Query windows event log for the past two weeks

Question

I am trying to export a windows event log but limit the exported events not according to number but according to time the event was logged. I am trying to do that on windows 7 and newer. So far my efforts are focused on using wevtutil.

I am using wevtutil and my command line now is: wevtutil Application events.evtx The problem here is that I export the whole log and this can be quite big so I want to limit it just to the last 2 weeks.

I have found this post but first of all it does not seem to produce any output on my system(yes I have changed the dates and time) and second it seems to be dependent on the date format which I try to avoid.

Here is the modified command I ran:

wevtutil qe Application "/q:*[System[TimeCreated[@SystemTime>='2012-10-02T00:00:00' and @SystemTime<'2012-10-17T00:00:00']]]" /f:text

I had to replace the < and > with the actual symbols as I got a syntax error otherwise. This command produces empty output.

Answer 1

The problem is due to /q: being inside quotes. It should be outside, like:

wevtutil qe Application /q:"*[System[TimeCreated[@SystemTime>='2012-10-02T00:00:00' and @SystemTime<'2012-10-17T00:00:00']]]" /f:text

This works just fine for me.

Answer 2

For the events of the last 2 weeks, you could also use timediff, to avoid hard-coding dates.

Windows uses milliseconds, so it would be 1000 * 86400 (seconds, = 1 day) * 14 (days) = 1209600000.

For your query, that would look like

wevtutil qe Application /q:"*[System[TimeCreated[timediff(@SystemTime) <= 1209600000]]]" /f:text /c:1

I added /c:1 to get only 1 event in the example, since there are many events in the last 2 weeks.

You may also want to only list warning and errors. For that, you can use (Level=2 or Level=3). (For some reason, Level<4 doesn't seem to work for me on Win7)

wevtutil qe Application /q:"*[System[(Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) <= 1209600000]]]" /f:text /c:1

Answer 3

I strongly recommend using LogParser for this kind of task:

logparser -i:evt file:query.sql

With query.sql containing something like this:

SELECT
  TimeGenerated,EventID,SourceName,Message
FROM Application
WHERE TimeGenerated > TO_TIMESTAMP(SUB(TO_INT(SYSTEM_TIMESTAMP()), 1209600))
ORDER BY TimeGenerated DESC

The somewhat unintuitive date calculation converts the system time (SYSTEM_TIMESTAMP()) to an integer (TO_INT()), subtracts 1209600 seconds (60 * 60 * 24 * 14 = 2 weeks) and converts the result back to a timestamp (TO_TIMESTAMP()), thus producing the date from 2 weeks ago.

You can parameterize the timespan by replacing the fixed number of seconds with MUL(86400, $days) and changing the commandline to this:

logparser -i:evt file:query.sql+days=14

You can also pass the query directly to logparser:

logparser -i:evt "SELECT TimeGenerate,EventID,SourceName,Message FROM ..."