Querying the Event Logs

The Event Logs are typically a system administrator’s first line of inquiry when trying to troubleshoot problems. Since they are so important, it is also important to see how we can make use of them with WMI. The two major components that we need to be concerned with are the Event Logs themselves and the events contained within each Event Log. We will first focus on properties of Event Logs.

The Win32_NTEventLogFile class represents an Event Log. Table 26-4 contains several Win32_NTEventLogFile properties that can be used to query or modify properties of an Event Log.

Table 26-4. Useful Win32_NTEventLogFile properties

FileSize: Size of the Event Log file in bytes.

LogfileName: Standard name used for describing the Event Log (e.g., Application).

MaxFileSize: Max size in bytes that the Event Log file can reach. This is a writeable property.

Name: Fully qualified path to the Event Log file.

NumberOfRecords: Total number of records in the Event Log.

OverwriteOutDated: Number of days after which events can be overwritten. This is a writeable property with 0 indicating to overwrite events as needed, 1-365 being the number of days to wait before overwriting, and 4294967295 indicating that events should never be overwritten.

OverwritePolicy: Text description of the overwrite policy (as specified by the OverwriteOutDated property). Can be one of WhenNeeded, OutDated, or Never.

Sources: Array of registered sources that may write entries ...
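As an added example (not code from the book), the PowerShell script below reads the Table 26-4 properties for every Event Log, flags logs whose retention settings look weak, and then raises the cap on one log through the writeable MaxFileSize property. The 64 MB audit threshold, the CIM cmdlets, and an elevated session are assumptions of this example.

```powershell
# Audit Event Log retention via Win32_NTEventLogFile (added example, not from
# the book). Assumes Windows PowerShell 5.1 or later with the CIM cmdlets and an
# elevated session, since reading the Security log's settings needs admin rights.
$MinBytes = 64MB   # audit threshold chosen for this example

$logs = Get-CimInstance -ClassName Win32_NTEventLogFile

foreach ($log in $logs) {
    # OverwriteOutDated: 0 = overwrite as needed, 1-365 = days to keep,
    # 4294967295 = never overwrite (the values listed in Table 26-4)
    $retention = switch ($log.OverwriteOutDated) {
        0          { 'as needed' }
        4294967295 { 'never' }
        default    { "$($log.OverwriteOutDated) day(s)" }
    }

    $warn = @()
    if ($log.MaxFileSize -lt $MinBytes) {
        $warn += "MaxFileSize below $($MinBytes / 1MB) MB"
    }
    # A 'Never' policy stops writing new events once the log is full, so a
    # small log with this policy silently loses the most recent activity.
    if ($log.OverwritePolicy -eq 'Never' -and $log.FileSize -ge $log.MaxFileSize) {
        $warn += 'log is full and new events are being dropped'
    }

    [pscustomobject]@{
        Log       = $log.LogfileName
        Path      = $log.Name
        Records   = $log.NumberOfRecords
        SizeMB    = [math]::Round($log.FileSize / 1MB, 1)
        MaxSizeMB = [math]::Round($log.MaxFileSize / 1MB, 1)
        Retention = $retention
        Policy    = $log.OverwritePolicy
        Sources   = @($log.Sources).Count
        Warnings  = ($warn -join '; ')
    }
}

# Raise the size cap on the Security log using the writeable MaxFileSize
# property (256 MB is an example value; the log must be large enough to
# hold events until they have been forwarded or archived).
$sec = Get-CimInstance -ClassName Win32_NTEventLogFile -Filter "LogfileName='Security'"
Set-CimInstance -InputObject $sec -Property @{ MaxFileSize = 256MB }
```

Run the audit portion first on its own; the final Set-CimInstance call changes a live setting and should be applied only on hosts where the new cap has been agreed.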

Get Active Directory, Second Edition now with O’Reilly online learning.