Eventquery.vbs
This page is from Microsoft
Lists the events and event properties from one or more event
logs.
Syntax
eventquery[.vbs] [/s Computer [/u Domain\User [/p Password]]]
[/fi FilterName] [/fo {TABLE | LIST | CSV}] [/r EventRange] [/nh] [/v]
[/l [APPLICATION] [SYSTEM] [SECURITY] ["DNS server"] [UserDefinedLog]
[DirectoryLogName] [*] ]
Parameters
/s Computer
Specifies the name or IP address of a remote
computer (do not use backslashes). The default is
the local computer.
/u Domain\User
Runs the script with the account permissions of the
user specified by User or Domain\User.
The default is the permissions of the current logged
on user on the computer issuing the command.
/p Password
Specifies the password of the user account that is
specified in the /u parameter.
/fi FilterName
Specifies the types of events to include in or
exclude from the query. The following are valid
filter names, operators, and values.

Name      Operator                Value
Datetime  eq, ne, ge, le, gt, lt  mm/dd/yy(yyyy), hh:mm:ssAM(/PM)
Type      eq, ne                  {ERROR | INFORMATION | WARNING | SUCCESS | SUCCESSAUDIT | FAILUREAUDIT}
ID        eq, ne, ge, le, gt, lt  Any valid positive integer.
User      eq, ne                  Any valid string.
Computer  eq, ne                  Any valid string.
Source    eq, ne                  Any valid string.
Category  eq, ne                  Any valid string
/fo {TABLE | LIST | CSV}
Specifies the format to use for the output. Valid
values are table, list, and csv.
/r EventRange
Specifies the range of events to list.

Value  Description
N      Lists N most recent events.
-N     Lists N oldest events.
N1-N2  Lists the events from N1 to N2.
/nh
Suppresses column headers in the output. Valid only
for table and csv formats.
/v
Specifies that verbose event information be
displayed in the output.
/l [APPLICATION] [SYSTEM] [SECURITY]
["DNS server"] [UserDefinedLog] [DirectoryLogName]
[*]
Specifies the log(s) to monitor. Valid values are
Application, System, Security,
"DNS server", a user-defined log, and Directory
log. "DNS server" can be used only if the DNS
service is running on the computer specified by the
/s parameter. To specify more than one log to
monitor, reuse the /l parameter. The wildcard
(*) can be used and is the default.
/?
Displays help at the command prompt.
Remarks
- To run this script, you must be running CScript. If you have
not already set the default Windows Script Host to CScript,
type:
cscript //h:cscript //s //nologo
Examples
The following examples show how you can use the eventquery
command:
eventquery /l system
eventquery /l mylog
eventquery /l application /l system
eventquery /s srvmain /u maindom\hiropln /p p@ssW23 /v /l *
eventquery /r 10 /l application /nh
eventquery /r -10 /fo LIST /l security
eventquery /r 5-10 /l "DNS server"
eventquery /fi "Type eq Error" /l application
eventquery /fi "Datetime eq 06/25/00,03:15:00AM/06/25/00,03:15:00PM" /l application
eventquery /fi "Datetime gt 08/03/00,06:20:00PM" /fi "id gt 700" /fi "Type eq warning" /l system
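An added example, not part of the Microsoft page: Python code that checks /fi and /r values against the tables above before passing them to eventquery as an argument list, so no command string is assembled from untrusted text. The function names, the rule that string values and log names may not contain quotes or line breaks, and accepting a second timestamp after "/" (as in the Datetime eq example) are assumptions.

```python
import re

# Constructed from the /fi table on this page: name -> (operators, value pattern).
_TS = r"\d{2}/\d{2}/(?:\d{4}|\d{2}),\d{2}:\d{2}:\d{2}(?:AM|PM)"
_ORDERED = {"eq", "ne", "ge", "le", "gt", "lt"}
_EQUALITY = {"eq", "ne"}
_STRING = r'[^"\r\n]+'  # assumption: no quotes or line breaks in string values
FILTERS = {
    # assumption: a second timestamp after "/" is allowed, as in the page's example
    "datetime": (_ORDERED, rf"{_TS}(?:/{_TS})?"),
    "type": (_EQUALITY, "ERROR|INFORMATION|WARNING|SUCCESS|SUCCESSAUDIT|FAILUREAUDIT"),
    "id": (_ORDERED, r"[1-9]\d*"),
    "user": (_EQUALITY, _STRING),
    "computer": (_EQUALITY, _STRING),
    "source": (_EQUALITY, _STRING),
    "category": (_EQUALITY, _STRING),
}

def check_filter(expr):
    """Return the filter unchanged if it fits the /fi table, else raise ValueError."""
    parts = expr.split(None, 2)
    if len(parts) != 3:
        raise ValueError(f"expected 'Name operator value': {expr!r}")
    name, op, value = parts
    if name.lower() not in FILTERS:
        raise ValueError(f"unknown filter name: {name!r}")
    operators, pattern = FILTERS[name.lower()]
    if op.lower() not in operators:
        raise ValueError(f"operator {op!r} is not valid for {name}")
    if not re.fullmatch(pattern, value, re.IGNORECASE):
        raise ValueError(f"value {value!r} is not valid for {name}")
    return expr

def check_range(text):
    """Accept N, -N or N1-N2 as described for /r."""
    if not re.fullmatch(r"-?[1-9]\d*|[1-9]\d*-[1-9]\d*", text):
        raise ValueError(f"bad event range: {text!r}")
    return text

def build_args(logs, filters=(), event_range=None):
    """Build the eventquery argument list (no shell string is assembled)."""
    args = []
    for f in filters:
        args += ["/fi", check_filter(f)]
    if event_range is not None:
        args += ["/r", check_range(event_range)]
    for log in logs:
        if not re.fullmatch(_STRING, log):
            raise ValueError(f"bad log name: {log!r}")
        args += ["/l", log]
    return args
```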
Formatting legend
Italic: Information that the user must supply
Bold: Elements that the user must type exactly as shown
Ellipsis (...): Parameter that can be repeated several times in a command line
Between brackets ([]): Optional items
Between braces ({}); choices separated by pipe (|). Example: {even|odd}: Set of choices from which the user must choose only one
Courier font: Code or program output