Eventquery.vbs

Updated: January 21, 2005

Eventquery.vbs

Lists the events and event properties from one or more event logs.

Syntax

eventquery[.vbs][/s Computer [/u Domain\User [/p Password]]][/fi FilterName][/fo {TABLE | LIST | CSV}][/r EventRange [/nh] [/v] [/l [APPLICATION] [SYSTEM] [SECURITY] ["DNS server"] [UserDefinedLog] [DirectoryLogName] [*] ]

Parameters
/sComputer
Specifies the name or IP address of a remote computer (do not use backslashes). The default is the local computer.
/uDomain\User
Runs the script with the account permissions of the user specified by User or Domain\User. The default is the permissions of the current logged on user on the computer issuing the command.
/pPassword
Specifies the password of the user account that is specified in the /u parameter.
/fiFilterName
Specifies the types of events to include in or exclude from the query. The following are valid filter names, operators, and values.NameOperatorValueDatetimeeq, ne, ge, le, gt, ltmm/dd/yy(yyyy), hh:mm:ssAM(/PM)Typeeq, ne{ERROR | INFORMATION | WARNING | SUCCESS | SUCCESSAUDIT | FAILUREAUDIT}IDeq, ne, ge, le, gt, ltAny valid positive integer.Usereq, neAny valid string.Computereq, neAny valid string.Sourceeq, neAny valid string.Categoryeq, neAny valid string
/fo {TABLE | LIST | CSV}
Specifies the format to use for the output. Valid values are table, list, and csv.
/rEventRange
Specifies the range of events to list.ValueDescriptionNLists N most recent events.-NLists N oldest events.N1-N2Lists the events from N1 to N2.
/nh
Suppresses column headers in the output. Valid only for table and csv formats.
/v
Specifies that verbose event information be displayed in the output.
/l [APPLICATION] [SYSTEM] [SECURITY] ["DNS server"] [UserDefinedLog] [DirectoryLogName] [*]
Specifies the log(s) to monitor. Valid values are Application, System, Security, "DNS server", a user-defined log, and Directory log. "DNS server" can be used only if the DNS service is running on the computer specified by the /s parameter. To specify more than one log to monitor, reuse the /l parameter. The wildcard (*) can be used and is the default.
/?
Displays help at the command prompt.
Remarks

To run this script, you must be running CScript. If you have not already set the default Windows Script Host to CScript, type:

cscript //h:cscript //s //nologo

Examples

The following examples show how you can use the eventquery command:

eventquery /l system

eventquery /l mylog

eventquery /l application /l system

eventquery /s srvmain /u maindom\hiropln /p p@ssW23 /v /l *

eventquery /r 10 /l application /nh

eventquery /r -10 /fo LIST /l security

eventquery /r 5-10 /l "DNS server"

eventquery /fi "Type eq Error" /l application

eventquery /fi "Datetime eq 06/25/00,03:15:00AM/06/25/00,03:15:00PM" /l application

eventquery /fi "Datetime gt 08/03/00,06:20:00PM" /fi "id gt 700" /fi "Type eq warning" /l system

Formatting legend

FormatMeaning

Italic

Information that the user must supply

Bold

Elements that the user must type exactly as shown

Ellipsis (...)

Parameter that can be repeated several times in a command line

Between brackets ([])

Optional items

Between braces ({}); choices separated by pipe (|). Example: {even|odd}

Set of choices from which the user must choose only one

Courier font

Code or program output

**
Related Links
Command-line reference A-Z
Command shell overview
**