Windows Logging

wevtutil

  • channels
  • publishers
  • providers
  • streams

Examples

wevtutil el
wevtutil el | findstr /i <string value to match>
wevtutil gl System
Example Output
name: System
enabled: true
type: Admin
owningPublisher: 
isolation: System
channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;BO)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x3;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\System.evtx
  retention: false
  autoBackup: false
  maxSize: 20971520
publishing:
  fileMax: 1
wevtutil ep
wevtutil gp <publisher name>

Query the System channel for events from the Microsoft-Windows-Winlogon provider (the command and its output follow).

wevtutil qe System /q:"*[System[Provider[@Name='Microsoft-Windows-Winlogon']]]" /c:1 /rd:true /f:text
Event[0]:
  Log Name: System
  Source: Microsoft-Windows-Winlogon
  Date: 2014-06-18T09:50:45.442
  Event ID: 7001
  Task: N/A
  Level: Information
  Opcode: Info
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: E5420_MGupton.alertlogic.net
  Description:
User Logon Notification for Customer Experience Improvement Program
Any command can be run against a remote computer with the /r, /u and /p options:

wevtutil <command> /r:<remote_computer_name> /u:<user_name> /p:<password>
wevtutil el /r:<remote_computer_name> /u:<user_name> /p:<password>

Event Queries

  • One way to get the XPath queries used by the /q option of wevtutil is the Windows Event Viewer GUI: create a filter and view the XML representation of that filter.

Query the last 5 logs from the Security log channel.

The /rd:true option reads the most recent events first (reverse direction).

wevtutil qe Security /c:5 /rd:true /f:text /r:<remote_computer_name> /u:<user_name> /p:<password>

Examples:

wevtutil qe Microsoft-Windows-Winlogon/Operational /c:5 /rd:true /f:text

General form of an XPath filter (System here is the event's <System> XML element, not the System log):

/q:"*[System[(<element>=<value>)]]"

wevtutil qe System /q:"*[System [(EventID=7001)]]" /c:1 /rd:true /format:text
wevtutil qe System /q:"*[System[Provider[@Name='Microsoft-Windows-Winlogon']]]" /c:1 /rd:true /f:text
wevtutil qe Security /q:"*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and Task=12544 and (EventID=4624)] and EventData[Data[@Name='LogonType']='2']]" /e:Events

Query the Microsoft-Windows-TaskScheduler/Operational channel (a provider's own channels are named Provider/Channel).

wevtutil qe Microsoft-Windows-TaskScheduler/Operational /c:5

Query for the most recent failed logon event (4625).

C:\Users\Administrator>wevtutil qe Security /q:"*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4625)] and EventData[Data[@Name='LogonType']='2']]" /e:Events /rd:true /c:1 /format:text
wevtutil qe Security /q:"*[System [(EventID=4625)]]" /c:1 /rd:true /format:text
wevtutil qe System /q:"*[System [(EventID=7001)]]" /c:1 /rd:true /format:text
c:\temp>wevtutil qe System /q:"*[System [(EventID=1074)]]" /c:1 /rd:true /format:text
Event[0]:
  Log Name: System
  Source: USER32
  Date: 2015-02-04T07:23:47.000
  Event ID: 1074
  Task: N/A
  Level: Information
  Opcode: N/A
  Keyword: Classic
  User: S-1-5-21-3226147087-3892606130-1661063148-5381
  User Name: ALERTLOGIC\mgupton
  Computer: E5420_MGupton.alertlogic.net
  Description:
The process C:\Windows\system32\winlogon.exe (E5420_MGUPTON) has initiated the restart of computer E5420_MGUPTON on behalf of user ALERTLOGIC\mgupton for the following reason: No title for this reason could be found
 Reason Code: 0x500ff
 Shutdown Type: restart
 Comment:
c:\temp>wevtutil qe Security /q:"*[System [(EventID=4608)]]" /c:1 /rd:true /format:text
Event[0]:
  Log Name: Security
  Source: Microsoft-Windows-Security-Auditing
  Date: 2015-02-04T07:25:18.260
  Event ID: 4608
  Task: Security State Change
  Level: Information
  Opcode: Info
  Keyword: Audit Success
  User: N/A
  User Name: N/A
  Computer: E5420_MGupton.alertlogic.net
  Description:
Windows is starting up.

This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.

Slapdash

The Microsoft command line tool wevtutil can also be used to get and set the Windows Event Log retention policy.

Set the log file size limit behaviour to overwrite the oldest logs first using the following command.

wevtutil sl <Log Name> /r:false /ab:false

The following is an example of setting the Application log to overwrite the oldest logs first.

/r:false specifies that when the log reaches the maximum size new logs should overwrite the oldest logs.

/ab:false specifies that when the log reaches the maximum size the log should not be automatically backed up.

wevtutil sl Application /r:false /ab:false

Set the maximum log file size for the specified log stream.

wevtutil sl <Log Name> /ms:<MaxSizeInBytes>

The following example sets the maximum log file size for the Application stream to 60 MB.

wevtutil sl Application /ms:62914560

The following command displays the current configuration for the specified log stream.

wevtutil gl <Log Name>

Example for getting the configuration for the System log stream.

wevtutil gl System
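When the gl listing is collected from many hosts, it is easier to check retention settings offline than by eye. The following Python is an added example, not part of the original page: it parses the key: value output of wevtutil gl into a dict and flags channels whose maxSize is below a baseline you choose; the sample listing is constructed, modelled on the System output shown above.

```python
"""Parse `wevtutil gl <channel>` output and flag retention settings below a baseline."""

# Constructed sample, modelled on the System channel listing shown on this page.
SAMPLE_GL = """\
name: System
enabled: true
type: Admin
owningPublisher: 
isolation: System
logging:
  logFileName: %SystemRoot%\\System32\\Winevt\\Logs\\System.evtx
  retention: false
  autoBackup: false
  maxSize: 20971520
publishing:
  fileMax: 1
"""

def parse_gl(text):
    """Turn the 'key: value' listing into a dict; two-space indented lines
    become entries of a nested dict under the preceding top-level key."""
    cfg, section = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        key, _, value = raw.strip().partition(":")   # SDDL values keep their own colons
        value = value.strip()
        if raw.startswith("  ") and section is not None:
            if not isinstance(cfg[section], dict):   # first child: open the section
                cfg[section] = {}
            cfg[section][key] = value
        else:
            cfg[key] = value      # top-level scalar (may be empty, e.g. owningPublisher)
            section = key         # becomes a section only if indented lines follow
    return cfg

def check_retention(cfg, min_size_bytes):
    """Return findings for a channel whose settings a defender should question."""
    findings = []
    log = cfg.get("logging", {})
    if cfg.get("enabled") != "true":
        findings.append("channel is disabled")
    max_size = int(log.get("maxSize", 0))
    if max_size < min_size_bytes:
        findings.append(f"maxSize {max_size} is below baseline {min_size_bytes}")
    if log.get("retention") == "false" and log.get("autoBackup") == "false":
        findings.append("oldest events are overwritten when full (no archive); "
                        "size the log for the expected volume")
    return findings
```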

A Provider is a source of events. A single provider can have multiple channels. A channel is a distinct data store for a collection of events.

c:\temp>wevtutil ep | findstr /i winlogon
Microsoft-Windows-Winlogon
c:\temp>wevtutil gp Microsoft-Windows-Winlogon
name: Microsoft-Windows-Winlogon
guid: dbe9b383-7cf3-4331-91cc-a3cb16a3b538
helpLink: http://go.microsoft.com/fwlink/events.asp?CoName=Microsoft%20Corporation&ProdName=Microsoft%c2%ae%20Windows%c2%ae%20Operating%20System&ProdVer=6.1.7601.17514&FileName=winlogon.exe&FileVer=6.1.7601.17514
resourceFileName: C:\Windows\system32\winlogon.exe
messageFileName: C:\Windows\system32\winlogon.exe
message: 2415919105
channels:
  channel:
    name: Microsoft-Windows-Winlogon/Diagnostic
    id: 16
    flags: 0
    message: 
  channel:
    name: Microsoft-Windows-Winlogon/Operational
    id: 17
    flags: 0
    message: 
  channel:
    name: System
    id: 8
    flags: 1
    message: 2415919106
    
--- snip ---
c:\temp>wevtutil gl Microsoft-Windows-Winlogon/Operational
name: Microsoft-Windows-Winlogon/Operational
enabled: true
type: Operational
owningPublisher: Microsoft-Windows-Winlogon
isolation: Application
channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx
  retention: false
  autoBackup: false
  maxSize: 1052672
publishing:
  fileMax: 1
Export a legacy .evt log file to .evtx (/lf:true tells wevtutil that the first argument is a log file path rather than a channel name):

wevtutil epl application.evt application.evtx /lf:true

Querying the data as XML returns the EventRecordID, the unique identifier of the event record within its channel. This ordinal starts at 1 and is incremented by 1 for every new log entry.

wevtutil qe System /c:1 /rd:true /f:xml
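The XML form is what a script would consume. As an added example that is not part of the original page, the following Python parses the /f:xml /e:Events output of a Security query such as the 4625/LogonType filters above, tallies failed logons per account, and checks EventRecordID continuity; the sample XML is constructed and trimmed to the fields used.

```python
"""Parse `wevtutil qe Security ... /f:xml /e:Events` output and tally failed logons."""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: two 4625 failures and one 4624 success, trimmed to the
# fields used below. Record 1003 is deliberately absent. Values are invented.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4625</EventID><TimeCreated SystemTime="2015-02-04T07:30:01.000Z"/><EventRecordID>1001</EventRecordID><Channel>Security</Channel></System><EventData><Data Name="TargetUserName">alice</Data><Data Name="LogonType">2</Data><Data Name="Status">0xc000006d</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4625</EventID><TimeCreated SystemTime="2015-02-04T07:30:05.000Z"/><EventRecordID>1002</EventRecordID><Channel>Security</Channel></System><EventData><Data Name="TargetUserName">alice</Data><Data Name="LogonType">10</Data><Data Name="Status">0xc000006d</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID><TimeCreated SystemTime="2015-02-04T07:31:00.000Z"/><EventRecordID>1004</EventRecordID><Channel>Security</Channel></System><EventData><Data Name="TargetUserName">alice</Data><Data Name="LogonType">2</Data></EventData></Event>
</Events>
"""

def parse_events(xml_text):
    """Yield one flat dict per <Event>: System fields plus EventData Name -> value."""
    root = ET.fromstring(xml_text)
    for ev in root.findall("e:Event", NS):
        rec = {
            "EventID": int(ev.findtext("e:System/e:EventID", namespaces=NS)),
            "EventRecordID": int(ev.findtext("e:System/e:EventRecordID", namespaces=NS)),
            "TimeCreated": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        }
        for d in ev.findall("e:EventData/e:Data", NS):
            rec[d.get("Name")] = d.text or ""
        yield rec

def failed_logons_by_account(xml_text, logon_type=None):
    """Count 4625 events per TargetUserName, optionally for one LogonType
    (the same filter the /q XPath on this page applies on the host)."""
    counts = Counter()
    for rec in parse_events(xml_text):
        if rec["EventID"] != 4625:
            continue
        if logon_type is not None and rec.get("LogonType") != str(logon_type):
            continue
        counts[rec.get("TargetUserName", "?")] += 1
    return counts

def record_id_gaps(xml_text):
    """EventRecordID is a per-channel ordinal incremented by one per record,
    so numbers missing from a contiguous export point at lost records."""
    ids = {rec["EventRecordID"] for rec in parse_events(xml_text)}
    return sorted(set(range(min(ids), max(ids) + 1)) - ids) if ids else []
```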
  • Last modified: 2017/04/18 21:38
  • by mgupton