3

Can someone explain me how to get access to arbitrary system logs in eventlog service files?

Now I'm poking around WMI(wmic.exe) and trying to execute following commands:

For system services like applications this approach works ok:

WMIC NTEVENT WHERE "LogFile='application'"

And the other log file with following syntax fails.

WMIC NTEVENT WHERE "LogFile='Microsoft-Windows-CAPI2/Operational'"

leads to:

No Instance(s) Available.

Can somebody share working command to do the job or any kind of tutorial about that stuff?

user3441253
  • 133
  • 1
  • 5

1 Answers1

2

I always use powershell for these kind of things; there are plenty of cmdlets that help extract this data in a useful way, and there are myriad scripts online that can get you whatever you might need.

Note: I've tested these on Windows 8 and Server 2012, and they work fine. You didn't specify an OS. You will also need to run Powershell as an administrator.

The simplest method is to look in Event Viewer (eventvwr.exe), and right-click -> Properties on the log you wish to parse. Find the Log Path, and you can query the log as simply as this:

get-winevent -path <full_path_to_logfile.evtx>

As an example, you can try this one, which should exist on your Windows machine:

get-winevent -path C:\Windows\System32\winevt\Logs\Security.evtx

Get-winevent is a built-in cmdlet, so you should have it available. You can use regular powershell logic to strip out only the parts you like, or pipe them to a file, or lots of other fun stuff. Hope this helps!

jski
  • 911
  • 1
  • 7
  • 20
  • Thank you for your reply. I'll try it as soon as I can. I apologize that because of lack of reputation can not upvote your answer. – user3441253 Jul 15 '14 at 16:55
  • No worries. I'm relatively new myself :) Definitely come back with improvements you add though, so others can be helped if it works for you! – jski Jul 15 '14 at 17:33
  • Thanks for your help, powershell approach works fine. Maybe you can advice me also how to redirect all output to the file(csv/txt/any) and specify multiple log files? – user3441253 Jul 16 '14 at 05:37
  • @user3441253 Shouldn't be too complicated. You'd likely want to use Out-File to write the results to a file, and then you can just use basic Powershell scripting to assign filenames based on a variable like date, or date and time, etc. A little Google-ing will go a long way, and you'll learn for the future as well! – jski Jul 22 '14 at 20:39