Author: MtheK
Subject: PSLogList
Posted: 07 August 2014 at 4:04am
I ended up using PSLOGLIST for a summary (1 line per record) (for example):
psloglist -i 12,13,109,1074,4608,9009 -d 3 -x -s -t "\t" >psloglist.txt 2>&1
---
and used WEVTUTIL for the details (for example):
wevtutil.exe qe System /rd:true /f:text /q:"*[System [(EventID=12 or EventID=13 or EventID=109 or EventID=1074 or EventID=4608 or EventID=9009) and (Level=1 or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 259200000]]]" >wevtutil.txt
Event[0]:
Log Name: System
Source: Microsoft-Windows-Kernel-General
Date: 2014-08-06T14:50:11.671
Event ID: 12
Task: N/A
Level: Information
Opcode: Info
Keyword: N/A
User: S-1-5-18
User Name: NT AUTHORITY\SYSTEM
Computer: QCD3-HP
Description:
The operating system started at system time 2014-08-06T20:50:11.375199800Z.
---
For the app logs (for example):
dir /s /a /x /o-d *.evt (to see what files are updated) (for example):
08/06/2014 02:50 PM 1,052,672 Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
copy C:\Windows\System32\winevt\Logs\"Microsoft-Windows-Windows Firewall With Advanced Security%%4Firewall.evtx" eventA.evtx /Y >nul
if ERRORLEVEL 1 GOTO BADEVENT
psloglist -d 1 -x -s -t "\t" -l eventA.evtx >psloglistA-Firewall.txt 2>&1
wevtutil qe "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" /rd:true /f:text /q:"*[System [Provider[@Name='Microsoft-Windows-Windows Firewall With Advanced Security'] and (Level=1 or Level=2 or Level=3 or Level=4 or Level=0) and TimeCreated[timediff(@SystemTime) <= 172800000]]]" >wevtutilA-Firewall.txt 2>&1
:BADEVENT
---
For some reason, PSLOGLIST can't read an active log via the -l switch and gets rc=32 (sharing violation):
C:\windows\system32>psloglist -d 1 -x -s -t "\t" -l "winevt\logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx"
PsLoglist v2.71 - local and remote event log viewer
...
winevt\logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx:
Could not open winevt\logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx event log on QCD3-HP:
The process cannot access the file because it is being used by another process.
yet using the above COPY pair works fine? Why can COPY open it yet PSLOGLIST can't?
---
The log and provider names were gotten from WEVTUTIL's EL and EP commands, respectively. This appears necessary as I don't know how to "wildcard" them in either, if it even can be done.
Would be nice, since, in my case, I need 27 of these pairs in addition to the "System" step.
---
A .BAT does all these, thank goodness, thus requiring the double-percent in the COPY.
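The wevtutil text output above is easy to post-process into the one-line-per-record view the post gets from psloglist. The following is an added example (not the poster's code); it assumes wevtutil's `/f:text` layout as shown in the post, with a constructed two-event sample embedded inline.

```python
"""Parse `wevtutil qe <log> /f:text` output into records and summarize it one line per event."""
import re
HEADER = re.compile(r"^Event\[(\d+)\]:\s*$")

# Constructed sample in wevtutil's text layout: two events, the second outside the post's ID list.
SAMPLE = """Event[0]:
  Log Name: System
  Source: Microsoft-Windows-Kernel-General
  Date: 2014-08-06T14:50:11.671
  Event ID: 12
  Level: Information
  Description:
The operating system started at system time 2014-08-06T20:50:11.375199800Z.

Event[1]:
  Log Name: System
  Source: Service Control Manager
  Date: 2014-08-06T14:51:30.002
  Event ID: 7036
  Level: Information
  Description:
The Windows Firewall service entered the running state.
"""

def parse_wevtutil_text(text):
    """One dict per Event[N] block: 'Name: value' lines become fields, and the free text
    after 'Description:' (which may span several lines) is joined into one field."""
    events, cur, in_desc = [], None, False
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"Index": int(m.group(1)), "Description": ""}
            events.append(cur)
            in_desc = False
        elif cur is None or not line.strip():
            continue  # text before the first block, or the blank separator between blocks
        elif in_desc:
            cur["Description"] = (cur["Description"] + " " + line.strip()).strip()
        elif line.strip() == "Description:":
            in_desc = True
        else:
            key, sep, val = line.strip().partition(":")  # first colon only; timestamps contain more
            if sep:
                cur[key] = val.strip()
    return events

def summarize(events, event_ids=None):
    """Tab-separated line per record, optionally limited to an EventID set (the post's 12,13,109,1074,4608,9009)."""
    keep = [e for e in events if not event_ids or int(e.get("Event ID", -1)) in event_ids]
    return ["\t".join([e["Date"], e["Source"], e["Event ID"], e["Level"], e["Description"]]) for e in keep]
```

Feed it the contents of wevtutil.txt (or any of the per-log wevtutilA-*.txt files) instead of SAMPLE to get the same filtered summary without a second psloglist pass.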