The wevtutil command lets you retrieve information about event logs and publishers, install and uninstall event manifests, run queries, and export, archive, and clear logs.
I will start with simple examples to show how it works.
First, you should know that the events can also be viewed with the Windows tool named Event Viewer.
This tool can be found from Control Panel by searching for "Event".
Take a look at Windows Logs – Application. You can see that some events are already recorded there, which is enough to show how it works.
For today I will deal with this part. The syntax of the wevtutil command is:
wevtutil [{el | enum-logs}] [{gl | get-log} [/f:]]
[{sl | set-log} [/e:] [/i:] [/lfn:] [/rt:] [/ab:] [/ms:] [/l:] [/k:] [/ca:] [/c:]]
[{ep | enum-publishers}]
[{gp | get-publisher} [/ge:] [/gm:] [/f:]] [{im | install-manifest} ]
[{um | uninstall-manifest} ] [{qe | query-events} [/lf:] [/sq:] [/q:] [/bm:] [/sbm:] [/rd:] [/f:] [/l:] [/c:] [/e:]]
[{gli | get-loginfo} [/lf:]]
[{epl | export-log} [/lf:] [/sq:] [/q:] [/ow:]]
[{al | archive-log} [/l:]]
[{cl | clear-log} [/bu:]] [/r:] [/u:] [/p:] [/a:] [/uni:]
Let’s start:
– show us the four most recent events from the Application log in textual format:
wevtutil qe Application /c:4 /rd:true /f:text
– display the status of the Application log:
wevtutil gli Application
– back up the Application log to C:\backups\today.evtx and then clear all of the events from it:
wevtutil cl Application /bu:C:\backups\today.evtx
– show the configuration information about the Application log on the local computer in XML format:
wevtutil gl Application /f:xml
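The four commands above are usually combined in practice. The following PowerShell script is an added example, not code from the original post: it exports the Application log to a timestamped .evtx file, checks the exported file with wevtutil gli before anything is deleted, clears the live log only after that check, and then uses an XPath filter with wevtutil qe to show only error-level events. The backup directory C:\backups and the log name are assumptions you can change.

```powershell
# Added example (not from the original post). Run from an elevated prompt, because
# clearing a log needs administrative rights.
param(
    [string]$LogName   = 'Application',   # assumed: the log used throughout the post
    [string]$BackupDir = 'C:\backups'     # assumed: same folder as in the post's example
)

if (-not (Test-Path $BackupDir)) {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
}

$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$backupFile = Join-Path $BackupDir "$LogName-$stamp.evtx"

# 1. Export first, as a separate step from clearing, so the file can be checked
#    while the live log is still intact (epl = export-log).
wevtutil epl $LogName $backupFile
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backupFile)) {
    throw "Export of $LogName to $backupFile failed; the log was NOT cleared."
}

# 2. Ask wevtutil for the record count of the exported file.
#    /lf:true tells gli that the argument is a file path, not a log name.
$info  = wevtutil gli $backupFile /lf:true
$count = 0
foreach ($line in $info) {
    if ($line -match '^numberOfLogRecords:\s*(\d+)') { $count = [int]$Matches[1] }
}
Write-Host "Backup $backupFile contains $count record(s)."

# 3. Only now clear the live log (cl = clear-log).
wevtutil cl $LogName
if ($LASTEXITCODE -ne 0) { throw "Clearing $LogName failed." }

# 4. Show the five most recent error-level events (Level=2) written after the clear.
#    /q: takes an XPath filter, which is cheaper than dumping the whole log with /c:.
wevtutil qe $LogName /q:"*[System[(Level=2)]]" /c:5 /rd:true /f:text
```

Two things worth knowing when you automate this: wevtutil sets $LASTEXITCODE like any other console tool, so check it after every step rather than assuming success, and clearing a log is itself logged. Clearing the Security log writes event ID 1102 to the Security log, and clearing any other log writes event ID 104 (source Microsoft-Windows-Eventlog) to the System log, which is why these two IDs are standard alerts in monitoring setups; a scheduled maintenance script like this one should be documented so those alerts can be matched to it.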
I will come back with more examples of this command. Thank you.