<WRAP round info> This is a slapdash, slipshod, scattershot, quick-n-dirty, ephemeral article. </WRAP>
wevtutil el
wevtutil el | findstr /i <string value to match>
wevtutil gl System
name: System
enabled: true
type: Admin
owningPublisher:
isolation: System
channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;BO)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x3;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\System.evtx
  retention: false
  autoBackup: false
  maxSize: 20971520
publishing:
  fileMax: 1
wevtutil ep
wevtutil gp <publisher name>
wevtutil <command> /r:<remote_computer_name> /u:<user_name> /p:<password>
wevtutil el /r:<remote_computer_name> /u:<user_name> /p:<password>
wevtutil qe Security /c:5 /rd:true /f:text
wevtutil qe Security /c:5 /rd:true /f:text /r:<remote_computer_name> /u:<user_name> /p:<password>
Example:
wevtutil qe Microsoft-Windows-Winlogon /c:5 /rd:true /f:text
The /q: option takes an XPath (1.0 subset) query over each event's XML. The general form is:
/q:"*[System[(<element>=<value>)]]"
Note that System here is the <System> element of the event XML (which holds EventID, Provider, TimeCreated, etc.), not the System log; the channel to search is the first argument to qe. Fields that live under <EventData> are matched with EventData[Data[@Name='<field>']='<value>'].
wevtutil qe System /q:"*[System [(EventID=7001)]]" /c:1 /rd:true /format:text
wevtutil qe System /q:"*[System[Provider[@Name='Microsoft-Windows-Winlogon']]]" /c:1 /rd:true /f:text
wevtutil qe Security /q:"*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and Task=12544 and (EventID=4624)] and EventData[Data[@Name='LogonType']='2']]" /e:Events
Query the Microsoft-Windows-TaskScheduler/Operational channel (shown under Applications and Services Logs\Microsoft\Windows\TaskScheduler in the Event Viewer).
wevtutil qe Microsoft-Windows-TaskScheduler/Operational /c:5
Query for the most recent failed logon event (4625).
C:\Users\Administrator>wevtutil qe Security /q:"*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4625)] and EventData[Data[@Name='LogonType']='2']]" /e:Events /rd:true /c:1 /format:text
wevtutil qe Security /q:"*[System [(EventID=4625)]]" /c:1 /rd:true /format:text
Query for events in the System channel from the Microsoft-Windows-Winlogon provider.
wevtutil qe System /q:"*[System[Provider[@Name='Microsoft-Windows-Winlogon']]]" /c:1 /rd:true /f:text
Event[0]:
  Log Name: System
  Source: Microsoft-Windows-Winlogon
  Date: 2014-06-18T09:50:45.442
  Event ID: 7001
  Task: N/A
  Level: Information
  Opcode: Info
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: E5420_MGupton.alertlogic.net
  Description:
User Logon Notification for Customer Experience Improvement Program
c:\temp>wevtutil qe System /q:"*[System [(EventID=1074)]]" /c:1 /rd:true /format:text
Event[0]:
  Log Name: System
  Source: USER32
  Date: 2015-02-04T07:23:47.000
  Event ID: 1074
  Task: N/A
  Level: Information
  Opcode: N/A
  Keyword: Classic
  User: S-1-5-21-3226147087-3892606130-1661063148-5381
  User Name: ALERTLOGIC\mgupton
  Computer: E5420_MGupton.alertlogic.net
  Description:
The process C:\Windows\system32\winlogon.exe (E5420_MGUPTON) has initiated the restart of computer E5420_MGUPTON on behalf of user ALERTLOGIC\mgupton for the following reason: No title for this reason could be found
 Reason Code: 0x500ff
 Shutdown Type: restart
 Comment:
c:\temp>wevtutil qe Security /q:"*[System [(EventID=4608)]]" /c:1 /rd:true /format:text
Event[0]:
  Log Name: Security
  Source: Microsoft-Windows-Security-Auditing
  Date: 2015-02-04T07:25:18.260
  Event ID: 4608
  Task: Security State Change
  Level: Information
  Opcode: Info
  Keyword: Audit Success
  User: N/A
  User Name: N/A
  Computer: E5420_MGupton.alertlogic.net
  Description:
Windows is starting up.

This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
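The same XPath filter syntax works from PowerShell through Get-WinEvent -FilterXPath, which makes it practical to turn the raw 4625 records above into something reviewable. The following is an added example, not code from the original page: it pulls failed logons from the Security channel, reads the EventData fields by name, and groups them by source address so that one host trying many accounts (the password-spray shape) stands out. The look-back window and event cap are assumed defaults; adjust them to the host.

```powershell
# Added example, not from the original page: summarise failed logons (4625) from
# the Security channel using the same XPath filter syntax that wevtutil /q: takes.
# Run from an elevated PowerShell session; the Security log is admin-only.
function Get-FailedLogonSummary {
    param(
        [int]$Hours     = 24,     # look-back window (assumed default)
        [int]$MaxEvents = 5000    # cap the read on busy hosts (assumed default)
    )
    # timediff(@SystemTime) is the age of the event in milliseconds.
    $ms    = [int64]$Hours * 3600 * 1000
    $xpath = "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] " +
             "and EventID=4625 and TimeCreated[timediff(@SystemTime) <= $ms]]]"

    $events = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Render the event as XML so the <EventData><Data Name="..."> fields can be read by name.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            RecordId    = $e.RecordId
            TargetUser  = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            LogonType   = $d['LogonType']      # 2 interactive, 3 network, 10 RemoteInteractive (RDP)
            Source      = $d['IpAddress']
            Workstation = $d['WorkstationName']
            Status      = $d['Status']         # 0xC000006D = bad user name or password
            SubStatus   = $d['SubStatus']      # 0xC0000064 = no such user, 0xC000006A = wrong password
        }
    }
}

# Group by source: one address failing against many distinct accounts is the spray pattern.
Get-FailedLogonSummary -Hours 1 |
    Group-Object Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Accounts'; e = { ($_.Group.TargetUser | Sort-Object -Unique).Count } }
```

Reading the fields through EventData[Data[@Name='...']] is the same mechanism as the LogonType filter in the wevtutil queries above; doing it after the fact in PowerShell just avoids writing one XPath expression per field you want to pivot on.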
The Microsoft command line tool wevtutil can also be used to get and set the Windows Event Log retention policy.

Set the log file size limit behaviour to overwrite the oldest events first:
wevtutil sl <Log Name> /r:false /ab:false

The following is an example of setting the Application log to overwrite the oldest events first. /r:false specifies that when the log reaches its maximum size new events overwrite the oldest ones. /ab:false specifies that when the log reaches its maximum size it is not automatically backed up.
wevtutil sl Application /r:false /ab:false

Set the maximum log file size for the specified log stream:
wevtutil sl <Log Name> /ms:<MaxSizeInBytes>

The following example sets the maximum log file size for the Application stream to 60 MB (60 * 1024 * 1024 bytes):
wevtutil sl Application /ms:62914560

The following command displays the current configuration for the specified log stream:
wevtutil gl <Log Name>

Example for getting the configuration for the System log stream:
wevtutil gl System
Set log file max. size.
wevtutil sl <LogName> /ms:<MaxSizeInBytes>
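A per-host check that the size and retention settings above are actually in place is worth scripting, because a Security log that is too small on a busy host overwrites itself in hours, and a channel left in Retain mode (/r:true /ab:false) simply stops recording when full. The following is an added example, not code from the original page. It reads the same configuration that wevtutil gl shows, through Get-WinEvent -ListLog, and compares it against a baseline; the baseline sizes and channel list are assumptions chosen for illustration, not a Microsoft recommendation.

```powershell
# Added example, not from the original page: compare configured channel size and
# retention mode against a baseline and flag shortfalls. Baseline values are assumed.
function Test-EventLogRetention {
    param(
        [hashtable]$Baseline = @{
            'Security'                                  = 1GB
            'System'                                    = 256MB
            'Application'                               = 256MB
            'Microsoft-Windows-PowerShell/Operational'  = 256MB
        }
    )
    foreach ($name in $Baseline.Keys) {
        # Same data as "wevtutil gl <name>": maxSize, retention/autoBackup, enabled.
        $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        if (-not $log) {
            [pscustomobject]@{ LogName = $name; Enabled = $false; MaxSizeMB = 0;
                               WantedMB = [math]::Round($Baseline[$name] / 1MB);
                               LogMode = 'missing'; Records = 0; TooSmall = $true }
            continue
        }
        [pscustomobject]@{
            LogName   = $name
            Enabled   = $log.IsEnabled
            MaxSizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB)
            WantedMB  = [math]::Round($Baseline[$name] / 1MB)
            # Circular   = overwrite oldest      (wevtutil sl /r:false /ab:false)
            # AutoBackup = archive when full     (wevtutil sl /r:true  /ab:true)
            # Retain     = stop logging when full (wevtutil sl /r:true  /ab:false)
            LogMode   = $log.LogMode
            Records   = $log.RecordCount
            TooSmall  = $log.MaximumSizeInBytes -lt $Baseline[$name]
        }
    }
}

# Report only what needs fixing; remediate with wevtutil sl, e.g.
#   wevtutil sl Security /ms:1073741824 /r:false /ab:false
Test-EventLogRetention | Where-Object { $_.TooSmall -or $_.LogMode -eq 'Retain' -or -not $_.Enabled } | Format-Table
```

The LogMode value maps directly onto the /r and /ab switches shown above, so a row reporting Retain is the same condition that "wevtutil gl" reports as retention: true with autoBackup: false.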
A provider is a source of events. A single provider can write to multiple channels. A channel is a distinct data store (a log file on disk) for a collection of events.
c:\temp>wevtutil ep|findstr /i winlogon
Microsoft-Windows-Winlogon
c:\temp>wevtutil gp Microsoft-Windows-Winlogon
name: Microsoft-Windows-Winlogon
guid: dbe9b383-7cf3-4331-91cc-a3cb16a3b538
helpLink: http://go.microsoft.com/fwlink/events.asp?CoName=Microsoft%20Corporation&ProdName=Microsoft%c2%ae%20Windows%c2%ae%20Operating%20System&ProdVer=6.1.7601.17514&FileName=winlogon.exe&FileVer=6.1.7601.17514
resourceFileName: C:\Windows\system32\winlogon.exe
messageFileName: C:\Windows\system32\winlogon.exe
message: 2415919105
channels:
  channel:
    name: Microsoft-Windows-Winlogon/Diagnostic
    id: 16
    flags: 0
    message:
  channel:
    name: Microsoft-Windows-Winlogon/Operational
    id: 17
    flags: 0
    message:
  channel:
    name: System
    id: 8
    flags: 1
    message: 2415919106
--- snip ---
c:\temp>wevtutil gl Microsoft-Windows-Winlogon/Operational
name: Microsoft-Windows-Winlogon/Operational
enabled: true
type: Operational
owningPublisher: Microsoft-Windows-Winlogon
isolation: Application
channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx
  retention: false
  autoBackup: false
  maxSize: 1052672
publishing:
  fileMax: 1
Export a legacy .evt log file to .evtx format. /lf:true tells wevtutil that the first argument is the path to a log file rather than a channel name.
wevtutil epl application.evt application.evtx /lf:true
By querying the data as XML (/f:xml) the EventRecordID element is returned. This value is the unique identifier of the event record within its channel: an ordinal that starts at 1 and is incremented by 1 for every record written to that channel. Because the sequence is contiguous, a gap between two adjacent records in a log, or in a collected copy of it, means records are missing.
wevtutil qe System /c:1 /rd:true /f:xml
For each event record Windows keeps this unique record number. The name of the value varies with how the event data is accessed: it is EventRecordID in the XML view of the Windows Event Viewer GUI and in wevtutil /f:xml output, RecordId on the objects returned by Get-WinEvent, and Index on the objects returned by Get-EventLog.
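Because record numbers are contiguous within a channel, a gap in the sequence is a useful forensic signal: Windows offers no supported way to delete individual records, and clearing a whole log leaves event 1102 (Security) or 104 (other channels) in its place, so a hole in the middle of a live or collected log means something other than normal operation removed or lost records. The following is an added example, not code from the original page, that walks a set of record IDs and reports every gap; the sample input is constructed for the illustration.

```powershell
# Added example, not from the original page: report gaps in a channel's record
# numbers (EventRecordID / RecordId / Index). Record IDs are per-channel and
# contiguous, so any gap means records are missing from this copy of the log.
function Find-RecordIdGaps {
    param(
        [Parameter(Mandatory)][long[]]$RecordIds
    )
    $sorted = @($RecordIds | Sort-Object -Unique)
    for ($i = 1; $i -lt $sorted.Count; $i++) {
        $expected = $sorted[$i - 1] + 1
        if ($sorted[$i] -ne $expected) {
            [pscustomobject]@{
                AfterRecordId = $sorted[$i - 1]   # last record present before the hole
                NextRecordId  = $sorted[$i]       # first record present after the hole
                MissingCount  = $sorted[$i] - $expected
            }
        }
    }
}

# Constructed sample (not real log data): records 1007 and 1008 are absent.
$sample = @(1001..1006) + @(1009..1012)
Find-RecordIdGaps -RecordIds $sample

# Against a live channel, e.g. the newest 1000 System records:
# Find-RecordIdGaps -RecordIds (Get-WinEvent -LogName System -MaxEvents 1000 | ForEach-Object RecordId)
```

When the input comes from a circular log the oldest records have been overwritten from the front, which shows up as a low starting number rather than a gap; only holes between the first and last record present are reported.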
Classic (pre-Vista style) logs and the event sources registered to them live under the following registry key, with one subkey per log:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
  \Application
  \Security
  \System
  \CustomLog
Disable auditing of the Filtering Platform Connection subcategory for both success and failure (this is the subcategory that logs every permitted and blocked connection as events 5156/5157, which is very noisy but also useful connection telemetry):
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
In the gpedit.msc GUI:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy (the nine legacy categories), or
Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration (the per-subcategory settings that auditpol reports).
auditpol /get /category:"logon/logoff"
auditpol /get /subcategory:"logon"
auditpol /set /subcategory:"logon" /success:enable /failure:enable
The following is an example of using the Write-EventLog PowerShell cmdlet to write a log message to the Application log stream.
Note the source must be a source registered for that log (see the EventLog registry key above); anyone with write access to the log can emit events under any registered source name, so the source alone does not prove which component wrote an event.
write-eventlog -logname Application -source Winlogon -eventID 3001 -entrytype Information -message "Test log message." -category 1 -rawdata 10,20
Get-WinEvent -listlog *
Get-EventLog -list
reg query hklm\system\currentcontrolset\services\eventlog
Get audit policy categories and subcategories.
auditpol /list /subcategory:*
auditpol /get /subcategory:"Security Group Management"
The subcategory Security Group Management controls whether security group creation, deletion and membership changes are logged.
C:\Users\Administrator>auditpol /get /subcategory:"Security Group Management"
System audit policy
Category/Subcategory                      Setting
Account Management
  Security Group Management               Success and Failure
C:\Users\Administrator>auditpol /get /category:*
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        Success and Failure
  IPsec Driver                            No Auditing
  Other System Events                     Success and Failure
  Security State Change                   Success
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success
  Account Lockout                         Success
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           Success
  Other Logon/Logoff Events               No Auditing
  Network Policy Server                   Success and Failure
Object Access
  File System                             Success and Failure
  Registry                                Success and Failure
  Kernel Object                           Success and Failure
  SAM                                     Success and Failure
  Certification Services                  Success and Failure
  Application Generated                   Success and Failure
  Handle Manipulation                     Success and Failure
  File Share                              Success and Failure
  Filtering Platform Packet Drop          Success and Failure
  Filtering Platform Connection           No Auditing
  Other Object Access Events              Success and Failure
Privilege Use
  Sensitive Privilege Use                 No Auditing
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
Detailed Tracking
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
  Process Creation                        No Auditing
Policy Change
  Audit Policy Change                     Success
  Authentication Policy Change            Success
  Authorization Policy Change             No Auditing
  MPSSVC Rule-Level Policy Change         No Auditing
  Filtering Platform Policy Change        No Auditing
  Other Policy Change Events              No Auditing
Account Management
  User Account Management                 Success and Failure
  Computer Account Management             Success and Failure
  Security Group Management               Success and Failure
  Distribution Group Management           Success and Failure
  Application Group Management            Success and Failure
  Other Account Management Events         Success and Failure
DS Access
  Directory Service Changes               No Auditing
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
  Directory Service Access                Success
Account Logon
  Kerberos Service Ticket Operations      Success
  Other Account Logon Events              No Auditing
  Kerberos Authentication Service         Success
  Credential Validation                   Success
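Reading a dump like the one above by eye does not scale, and it is easy to miss that, for example, Process Creation is set to No Auditing on this host. The following is an added example, not code from the original page: it uses auditpol's /r switch, which emits the same data as CSV, and compares each subcategory against a baseline. The baseline entries are assumptions chosen for illustration, not a published standard; the comparison treats "Success and Failure" as satisfying a requirement for either half alone. auditpol /get needs an elevated session.

```powershell
# Added example, not from the original page: check the effective audit policy
# against a baseline. Baseline entries below are assumed values for illustration.

# 'Success and Failure' satisfies a requirement for 'Success' or 'Failure' alone.
function Test-AuditSettingCovers {
    param([string]$Have, [string]$Want)
    if ($Have -eq $Want) { return $true }
    if ($Have -eq 'Success and Failure' -and $Want -in @('Success', 'Failure')) { return $true }
    return $false
}

function Test-AuditPolicyBaseline {
    param(
        [hashtable]$Baseline = @{
            'Logon'                     = 'Success and Failure'
            'Logoff'                    = 'Success'
            'Account Lockout'           = 'Success and Failure'
            'Special Logon'             = 'Success'
            'Process Creation'          = 'Success'
            'Security Group Management' = 'Success and Failure'
            'User Account Management'   = 'Success and Failure'
            'Audit Policy Change'       = 'Success and Failure'
            'Sensitive Privilege Use'   = 'Success and Failure'
            'Credential Validation'     = 'Success and Failure'
        }
    )
    # /r emits CSV with the header:
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    $rows = auditpol /get /category:* /r | Where-Object { $_.Trim() -ne '' } | ConvertFrom-Csv

    foreach ($sub in $Baseline.Keys) {
        $row  = $rows | Where-Object { $_.Subcategory -eq $sub } | Select-Object -First 1
        $have = if ($row) { $row.'Inclusion Setting' } else { 'Not found' }
        $want = $Baseline[$sub]
        [pscustomobject]@{
            Subcategory = $sub
            Configured  = $have
            Required    = $want
            Compliant   = Test-AuditSettingCovers -Have $have -Want $want
        }
    }
}

# Show only the shortfalls; fix each with auditpol /set, e.g.
#   auditpol /set /subcategory:"Process Creation" /success:enable
Test-AuditPolicyBaseline | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Subcategory names in auditpol output are localized, so on a non-English system the lookup should be keyed on the Subcategory GUID column instead, which is stable across languages.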
The Index value (Get-EventLog) is the unique record number for the event.
get-eventlog -log Security -newest 2
get-eventlog -log Security -newest 2 | where {$_.eventID -eq 4672} | format-list -property *
Note that the filter above runs after -newest 2 has already selected the two most recent events of any ID, so it only returns anything if those happen to be 4672 events; the Get-WinEvent form below applies the ID filter first and then takes the two newest matches.
Get-WinEvent -FilterHashTable @{LogName='Security'; ID=4672;} -MaxEvents 2 | format-list -property *
Get-WinEvent -FilterHashTable @{LogName='Security'; ID=4672;} -MaxEvents 2 | format-list -property * | findstr -i recordid
powershell -executionpolicy bypass -command "Get-WinEvent -FilterHashTable @{LogName='Security'; ID=4634; StartTime='12/1/14 15:28:35'; EndTime='12/1/14 15:28:35'} -MaxEvents 2 | format-list -property *"
Get metadata for the specified log channel.
' Reading the Security channel through WMI requires the (Security) privilege
' in the moniker; without it the query returns no instances.
strComputer = "."
strChannel = "Security"
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Security)}!\\" & _
    strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile " _
    & "Where LogFileName='" & strChannel & "'")
Wscript.Echo "Metadata for log channel " & strChannel & "."
For Each objLogFile in colLogFiles
    Wscript.Echo "Number of records: " & objLogFile.NumberOfRecords
    Wscript.Echo "Maximum log file size: " _
        & objLogfile.MaxFileSize
    Wscript.Echo "Log filename: " & objLogFile.Drive & objLogFile.Path & objLogFile.LogfileName & "." & objLogFile.Extension
Next
Get the number of records (events) in the specified log channel.
' The System channel can be read without the (Security) privilege.
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" _
    & strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile " _
    & "Where LogFileName='System'")
For Each objLogFile in colLogFiles
    Wscript.Echo objLogFile.NumberOfRecords
Next
List log providers and GUID values.
logman query providers