Eventquery.vbs

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Lists the events and event properties from one or more event logs.

Syntax

eventquery[.vbs] [/s Computer [/u Domain\User [/p Password]]] [/fi FilterName] [/fo {TABLE | LIST | CSV}] [/r EventRange] [/nh] [/v] [/l [APPLICATION] [SYSTEM] [SECURITY] ["DNS server"] [UserDefinedLog] [DirectoryLogName] [*] ]

Parameters
  • /s Computer
    Specifies the name or IP address of a remote computer (do not use backslashes). The default is the local computer.
  • /u Domain\User
    Runs the script with the account permissions of the user specified by User or Domain\User. The default is the permissions of the user currently logged on to the computer issuing the command.
  • /p Password
    Specifies the password of the user account that is specified in the /u parameter.
  • /fi FilterName
    Specifies the types of events to include in or exclude from the query. The following are valid filter names, operators, and values.
<table>
<colgroup>
<col style="width: 33%" />
<col style="width: 33%" />
<col style="width: 33%" />
</colgroup>
<thead>
<tr class="header">
<th>Name</th>
<th>Operator</th>
<th>Value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p><strong>Datetime</strong></p></td>
<td><p><strong>eq, ne, ge, le, gt, lt</strong></p></td>
<td><p>mm/dd/yy(yyyy), hh:mm:ssAM(/PM)</p></td>
</tr>
<tr class="even">
<td><p><strong>Type</strong></p></td>
<td><p><strong>eq, ne</strong></p></td>
<td><p>{<strong>ERROR</strong> | <strong>INFORMATION</strong> | <strong>WARNING</strong> | <strong>SUCCESS</strong> | <strong>SUCCESSAUDIT</strong> | <strong>FAILUREAUDIT</strong>}</p></td>
</tr>
<tr class="odd">
<td><p><strong>ID</strong></p></td>
<td><p><strong>eq, ne, ge, le, gt, lt</strong></p></td>
<td><p>Any valid positive integer.</p></td>
</tr>
<tr class="even">
<td><p><strong>User</strong></p></td>
<td><p><strong>eq, ne</strong></p></td>
<td><p>Any valid string.</p></td>
</tr>
<tr class="odd">
<td><p><strong>Computer</strong></p></td>
<td><p><strong>eq, ne</strong></p></td>
<td><p>Any valid string.</p></td>
</tr>
<tr class="even">
<td><p><strong>Source</strong></p></td>
<td><p><strong>eq, ne</strong></p></td>
<td><p>Any valid string.</p></td>
</tr>
<tr class="odd">
<td><p><strong>Category</strong></p></td>
<td><p><strong>eq, ne</strong></p></td>
<td><p>Any valid string.</p></td>
</tr>
</tbody>
</table>
  • /fo {TABLE | LIST | CSV}
    Specifies the format to use for the output. Valid values are table, list, and csv.
  • /r EventRange
    Specifies the range of events to list.
<table>
<colgroup>
<col style="width: 50%" />
<col style="width: 50%" />
</colgroup>
<thead>
<tr class="header">
<th>Value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p><em>N</em></p></td>
<td><p>Lists <em>N</em> most recent events.</p></td>
</tr>
<tr class="even">
<td><p><em>-N</em></p></td>
<td><p>Lists <em>N</em> oldest events.</p></td>
</tr>
<tr class="odd">
<td><p><em>N1-N2</em></p></td>
<td><p>Lists the events from <em>N1</em> to <em>N2</em>.</p></td>
</tr>
</tbody>
</table>
  • /nh
    Suppresses column headers in the output. Valid only for table and csv formats.
  • /v
    Specifies that verbose event information be displayed in the output.
  • /l [APPLICATION] [SYSTEM] [SECURITY] ["DNS server"] [UserDefinedLog] [DirectoryLogName] [*]
    Specifies the log(s) to monitor. Valid values are Application, System, Security, "DNS server", a user-defined log, and Directory log. "DNS server" can be used only if the DNS service is running on the computer specified by the /s parameter. To specify more than one log to monitor, reuse the /l parameter. The wildcard (*) can be used and is the default.
  • /?
    Displays help at the command prompt.
Remarks
  • To run this script, you must be running CScript. If you have not already set the default Windows Script Host to CScript, type:

    cscript //h:cscript //s //nologo

Examples

The following examples show how you can use the eventquery command:

eventquery /l system

eventquery /l mylog

eventquery /l application /l system

eventquery /s srvmain /u maindom\hiropln /p p@ssW23 /v /l *

eventquery /r 10 /l application /nh

eventquery /r -10 /fo LIST /l security

eventquery /r 5-10 /l "DNS server"

eventquery /fi "Type eq Error" /l application

eventquery /fi "Datetime eq 06/25/00,03:15:00AM/06/25/00,03:15:00PM" /l application

eventquery /fi "Datetime gt 08/03/00,06:20:00PM" /fi "id gt 700" /fi "Type eq warning" /l system
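The /fi table fixes which operators each filter name accepts and what form its value takes. The following added example (not part of the original reference or of Eventquery.vbs) checks filter strings against that table, for instance in a log-collection wrapper before the command is run. It assumes Python, and that the from/to Datetime form is valid only with eq, as in the example above; the function names are hypothetical.

```python
import re
from datetime import datetime

# Operators each filter name accepts, copied from the /fi table.
ORDERED = {"eq", "ne", "ge", "le", "gt", "lt"}
EQUALITY = {"eq", "ne"}
OPERATORS = {"datetime": ORDERED, "id": ORDERED, "type": EQUALITY, "user": EQUALITY,
             "computer": EQUALITY, "source": EQUALITY, "category": EQUALITY}
EVENT_TYPES = {"ERROR", "INFORMATION", "WARNING", "SUCCESS", "SUCCESSAUDIT", "FAILUREAUDIT"}


def parse_datetime(text):
    """Parse mm/dd/yy(yyyy),hh:mm:ssAM(/PM); a space after the comma is tolerated."""
    for fmt in ("%m/%d/%y,%I:%M:%S%p", "%m/%d/%Y,%I:%M:%S%p"):
        try:
            return datetime.strptime(text.replace(", ", ","), fmt)
        except ValueError:
            continue
    raise ValueError(f"bad Datetime value: {text!r}")


def parse_filter(expr):
    """Return (name, operator, value) for one /fi expression, or raise ValueError."""
    m = re.fullmatch(r"\s*(\w+)\s+(\w+)\s+(.+?)\s*", expr)
    if not m:
        raise ValueError(f"expected 'Name operator value': {expr!r}")
    # Names, operators and types are matched case-insensitively, as in the examples.
    name, op, value = m.group(1).lower(), m.group(2).lower(), m.group(3)
    if op not in OPERATORS.get(name, ()):
        raise ValueError(f"filter {name!r} does not accept operator {op!r}")
    if name == "type":
        value = value.upper()
        if value not in EVENT_TYPES:
            raise ValueError(f"unknown event type: {value!r}")
    elif name == "id":
        if not re.fullmatch(r"[0-9]+", value) or int(value) == 0:
            raise ValueError(f"ID must be a positive integer: {value!r}")
        value = int(value)
    elif name == "datetime":
        # Assumption: the from/to form is accepted only with eq, as in the page's example.
        parts = re.split(r"(?<=[AP]M)/", value, flags=re.I)
        if len(parts) > 2 or (len(parts) == 2 and op != "eq"):
            raise ValueError(f"from/to range needs 'eq' and two values: {value!r}")
        value = tuple(parse_datetime(p) for p in parts)
        if len(value) == 2 and value[0] > value[1]:
            raise ValueError("Datetime range starts after it ends")
    return name, op, value
```

String-valued filters (User, Computer, Source, Category) are returned unchanged; Datetime values come back as a one- or two-element tuple of `datetime` objects.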

Formatting legend

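<table>
<colgroup>
<col style="width: 50%" />
<col style="width: 50%" />
</colgroup>
<thead>
<tr class="header">
<th>Format</th>
<th>Meaning</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>Italic</p></td>
<td><p>Information that the user must supply</p></td>
</tr>
<tr class="even">
<td><p>Bold</p></td>
<td><p>Elements that the user must type exactly as shown</p></td>
</tr>
<tr class="odd">
<td><p>Ellipsis (...)</p></td>
<td><p>Parameter that can be repeated several times in a command line</p></td>
</tr>
<tr class="even">
<td><p>Between brackets ([])</p></td>
<td><p>Optional items</p></td>
</tr>
<tr class="odd">
<td><p>Between braces ({}); choices separated by pipe (|). Example: {even|odd}</p></td>
<td><p>Set of choices from which the user must choose only one</p></td>
</tr>
<tr class="even">
<td><p>Courier font</p></td>
<td><p>Code or program output</p></td>
</tr>
</tbody>
</table>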

See Also

Concepts

Command-line reference A-Z
Command shell overview