can
                 be true or false. If true, and the export file specified in Exportfile already exists,
                 it will be overwritten without confirmation. 
   /bu:Backup    The path to a file where the cleared events will be stored.
                 Include the .evtx extension in the name of the backup file. 
   /r:Remote     Run the command on a remote computer. Remote is the name of the
                 remote computer. The im and um parameters do not support remote operation. 
   /u:Username   A different user to log on to a remote computer. <Username> is a
                 user name in the form domain\user or user. This option is only applicable when
                 the /r option is specified. 
   /p:Password   The password for the user. If the /u option is used and
                 this option is not specified or Password is "*", the user will be prompted to enter
                 a password. This option is only applicable when the /u option is specified. 
   /a:Auth       The authentication type for connecting to a remote computer.
                 Auth can be Default, Negotiate, Kerberos or NTLM. The default is Negotiate. 
   /uni:Unicode  Displays the output in Unicode. Unicode can be true or false.
                 If Unicode is true then the output is in Unicode.

The primary focus of WEVTUTIL is the configuration and setup of event logs; to retrieve event log data you may find the PowerShell cmdlet Get-WinEvent easier to use and more flexible. Changing a log's configuration or clearing it requires the corresponding right on that channel (by default, administrators), and reading the Security log requires an elevated prompt.
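The set-log options above (retention, auto-backup, size and channel access) in a worked PowerShell script. This is an added example, not code from the SS64 page: it reads a channel's configuration with wevtutil gl, applies a size and backup change with wevtutil sl, reads the configuration back to confirm it, and decodes the channelAccess SDDL to list which principals hold the clear right. The 256 MB target, the Get-WevtLogConfig and Get-ChannelClearers function names, and the choice of the Security log are my assumptions; it needs an elevated prompt, and if Group Policy manages the channel, policy overrides whatever is set here.

```powershell
# Added example (not from the SS64 page): read a channel's configuration with
# "wevtutil gl", change its size and backup behaviour with "wevtutil sl",
# verify the change, and decode the channelAccess SDDL to list who may clear it.
# Assumptions: an elevated prompt; the 256 MB target is an illustrative choice;
# if Group Policy manages the channel, policy overrides whatever is set here.

function Get-WevtLogConfig {
    param([Parameter(Mandatory)][string]$Log)
    $out = & wevtutil gl $Log
    if ($LASTEXITCODE -ne 0) { throw "wevtutil gl $Log failed (exit $LASTEXITCODE)" }
    # Output is "key: value" lines; nested keys (logFileName, maxSize, ...) are indented.
    $cfg = @{}
    foreach ($line in $out) {
        if ($line -match '^\s*(\w+):\s*(.*)$') { $cfg[$Matches[1]] = $Matches[2].Trim() }
    }
    return $cfg
}

# Channel access masks use the event log rights: 0x1 read, 0x2 write, 0x4 clear.
function Get-ChannelClearers {
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        if (($ace.AccessMask -band 0x4) -eq 0) { continue }
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }   # unresolvable SID (deleted account, foreign domain)
        [pscustomobject]@{ Principal = $name; Mask = ('0x{0:x}' -f $ace.AccessMask) }
    }
}

$Log    = 'Security'
$target = 256MB                       # a multiple of 64 KB, so no rounding is expected
$before = Get-WevtLogConfig -Log $Log
"{0}: maxSize={1} retention={2} autoBackup={3}" -f $Log, $before.maxSize, $before.retention, $before.autoBackup

# Archive-when-full instead of overwrite. /ab:true is only valid together with
# /rt:true (see Key), so both are set in the same call.
& wevtutil sl $Log /rt:true /ab:true "/ms:$target"
if ($LASTEXITCODE -ne 0) { throw "wevtutil sl $Log failed (exit $LASTEXITCODE)" }

$after = Get-WevtLogConfig -Log $Log
if ([long]$after.maxSize -ne $target) { Write-Warning "maxSize is $($after.maxSize): rounded to a 64 KB multiple" }
if ($after.retention -ne 'true' -or $after.autoBackup -ne 'true') { throw "retention/autoBackup not applied (policy override?)" }

"Principals allowed to clear $Log (mask bit 0x4):"
Get-ChannelClearers -Sddl $after.channelAccess | Format-Table -AutoSize
```

With retention and auto-backup both true, a full log is archived to the Winevt\Logs directory and emptied rather than overwritten, so no events are lost as long as the disk has room; the SDDL decode is the quick way to audit whether anyone beyond SYSTEM and the local Administrators group has been granted the clear right on a channel.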

Examples

Clear all the events from the Application log (clearing a log is itself recorded: the Security log writes event 1102 and every other log writes System event 104, both from the Microsoft-Windows-Eventlog provider; use /bu to save a copy first):
C:\> WEVTUtil.exe clear-log Application

Export events from the System log to C:\backup\ss64.evtx
C:\> WEVTUtil export-log System C:\backup\ss64.evtx

List the event publishers on the current computer.
C:\> WEVTUtil enum-publishers

Uninstall publishers and logs from the SS64.man manifest file:
C:\> WEVTUtil uninstall-manifest SS64.man

Find the last 20 startup events in the System log, newest first (event 12 from Microsoft-Windows-Kernel-General, "The operating system started"; qualifying the provider avoids matching unrelated events that also use ID 12):

C:\> WEVTUtil query-events System /count:20 /rd:true /format:text /q:"Event[System[Provider[@Name='Microsoft-Windows-Kernel-General'] and (EventID=12)]]"
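The export and query examples above, carried further as a PowerShell script. This is an added example, not code from the SS64 page: it exports a log to .evtx and re-opens the file with /lf:true to confirm the archive is readable, then uses the /bm and /sbm bookmark options to pull only events newer than the previous run and parses the XML output. The Export-AndVerifyLog and Get-NewEvents function names, the C:\backup path and the bookmark file locations under ProgramData are my assumptions; it needs an elevated prompt because it reads the Security log.

```powershell
# Added example (not from the SS64 page): two workflows built on the examples
# above. (1) Export a log to .evtx and re-open the file with /lf:true to confirm
# the archive is readable. (2) Pull only events newer than the previous run with
# the /bm and /sbm bookmark options and parse the XML output. Assumptions: an
# elevated prompt (reading Security requires it), C:\backup exists, and the
# bookmark file locations are placeholders of my choosing.

function Export-AndVerifyLog {
    param([Parameter(Mandatory)][string]$Log, [Parameter(Mandatory)][string]$Path)
    & wevtutil epl $Log $Path /ow:true
    if ($LASTEXITCODE -ne 0) { throw "export of $Log failed (exit $LASTEXITCODE)" }
    # gli on the file (/lf:true) reports numberOfLogRecords without printing events.
    $count = -1
    foreach ($line in (& wevtutil gli $Path /lf:true)) {
        if ($line -match '^numberOfLogRecords:\s*(\d+)') { $count = [long]$Matches[1] }
    }
    if ($count -lt 0) { throw "$Path is not a readable .evtx archive" }
    "$Log -> $Path ($count records)"
}

function Get-NewEvents {
    param(
        [Parameter(Mandatory)][string]$Log,
        [Parameter(Mandatory)][string]$BookmarkPath,
        [string]$XPath = '*',
        [int]$Count = 500
    )
    # Oldest-first (the /rd default) so the saved bookmark always moves forward;
    # /e:Events wraps the output in one root element so it parses as a document.
    $wargs = @('qe', $Log, "/q:$XPath", '/f:xml', '/e:Events', "/c:$Count", "/sbm:$BookmarkPath")
    if (Test-Path $BookmarkPath) { $wargs += "/bm:$BookmarkPath" }   # first run: no bookmark yet
    $raw = & wevtutil @wargs
    if ($LASTEXITCODE -ne 0) { throw "wevtutil qe $Log failed (exit $LASTEXITCODE)" }
    if (-not ($raw -join '').Trim()) { return }                       # nothing new
    $xml = [xml]($raw -join "`n")
    $ns  = @{ e = 'http://schemas.microsoft.com/win/2004/08/events/event' }
    foreach ($ev in (Select-Xml -Xml $xml -XPath '/Events/e:Event' -Namespace $ns)) {
        $sys = (Select-Xml -Xml $ev.Node -XPath 'e:System' -Namespace $ns).Node
        # EventID may carry a Qualifiers attribute (classic events), so read InnerText.
        [pscustomobject]@{
            Time     = [datetime](Select-Xml -Xml $sys -XPath 'e:TimeCreated/@SystemTime' -Namespace $ns).Node.Value
            Provider = (Select-Xml -Xml $sys -XPath 'e:Provider/@Name' -Namespace $ns).Node.Value
            EventId  = [int](Select-Xml -Xml $sys -XPath 'e:EventID' -Namespace $ns).Node.InnerText
            Record   = [long](Select-Xml -Xml $sys -XPath 'e:EventRecordID' -Namespace $ns).Node.InnerText
            Computer = (Select-Xml -Xml $sys -XPath 'e:Computer' -Namespace $ns).Node.InnerText
        }
    }
}

Export-AndVerifyLog -Log 'Security' -Path 'C:\backup\Security.evtx'

# Clearing a log is itself logged by the Microsoft-Windows-Eventlog provider:
# Security 1102 ("The audit log was cleared") and System 104 for other logs.
# Poll for them incrementally; each channel keeps its own bookmark file.
$checks = @(
    @{ Log = 'Security'; Id = 1102 },
    @{ Log = 'System';   Id = 104  }
)
foreach ($c in $checks) {
    $q  = "*[System[Provider[@Name='Microsoft-Windows-Eventlog'] and (EventID=$($c.Id))]]"
    $bm = Join-Path $env:ProgramData ("wevtutil-bookmark-{0}.xml" -f $c.Log)
    Get-NewEvents -Log $c.Log -BookmarkPath $bm -XPath $q | Format-Table -AutoSize
}
```

Run the script repeatedly and each pass returns only events recorded after the bookmark saved by the previous pass; if more than /c events are waiting, the next pass picks up where the bookmark left off. Deleting the bookmark file restarts the collection from the oldest record in the log.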

"The Statesman who yields to war fever must realize that once the signal is given, he is no longer the master of policy but the slave of unforeseeable and uncontrollable events" ~ Sir Winston Spencer Churchill

Related:

EVENTCREATE - Add a message to the Windows event log
SYSMON - Monitor and log system activity to the Windows event log
PowerShell: Get-WinEvent - Get event log data (Vista+)
PowerShell: Get-EventLog - Get event log data (XP/2003)
List of Windows Event IDs.
WMIC NTEVENTLOG - WMI access to the event log


© Copyright SS64.com 1999-2014
Some rights reserved