8.9. Searching an Event Log on a Server


You want to search for events in a specific event log.


Using a graphical user interface

  1. Open the Event Viewer (eventvwr.msc).

  2. In the left pane, right-click on the event log you want to search and select Properties.

  3. Click the Filter tab.

  4. Enter the search criteria and click OK.


Another alternative for searching the event logs on a single host is the Event Comb utility, which I cover in Recipe 8.10.

Using a command-line interface

You can use the eventquery.vbs command on Windows Server 2003 to remotely query the event log of a server. The following command displays the last 10 events with event ID 105 on the host fs01:

> eventquery.vbs /S fs01 /R 10 /L Application /FI "ID eq 105"

On Windows 2000, you can use a combination of the elogdmp and findstr commands to find specific events. The following command displays events in the Application log that have the string 105 somewhere in the event (it could be in the description, the event ID, etc.):

> elogdmp server01 Application | findstr 105

Obviously this may not find exactly what you want, but since the output of elogdmp is comma-delimited, you can play around with what you pass to findstr to improve your odds of returning exactly what you want. For example:

> elogdmp server01 Application | findstr ",105,"
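The difference between the two findstr patterns above, next to a stricter match on the event ID field alone, as an added example that is not from the book. The sample lines and the column layout (event ID as the fifth field, before the description) are constructed assumptions, not real elogdmp output; check a real dump and adjust EVENT_ID_COLUMN.

```python
# Added example: the dump below is constructed for illustration and the column
# layout is an assumption, not documented elogdmp output.
SAMPLE_DUMP = """\
4/12/2005,09:14:02,Information,BackupSvc,105,Backup job completed
4/12/2005,09:20:41,Warning,DiskMon,1050,Volume D: is 91 percent full
4/12/2005,09:31:17,Error,SyncAgent,2004,Retry counts per stage: 3,105,7
4/12/2005,10:02:55,Information,BackupSvc,8019,Copied 105 files to tape
"""

EVENT_ID_COLUMN = 4  # assumed 0-based position of the event ID field


def substring_match(lines, text):
    """Same idea as piping to findstr: text may appear anywhere in the line."""
    return [ln for ln in lines if text in ln]


def field_match(lines, event_id, column=EVENT_ID_COLUMN):
    """Compare only the event ID field and ignore every other column."""
    hits = []
    for ln in lines:
        # Split just far enough to isolate the ID; commas in the trailing
        # description stay inside the last element and cannot shift the column.
        fields = ln.split(",", column + 1)
        if len(fields) > column and fields[column].strip() == str(event_id):
            hits.append(ln)
    return hits


def compare(dump=SAMPLE_DUMP, event_id=105):
    """Return the lines each of the three matching strategies selects."""
    lines = [ln for ln in dump.splitlines() if ln.strip()]
    return {
        "findstr 105": substring_match(lines, str(event_id)),
        'findstr ",105,"': substring_match(lines, "," + str(event_id) + ","),
        "event ID field": field_match(lines, event_id),
    }


if __name__ == "__main__":
    for name, hits in compare().items():
        print(f"{name}: {len(hits)} line(s)")
        for ln in hits:
            print("   ", ln)
```

On this sample the plain substring also catches event 1050 and two descriptions, the comma-delimited pattern still catches a description that happens to contain ",105,", and only the field comparison returns the single event whose ID is 105.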

Using VBScript

' This code searches for events matching the specified criteria.
intEventCode = <EventID>            ' Event ID to match; e.g., 105
strLog       = "<EventLogName> ...
