PsLogList (SysInternals)

Event log records

Syntax
      psloglist [- ] [\\computer[,computer[,...] | @file
         [-u user [-p passwd]]] [-s [-t delim]]
            [-m #|-n #|-h #|-d #|-w]
               [-c][-x][-r][-a mm/dd/yy][-b mm/dd/yy]
                  [-f filter] [-i ID[,ID[,...] | -e ID[,ID[,...]]]
                     [-o event source[,event source][,..]]]
                        [-q event source[,event source][,..]]]
                           [-l event_log_file] <eventlog>

Options:

   computer   The computer on which the log resides. Default=local system 

   -p passwd  Specify a password for user (optional). Passed as clear text.
              If omitted, you will be prompted to enter a hidden password.

   -u user    Specify a user name for login to remote computer(optional).

   @file      Execute the command on each of the computers listed in the file.

   -a         Dump records timestamped after specified date.

   -b         Dump records timestamped before specified date.

   -c         Clear the event log after displaying.

   -d #       Only display records from previous # days.

   -e ID      Exclude events with the specified ID or IDs (up to 10).

   -f filter  Filter event types with filter string (e.g. "-f w" to filter warnings).

   -h #       Only display records from previous # hours.

   -i ID      Show only events with the specified ID or IDs (up to 10).

   -l event_log_file  Dump records from the specified event log file.

   -m #       Only display records from previous # minutes.

   -n #       Only display # number of most recent entries.

   -o event source
              Show only records from the specified event source (e.g. "-o cdrom").

   -q event source
              Omit records from the specified event source or sources (e.g. "-q cdrom").

   -r         Dump log from least recent to most recent.

   -s         Print Event Log records one-per-line, with comma delimited fields.
              This format is convenient for text searches, e.g. psloglist | findstr /i text
              and for importing the output into a spreadsheet.

   -t delim   The default delimiter is a comma, but it can be overridden with the specified character.

   -w         Wait for new events, dumping them as they generate (local system only).

   -x         Dump extended data.

   eventlog   application, system or security; only the first few letters need be used.
              Default=system log.

   -accepteula Suppress the display of the license dialog.

If your current security credentials would not permit access to the Event Log, specify a different username (-u user).

When launched for the first time, PsLogList will create the regkey
HKCU\Software\Sysinternals\PsLogList\EulaAccepted=0x01

Examples:

List everything in the application event log on \\workstation64 from the last 24 hours:

psloglist \\workstation64 -h 24 application
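A further worked example, added here and not taken from the SS64 page or from Sysinternals, that uses the -s and -t options to turn PsLogList output into objects for summarising or spreadsheet import. It assumes psloglist.exe is on the PATH and assumes a column order for the -s output (the Header parameter), which should be checked against real output before relying on it.

```powershell
# Added example (not SS64 or Sysinternals code). Runs psloglist -s with a custom
# delimiter, parses one record per line into objects, then summarises them.
function Get-PsLogListRecords {
    param(
        [string]$Computer = $env:COMPUTERNAME,
        [string]$EventLog = 'system',
        [int]$Hours = 24,
        [string]$Delimiter = '|',     # passed via -t so commas in messages do not split fields
        # ASSUMED column order of "psloglist -s" output; verify against your own output.
        [string[]]$Header = @('Record', 'Source', 'Type', 'Computer', 'Time', 'EventID', 'Message')
    )
    $cmdArgs = @("\\$Computer", '-accepteula', '-s', '-t', $Delimiter, '-h', $Hours, $EventLog)
    $pattern = [regex]::Escape($Delimiter)
    & psloglist.exe @cmdArgs 2>$null |
        Where-Object { $_ -match $pattern } |            # skip banner and blank lines
        ForEach-Object {
            # Split into at most Header.Count parts so any delimiter inside the
            # message text stays in the last field instead of shifting columns.
            $parts = $_ -split $pattern, $Header.Count
            $obj = [ordered]@{}
            for ($i = 0; $i -lt $Header.Count; $i++) {
                $obj[$Header[$i]] = if ($i -lt $parts.Count) { $parts[$i].Trim() } else { '' }
            }
            [pscustomobject]$obj
        }
}

# Usage: most frequent source/ID pairs among errors and warnings from the last
# 24 hours on the local system, plus a CSV export for a spreadsheet.
$records = Get-PsLogListRecords -EventLog system -Hours 24
$records |
    Where-Object { $_.Type -match '^(ERROR|WARNING)' } |
    Group-Object Source, EventID |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name |
    Format-Table -AutoSize

$records | Export-Csv -Path "$env:TEMP\psloglist-system.csv" -NoTypeInformation
```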

“Events, dear boy, events” ~ British Prime Minister Harold Macmillan (answer to 'what is the biggest problem in politics'?)

Related:

SysInternals Forum
WECUTIL - Windows Event Collector Utility.
Equivalent bash command (Linux): Logs are in plain ASCII text.

Copyright © SS64.com 1999-2019
Some rights reserved