Querying the Event Logs

The Event Logs are typically a system administrator’s first line of inquiry when trying to troubleshoot problems. Since they are so important, it is also important to see how we can make use of them with WMI. The two major components that we need to be concerned with are the Event Logs themselves and the events contained within each Event Log. We will first focus on properties of Event Logs.

The Win32_NTEventLogFile class represents an Event Log. Table 26-4 contains several Win32_NTEventLogFile properties that can be used to query or modify the properties of an Event Log.

Table 26-4. Useful Win32_NTEventLogFile properties

Property            Description
------------------  -------------------------------------------------------------------
FileSize            Size of the Event Log file in bytes.
LogFileName         Standard name used for describing the Event Log (e.g., Application).
MaxFileSize         Maximum size in bytes that the Event Log file can reach. This is a
                    writeable property.
Name                Fully qualified path to the Event Log file.
NumberOfRecords     Total number of records in the Event Log.
OverwriteOutDated   Number of days after which events can be overwritten. This is a
                    writeable property: 0 indicates that events are overwritten as
                    needed, 1-365 is the number of days to wait before overwriting, and
                    4294967295 indicates that events should never be overwritten.
OverwritePolicy     Text description of the overwrite policy (as specified by the
                    OverwriteOutDated property). Can be one of WhenNeeded, OutDated,
                    or Never.
Sources             Array of registered sources that may write entries ...
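The following is an added example, not code from the book, showing how the Table 26-4 properties can be queried from PowerShell with the CIM cmdlets rather than the VBScript the chapter uses. It reads every Win32_NTEventLogFile instance and flags logs whose retention settings risk losing evidence: a small MaxFileSize, or a WhenNeeded overwrite policy on a log that is nearly full. The 20 MB threshold and the function name Get-EventLogRetentionReport are assumptions chosen for the example; querying the Security log requires administrative rights.

```powershell
# Added example (not from the book): audit Event Log size and retention policy
# through the Win32_NTEventLogFile class, using only the properties in Table 26-4.
# Assumes a Windows host with the CIM cmdlets; run elevated to see the Security log.

function Get-EventLogRetentionReport {
    param(
        # Logs smaller than this are flagged as too small to keep useful history.
        # 20 MB is a constructed example threshold, not a value from the book.
        [long]$MinRecommendedBytes = 20MB
    )

    $logs = Get-CimInstance -ClassName Win32_NTEventLogFile

    foreach ($log in $logs) {
        # Percentage of the configured maximum currently in use.
        $percentFull = if ($log.MaxFileSize -gt 0) {
            [math]::Round(100 * $log.FileSize / $log.MaxFileSize, 1)
        } else { 0 }

        $warnings = @()
        if ($log.MaxFileSize -lt $MinRecommendedBytes) {
            $warnings += "MaxFileSize below $($MinRecommendedBytes / 1MB) MB"
        }
        # OverwritePolicy is the text form of OverwriteOutDated (0 = WhenNeeded).
        if ($log.OverwritePolicy -eq 'WhenNeeded' -and $percentFull -ge 90) {
            $warnings += 'near capacity; oldest events about to be overwritten'
        }

        [pscustomobject]@{
            LogFileName       = $log.LogFileName
            Path              = $log.Name
            Records           = $log.NumberOfRecords
            FileSizeMB        = [math]::Round($log.FileSize / 1MB, 2)
            MaxFileSizeMB     = [math]::Round($log.MaxFileSize / 1MB, 2)
            PercentFull       = $percentFull
            OverwritePolicy   = $log.OverwritePolicy
            OverwriteOutDated = $log.OverwriteOutDated
            RegisteredSources = @($log.Sources).Count
            Warnings          = ($warnings -join '; ')
        }
    }
}

# Raise MaxFileSize on one log. MaxFileSize is writeable (Table 26-4); this uses
# Set-CimInstance to write it back, which requires administrative rights and an
# Event Log service that honours the WMI provider's setting on this Windows version.
function Set-EventLogMaxSize {
    param(
        [Parameter(Mandatory)][string]$LogFileName,
        [Parameter(Mandatory)][long]$MaxFileSizeBytes
    )
    $log = Get-CimInstance -ClassName Win32_NTEventLogFile |
        Where-Object { $_.LogFileName -eq $LogFileName }
    if (-not $log) { throw "No Event Log named '$LogFileName' was found." }
    Set-CimInstance -InputObject $log -Property @{ MaxFileSize = $MaxFileSizeBytes }
}

# Usage: print the report, then show only the logs that drew a warning.
$report = Get-EventLogRetentionReport
$report | Format-Table -AutoSize
$report | Where-Object { $_.Warnings } | Select-Object LogFileName, Warnings
```

The report is returned as objects rather than printed text so it can be exported (for example with Export-Csv) or compared across domain controllers; a log that is both set to WhenNeeded and running near its MaxFileSize is the one most likely to have already lost the events an investigation needs.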
