I am using wevtutil to get the last 10 logs on Windows servers, with this simple command:
wevtutil qe Application /rd:false /c:10 /f:text
So can I parse events like: all the error events in the last 10 logs?
This will list the last 10 errors:
wevtutil qe application "/q:*[System[(Level=1 or Level=2 )]]" /c:10 /f:text /rd:true
Be careful: the XPath query is case sensitive.
I am trying to use the cmo.deleteMessages to clean up messages that are older than 30 days.
connect(...)
domainRuntime()
print 'Cleaning Message from QUEUE:myqueue'
try:
    cd('ServerRuntimes/myserver/JMSRuntime/myserver.jms/JMSServers/myserver/Destinations/JMSMODULE!JMSmyserver#myqueue')
    cmo.deleteMessages("JMSTimestamp > 5200000000")
except:
    pass
However, WebLogic doesn't recognize the attribute "JMSTimestamp > 5200000000". It deletes all the messages.
When I put the entry "JMSTimestamp > 5200000000" in the Message Selector [in the WL console], it shows all messages instead of only the messages that are 30 days old [5200000000 milliseconds is 30 days].
The problem is that the format "JMSTimestamp > 5200000000" is either not recognized by WebLogic or by the Python script. Any idea what I am missing?
I was able to create the timestamp in milliseconds using a modified date command tool in Linux.
$ date +%s%N | cut -b1-13
1617374452236
The JMS timestamp parameter accepted this format and I was able to perform the task.
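Added example, not code from the question or the answer above. A JMS message selector compares the message's JMSTimestamp header, which is an absolute value in milliseconds since the Unix epoch, with the literal in the selector. A fixed literal is therefore a point in time rather than an age: 5200000000 ms falls in early March 1970, so "JMSTimestamp > 5200000000" matches every message on the queue. "Older than 30 days" has to be expressed as "now minus 30 days", computed at run time, which is what the epoch-millisecond value from the date command supplies. The queue contents and the "now" below are constructed, and the dry-run evaluator only handles the simple comparison form used in this thread.

```python
import time
from datetime import datetime, timezone

DAY_MS = 24 * 60 * 60 * 1000  # one day in milliseconds, the unit JMSTimestamp uses


def epoch_ms(when=None):
    """Milliseconds since the Unix epoch, now or for a given aware datetime."""
    if when is None:
        return int(time.time() * 1000)
    return int(when.timestamp() * 1000)


def older_than_selector(days, now_ms=None):
    """Selector matching messages whose JMSTimestamp is more than `days` days old."""
    if days < 0:
        raise ValueError("days must be non-negative")
    if now_ms is None:
        now_ms = epoch_ms()
    cutoff = now_ms - days * DAY_MS
    return "JMSTimestamp < %d" % cutoff


def literal_as_date(ms):
    """What a fixed millisecond literal means as a calendar date (UTC)."""
    return datetime.fromtimestamp(ms / 1000.0, tz=timezone.utc).strftime("%Y-%m-%d")


def selector_matches(selector, jms_timestamp):
    """Evaluate 'JMSTimestamp <op> <literal>' against one message's timestamp.

    This mirrors the comparison the JMS provider performs; only the
    comparison operators are supported (no AND/OR, no other headers).
    """
    field, op, literal = selector.split()
    if field != "JMSTimestamp":
        raise ValueError("only JMSTimestamp selectors are handled here")
    value = int(literal)
    ops = {">": jms_timestamp > value, "<": jms_timestamp < value,
           ">=": jms_timestamp >= value, "<=": jms_timestamp <= value}
    return ops[op]


def dry_run(selector, message_timestamps):
    """Indices of the messages a selector would pick for deletion."""
    return [i for i, ts in enumerate(message_timestamps)
            if selector_matches(selector, ts)]


if __name__ == "__main__":
    # Constructed sample: a fixed "now" and three messages aged 1, 29 and 45 days.
    now = epoch_ms(datetime(2021, 4, 2, 15, 0, tzinfo=timezone.utc))
    queue = [now - 1 * DAY_MS, now - 29 * DAY_MS, now - 45 * DAY_MS]
    fixed = "JMSTimestamp > 5200000000"
    print(fixed, "means newer than", literal_as_date(5200000000),
          "-> deletes", dry_run(fixed, queue))
    relative = older_than_selector(30, now)
    print(relative, "-> deletes", dry_run(relative, queue))
```

In the WLST script the computed string is what goes into the call, i.e. cmo.deleteMessages(older_than_selector(30)); the dry run is worth doing against the real queue's timestamps before deleting, since a selector that is syntactically fine but matches everything is silently accepted.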
I want to export only event id 4624 from Security
The code below exports all events from Security (I want only 4624):
WEVTUtil query-events Security /rd:true /format:text > %~dp0Logins.txt /q:"<EventID>4624</EventID>"
When all 4624 events are exported I want to filter only events with:
<Data Name='LogonProcessName'>User32 </Data>
This will be RDP logs with IP, because logs in "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" don't have IP (only username) :( I heard this is because the RDP connection is TLS secured...
I want to export only Event ID 4624 from Security
WEVTUtil query-events Security /rd:true /format:text > "%~dp0Logins.txt" /q:"<EventID>4624</EventID>"
You are using the wrong format for the /q option.
Use the following command line:
wevtutil qe Security "/q:*[System [(EventID=4648)]]" /rd:true /f:text > "%~dp0Logins.txt"
How do I restrict the filter to Event ID 4624 containing User32?
When all 4624 events are exported I want to filter only events with:
<Data Name='LogonProcessName'>User32 </Data>
Use the following command line:
wevtutil qe Security "/q:*[System [(EventID=4648)]]" /rd:true | findstr User32 >nul && wevtutil qe Security "/q:*[System [(EventID=4648)]]" /f:text /rd:true > "%~dp0Logins.txt"
Code based on the following source link.
Source: How to use wevtutil command to get event details if it only comply with specific text or word
Further Reading
An A-Z Index of the Windows CMD command line - An excellent reference for all things Windows cmd line related.
findstr - Search for strings in files.
wevtutil - Windows Events Command Line Utility.
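Added example, not code from the question or the answer above. The findstr pipeline in the answer decides per log rather than per event: when any event in the output mentions User32, the second wevtutil call writes every event. The Windows event XPath dialect accepted by /q: can test EventData directly, so a single query returns only the 4624 events whose LogonProcessName is 'User32 ' (the trailing space is part of the value, exactly as in the question's data). The parser below reads wevtutil's /f:xml output, which is a sequence of Event elements with no root, and pulls out the fields an RDP logon review wants: time, account, logon type and source IP. The sample XML is constructed (standard 4624 field names, made-up values); off Windows the code falls back to that sample instead of calling wevtutil.

```python
import subprocess
import sys
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# XPath for /q: : event id 4624 plus an EventData predicate on LogonProcessName.
XPATH_4624_USER32 = ("*[System[(EventID=4624)] and "
                     "EventData[Data[@Name='LogonProcessName']='User32 ']]")

# Constructed imitation of `wevtutil qe Security /f:xml` output: two events,
# only the first is a User32 (interactive / RDP, LogonType 10) logon.
SAMPLE_XML = """
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing'/><EventID>4624</EventID><TimeCreated SystemTime='2021-04-02T14:59:01.000000000Z'/><Computer>host1.example.test</Computer></System><EventData><Data Name='TargetUserName'>alice</Data><Data Name='LogonType'>10</Data><Data Name='LogonProcessName'>User32 </Data><Data Name='IpAddress'>203.0.113.7</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing'/><EventID>4624</EventID><TimeCreated SystemTime='2021-04-02T15:02:11.000000000Z'/><Computer>host1.example.test</Computer></System><EventData><Data Name='TargetUserName'>svc-backup</Data><Data Name='LogonType'>5</Data><Data Name='LogonProcessName'>Advapi  </Data><Data Name='IpAddress'>-</Data></EventData></Event>
"""


def parse_events(xml_text):
    """Turn /f:xml output into a list of dicts holding System fields and EventData values."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")  # supply the missing root
    events = []
    for ev in root.iter(NS + "Event"):
        system = ev.find(NS + "System")
        rec = {
            "EventID": int(system.findtext(NS + "EventID")),
            "TimeCreated": system.find(NS + "TimeCreated").get("SystemTime"),
            "Computer": system.findtext(NS + "Computer"),
        }
        data = ev.find(NS + "EventData")
        if data is not None:
            for d in data.findall(NS + "Data"):
                rec[d.get("Name")] = d.text or ""  # keep whitespace: 'User32 ' is exact
        events.append(rec)
    return events


def user32_logons(events):
    """Post-filter with the same condition as XPATH_4624_USER32, for unfiltered exports."""
    return [e for e in events
            if e["EventID"] == 4624 and e.get("LogonProcessName") == "User32 "]


def summarize(events):
    """(time, account, logon type, source IP) for each User32 logon."""
    return [(e["TimeCreated"], e["TargetUserName"], e["LogonType"], e["IpAddress"])
            for e in user32_logons(events)]


def query_security_log(max_events=100):
    """Run the query on Windows; elsewhere return the constructed sample."""
    if sys.platform != "win32":
        return SAMPLE_XML
    args = ["wevtutil", "qe", "Security", "/q:" + XPATH_4624_USER32,
            "/f:xml", "/rd:true", "/c:%d" % max_events]
    return subprocess.run(args, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for row in summarize(parse_events(query_security_log())):
        print(*row)
```

Passing the query as a list element to subprocess avoids the cmd quoting problem the question ran into; at a cmd prompt the same query needs the double quotes around /q:... exactly as in the answer's command line.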
On the Parse.com cloud-code console, I can see logs, but they only go back maybe 100-200 lines. Is there a way to see or download older logs?
I've searched their website & googled, and don't see anything.
Using the parse command-line tool, you can retrieve an arbitrary number of log lines:
Usage:
parse logs [flags]
Aliases:
logs, log
Flags:
-f, --follow=false: Emulates tail -f and streams new messages from the server
-l, --level="INFO": The log level to restrict to. Can be 'INFO' or 'ERROR'.
-n, --num=10: The number of the messages to display
Not sure if there is a limit, but I've been able to fetch 5000 lines of log with this command:
parse logs prod -n 5000
To add on to Pascal Bourque's answer, you may also wish to filter the logs by a given range of dates. To achieve this, I used the following:
parse logs -n 5000 | sed -n '/2016-01-10/, /2016-01-15/p' > filteredLog.txt
This will get up to 5000 logs, use the sed command to keep all of the logs which are between 2016-01-10 and 2016-01-15, and store the results in filteredLog.txt.
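Added example, not part of the answers above. The sed range '/2016-01-10/, /2016-01-15/p' starts printing at the first line containing the start string and stops at the first later line containing the end string, wherever that string appears; if no line carries the end date (a quiet day, or logs that stop earlier) it prints to the end of the input, and only part of the end day is ever included. Comparing the date prefix of each line as a string gives an exact inclusive range, because ISO dates sort correctly as text. Both behaviours are shown on constructed log lines in the date-first layout the sed expression assumes.

```python
import re

DATE_PREFIX = re.compile(r"^(\d{4}-\d{2}-\d{2})")  # ISO date at the start of each line

# Constructed sample: no line is dated 2016-01-15, but a later message mentions it.
SAMPLE_LOG = """\
2016-01-09T23:59:58.123Z I something before the range
2016-01-10T00:00:01.000Z I first line of the range
2016-01-12T08:15:00.000Z E error inside the range
2016-01-16T09:00:00.000Z I after the range; 2016-01-15 had no logs
2016-01-17T10:00:00.000Z I also after the range
"""


def filter_by_date(lines, start, end):
    """Keep lines whose date prefix satisfies start <= date <= end (inclusive)."""
    if start > end:
        raise ValueError("start must not be after end")
    kept = []
    for line in lines:
        m = DATE_PREFIX.match(line)
        if m and start <= m.group(1) <= end:
            kept.append(line)
    return kept


def sed_style_range(lines, start, end):
    """Reproduce sed's /start/,/end/p address range, to show how it differs."""
    kept, inside = [], False
    for line in lines:
        if not inside:
            if start in line:          # range opens on a matching line
                inside = True
                kept.append(line)
            continue
        kept.append(line)              # every line until the end address matches
        if end in line:
            inside = False
    return kept


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("exact:", len(filter_by_date(lines, "2016-01-10", "2016-01-15")), "lines")
    print("sed:  ", len(sed_style_range(lines, "2016-01-10", "2016-01-15")), "lines")
```

Feed it the output of parse logs -n 5000 via stdin or a file; the exact filter keeps two lines from the sample, while the sed range also swallows the 2016-01-16 line because its message text contains the end date.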
I am trying to export a Windows event log but limit the exported events not according to number but according to the time the event was logged. I am trying to do that on Windows 7 and newer. So far my efforts are focused on using wevtutil.
I am using wevtutil and my command line now is: wevtutil Application events.evtx The problem here is that I export the whole log, and this can be quite big, so I want to limit it to just the last 2 weeks.
I have found this post, but first of all it does not seem to produce any output on my system (yes, I have changed the dates and times) and second it seems to be dependent on the date format, which I try to avoid.
Here is the modified command I ran:
wevtutil qe Application "/q:*[System[TimeCreated[@SystemTime>='2012-10-02T00:00:00' and @SystemTime<'2012-10-17T00:00:00']]]" /f:text
I had to replace the < and > with the actual symbols as I got a syntax error otherwise. This command produces empty output.
The problem is due to /q: being inside quotes. It should be outside, like:
wevtutil qe Application /q:"*[System[TimeCreated[@SystemTime>='2012-10-02T00:00:00' and @SystemTime<'2012-10-17T00:00:00']]]" /f:text
This works just fine for me.
For the events of the last 2 weeks, you could also use timediff, to avoid hard-coding dates.
Windows uses milliseconds, so it would be 1000 * 86400 (seconds, = 1 day) * 14 (days) = 1209600000.
For your query, that would look like
wevtutil qe Application /q:"*[System[TimeCreated[timediff(@SystemTime) <= 1209600000]]]" /f:text /c:1
I added /c:1 to get only 1 event in the example, since there are many events in the last 2 weeks.
You may also want to only list warning and errors. For that, you can use (Level=2 or Level=3). (For some reason, Level<4 doesn't seem to work for me on Win7)
wevtutil qe Application /q:"*[System[(Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) <= 1209600000]]]" /f:text /c:1
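Added example, not code from this thread or the one about the last 10 errors near the top of the page. It builds the /q: XPath the answers describe from parts, so the millisecond arithmetic for timediff() and the (Level=2 or Level=3) list are computed instead of typed, and it also produces the absolute-window form with the UTC 'Z' suffix that TimeCreated/@SystemTime carries in the event XML. Level numbers are the standard Windows ones (1 Critical, 2 Error, 3 Warning, 4 Information, 5 Verbose). Assumed: naive datetimes passed in are already UTC.

```python
from datetime import datetime, timedelta, timezone

# Standard Windows event levels, the numbers the XPath Level predicate compares.
LEVELS = {"critical": 1, "error": 2, "warning": 3, "information": 4, "verbose": 5}


def window_ms(days=0, hours=0, minutes=0):
    """Lookback window in milliseconds, the unit timediff() compares against."""
    total = timedelta(days=days, hours=hours, minutes=minutes)
    if total <= timedelta(0):
        raise ValueError("window must be positive")
    return int(total.total_seconds() * 1000)


def iso_utc(dt):
    """Write a datetime the way @SystemTime appears in event XML (UTC, 'Z' suffix)."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)  # assumption: naive input is UTC
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def level_predicate(levels):
    """'(Level=2 or Level=3)' from names or numbers; the or-list form the answer found reliable."""
    nums = sorted({LEVELS[x.lower()] if isinstance(x, str) else int(x) for x in levels})
    return "(" + " or ".join("Level=%d" % n for n in nums) + ")"


def build_query(levels=None, event_ids=None, last_ms=None, start=None, end=None):
    """Compose *[System[...]] from levels, event ids and a relative or absolute time window."""
    parts = []
    if levels:
        parts.append(level_predicate(levels))
    if event_ids:
        parts.append("(" + " or ".join("EventID=%d" % i for i in event_ids) + ")")
    if last_ms is not None:  # relative window: no dates to hard-code
        parts.append("TimeCreated[timediff(@SystemTime) <= %d]" % last_ms)
    elif start is not None or end is not None:  # absolute window
        bounds = []
        if start is not None:
            bounds.append("@SystemTime>='%s'" % iso_utc(start))
        if end is not None:
            bounds.append("@SystemTime<'%s'" % iso_utc(end))
        parts.append("TimeCreated[" + " and ".join(bounds) + "]")
    if not parts:
        return "*"
    return "*[System[" + " and ".join(parts) + "]]"


def wevtutil_args(log, query, count=None, fmt="text", newest_first=True):
    """argv for wevtutil; hand this list to subprocess.run on Windows (no cmd quoting needed)."""
    args = ["wevtutil", "qe", log, "/q:" + query, "/f:" + fmt,
            "/rd:" + ("true" if newest_first else "false")]
    if count is not None:
        args.append("/c:%d" % count)
    return args


if __name__ == "__main__":
    q = build_query(levels=["error", "warning"], last_ms=window_ms(days=14))
    print(" ".join(wevtutil_args("Application", q, count=1)))
    q = build_query(start=datetime(2012, 10, 2), end=datetime(2012, 10, 17))
    print(" ".join(wevtutil_args("Application", q)))
```

The first call reproduces the two-week query from the answer above; the second reproduces the absolute form from the question, with the window written in UTC so it no longer depends on the machine's date format.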
I don't know how you feel about PowerShell, but it's available on all the systems you tagged.
From a PowerShell prompt, see Get-Help Get-EventLog -Examples for more info.
If you have to do this from a .cmd or .bat file, then you can call powershell.exe -File powershell_script_file_name
where powershell_script_file_name has the Get-EventLog command(s) you need in it.
This example gives all the Security Event Log failures; I use it to audit systems:
Get-EventLog -LogName security -newest 1000 | where {$_.entryType -match "Failure"}
I strongly recommend using LogParser for this kind of task:
logparser -i:evt file:query.sql
With query.sql containing something like this:
SELECT
TimeGenerated,EventID,SourceName,Message
FROM Application
WHERE TimeGenerated > TO_TIMESTAMP(SUB(TO_INT(SYSTEM_TIMESTAMP()), 1209600))
ORDER BY TimeGenerated DESC
The somewhat unintuitive date calculation converts the system time (SYSTEM_TIMESTAMP()) to an integer (TO_INT()), subtracts 1209600 seconds (60 * 60 * 24 * 14 = 2 weeks) and converts the result back to a timestamp (TO_TIMESTAMP()), thus producing the date from 2 weeks ago.
You can parameterize the timespan by replacing the fixed number of seconds with MUL(86400, $days) and changing the commandline to this:
logparser -i:evt file:query.sql+days=14
You can also pass the query directly to logparser:
logparser -i:evt "SELECT TimeGenerated,EventID,SourceName,Message FROM ..."
Is there any way to only output the description field of an event log entry?
I'm currently using:
wevtutil qe Application /q:*[System[(EventID=431)]] /f:text /rd:true /c:2 /gm:true > C:\query.txt
However, this outputs everything. I just want to output the description, which is under:
<EventData>
<Data> Description bllah blah</Data>
</EventData>
You can use the /f:text modifier and grep it with ^|FIND "Description":
wevtutil qe Application /q:*[System[(EventID=431)]] /f:text /rd:true /c:2 /gm:true ^|FIND "Description" > C:\query.txt
Note the ^ before the pipe, it escapes the pipe in scripts.
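Added example, not code from the question or the answer above. FIND keeps only the lines that contain the search string, and in wevtutil's /f:text output the "Description:" label sits on its own line with the message body on the lines that follow, so the pipeline above prints the label and drops the text it was after. This parser splits the text output into events (each begins with a line of the form Event[n]:) and returns the complete, possibly multi-line description of each one. The sample is a constructed imitation of the /f:text layout, not real log content, and it is used instead of calling wevtutil when the code is not run on Windows.

```python
import re
import subprocess
import sys

EVENT_HEADER = re.compile(r"^Event\[(\d+)\]:\s*$")  # start of each event in /f:text output
LABEL = "Description:"

# Constructed sample of `wevtutil qe ... /f:text /gm:true` output with two events.
SAMPLE_TEXT = """\
Event[0]:
  Log Name: Application
  Source: ExampleService
  Date: 2021-04-02T15:01:07.000
  Event ID: 431
  Task: N/A
  Level: Information
  Opcode: Info
  Keyword: Classic
  User: N/A
  User Name: N/A
  Computer: host1.example.test
  Description: 
Service started.
Listening on port 8443.

Event[1]:
  Log Name: Application
  Source: ExampleService
  Date: 2021-04-02T15:00:02.000
  Event ID: 431
  Task: N/A
  Level: Information
  Opcode: Info
  Keyword: Classic
  User: N/A
  User Name: N/A
  Computer: host1.example.test
  Description: 
Service stopped.
"""


def split_events(text):
    """Group the lines of /f:text output by event; returns one list of lines per event."""
    events, current = [], None
    for line in text.splitlines():
        if EVENT_HEADER.match(line):
            current = []
            events.append(current)
        elif current is not None:
            current.append(line)
    return events


def description_of(lines):
    """Full description: any text after the label plus every line that follows it."""
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped.startswith(LABEL):
            body = [stripped[len(LABEL):].strip()] + lines[i + 1:]
            while body and not body[0].strip():   # label line may carry no text
                body.pop(0)
            while body and not body[-1].strip():  # blank separator before next event
                body.pop()
            return "\n".join(body)
    return ""


def descriptions(text):
    """Descriptions of all events in a /f:text dump, in output order."""
    return [description_of(ev) for ev in split_events(text)]


def query_text(log, xpath, count=2):
    """Run the query on Windows; elsewhere return the constructed sample."""
    if sys.platform != "win32":
        return SAMPLE_TEXT
    args = ["wevtutil", "qe", log, "/q:" + xpath, "/f:text", "/rd:true",
            "/c:%d" % count, "/gm:true"]
    return subprocess.run(args, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for n, desc in enumerate(descriptions(query_text("Application", "*[System[(EventID=431)]]"))):
        print("Event[%d]: %s" % (n, desc))
```

/gm:true is what makes wevtutil render the message text at all; without it the Description section is empty, so keep it on the command whether the output is filtered with FIND or parsed.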