This article describes how to use the Event Query Script tool (Eventquery.pl file) to display events from Event Viewer logs of Microsoft Windows 2000-based computers.
An event is any significant occurrence in the system, or in a program, that requires that users be notified or requires that an entry be made to a log. The Event Log Service records events to the Application, Security, and System logs in Event Viewer. Also, events are written to the Directory Service and File Replication Service logs on domain controllers, and the DNS Server log on Domain Name System (DNS) servers.
By using Event Viewer, you can obtain information about your hardware, software, and system components, and you can monitor security events on a local or remote computer. Event logs can help you identify and diagnose the source of current system problems and help you predict potential system problems. back to the top
System Requirements for Eventquery.pl
The Event Query Script tool is available in the Microsoft Windows 2000 Resource Kit Supplement 1. This script tool runs on a source computer and acts on a target computer (which can be the same computer as the source computer). Before you can use this tool to query the Event logs of the local or a remote computer, the following requirements must be met: back to the top
back to the top
- The computer is running either Windows 2000 Professional or Windows 2000 Server.
- ActiveState ActivePerl Build 521 is installed. This program is available in the Windows 2000 Resource Kit.
The computer must also be correctly configured to run the Perl scripts that are included in the Windows 2000 Resource Kit Supplement 1. The Resource Kit WMI provider module, Wmi.pm, must be in the Perl Installation Folder\Site\Lib\W2rk folder. The Resource Kit Setup program typically creates the W2rk folder and copies the Wmi.pm file to this folder.
If Setup does not automatically create the W2rk folder, you can manually create it and configure the environment in which to run Eventquery.p. For more information about how to do this, see the Troubleshooting section later in this article.
- You must be logged in as a member of the Administrators group to view Security log events.
back to the top
- The computer is running either Windows 2000 Professional or Windows 2000 Server
Overview of Eventquery.pl
Eventquery.pl uses the following syntax:
eventquery.pl EventLog [ EventLog...] | * [ -s Computer [ -u Domain\User -p Password]] [-range n|-n | Begin-End][-format table|list | csv] [-v][-filter "FieldOperatorValue" [-filter "FieldOperatorValue"...]]
The parameters that you can use with Eventquery.pl are as follows:
- EventLog [ EventLog...]| *: Use this parameter to specify the event logs that you want to search. If you want to search two or more event logs, separate each log with a space. If you want to search all event logs, use the wildcard character (*). If the event log name contains a space, enclose the name with quotation marks (").
- -s Computer: Use this parameter to specify the name or IP address of a remote computer. If you omit this parameter, the local computer is specified.
NOTE: Both the -p and -u parameters are available only if you use the -s parameter.
- -u Domain\User: Use this parameter to specify the user account with which to run Eventquery.pl. If you omit this parameter, Eventquery.pl uses the permissions of the currently logged-on user. If you use this parameter, you must also use the -p parameter to provide the user's password.
- -p Password: Use this parameter to specify the password of the user account that is specified by the -u parameter. The -p parameter is required if you use the -u parameter.
- -range n|-n |Begin-End: Use this parameter to specify the number of events that appear from each event log. If you omit this parameter, Eventquery.pl displays all events.
- n: Use this variable to specify the most recent n events in each log, which will appear in descending order, where n is a whole number greater than 0 (zero).
- -n: Use this variable to specify the last (oldest) n events in each log, which will appear in ascending order, where -n is a whole number greater than 0 (zero).
- Begin-End: Use this variable to define a range of events in each log, where Begin and End are whole numbers greater than 0 (zero).
- -format table|list| csv: Use this parameter to specify the output format. If you omit this parameter, Eventquery.pl uses the table format.
- -v: Use this parameter to add the event Data and Description sections to the display.
- -filter "FieldOperatorValue" [-filter "FieldOperatorValue"...]: Use this parameter to specify the criteria for events that are included in the display. If you omit this parameter, all events appear. Use a separate instance of -filter "FieldOperatorValue" for each criteria that you want to specify, and separate each parameter with a space.
The following table lists the operators and values that are available for each field that is used with the -filter parameter. The table also provides an example of each "FieldOperatorValue":
back to the top
|Type||= !||Error | Information | Warning (System and Application logs) | SuccessAudit or FailureAudit (Security Log)||"Type=Error"|
|DateTime||All logical operators||Date in mm/dd/[yy]yy format or Date:Time in mm/dd/[yy]yy:hh:[mm:[ss[am|pm]]] format||"datetime>02/08/2002:11:59:59PM"|
|Source||= !||Name of the component that logged the event.||"source=Service Control Manager"|
|Category||= !||A valid event classification||"category=Policy Change"|
|ID||All logical operators.||An event identifier||"ID!88"|
|Computer||= !||A valid computer name.||"computer=server2"|
back to the top
- To display all events in the Application log of the local computer in the default table format, type the following line at the command prompt, and then press ENTER:
- To display details of all events in the System and DNS Server logs of a computer named Server8 in list format, type the following line at the command prompt, and then press ENTER:
eventquery.pl system "dns server" -s server8 -format list -v
- To run Eventquery.pl by using the Administrators account to display the events in the Security log of a computer named Server5 in comma-delimited format and redirect the output to a file named Srv5_Sec.csv on drive E, type the following line at the command prompt, and then press ENTER:
eventquery.pl security -s server5 -u mydomain\administrator -p mypassword -format csv > e:\srv5_sec.csv
- To display a detailed record of events in all event logs of the local computer that were recorded between 8:00 A.M and 8:20 A.M. on February 8, 2002, in list format, type the following line at the command prompt, and then press ENTER:
eventquery.pl * -format list -v -filter "datetime>02/08/2002:8:00am" -filter "datetime<02/08/2002:08:20am"
- To search the System log for instances of Windows File Protection Event ID 64004 and then display the events in default table format, type the following line at the command prompt, and then press ENTER:
eventquery.pl system -filter "source=windows file protection" -filter "id=64004" -v
- To display the five most recent events from the Application log on a computer named Server8 in the default table format and redirect the output to the App_new.txt file, type the following line at the command prompt, and then press ENTER:
eventquery.pl application -s server8 -range 5 > app_new.txt
- To display all error events (except Event ID 100) that are recorded in the Application log by a program named MyApp in comma-delimited format and redirect the output to the C:\Myapp\Errors.csv file, type the following line at the command prompt, and then press ENTER:
eventquery.pl application -filter "type=error" -filter "source=myapp" -filter "id!100" -format csv > c:\myapp\errors.csv
When you try to run Eventquery.pl, you receive the following error message:
ERROR: Wmi.pm is required to run the script.
Copy Wmi.pm from the Resource Kit directory to /Perl/site/lib/W2RK.
This behavior can occur if the computer is not correctly configured to run the Perl scripts that are included in the Windows 2000 Resource Kit Supplement 1. To use Eventquery.pl, the W2rk folder must exist in the Perl Installation Folder
\Site\Lib folder, and it must contain the Wmi.pmi file.
To resolve this behavior, manually configure the environment in which to run Perl scripts:
- Create a folder named W2rk in the Perl Installation Folder\Site\Lib folder.
NOTE: The default Perl Installation Folder is drive:\Perl where drive is the drive on which Windows is installed.
- Copy the Wmi.pmi file from the folder in which the Windows 2000 Resource Kit is installed (typically, \Program Files\Resource Kit) to the W2rk folder that you created in step 1.
When you run Eventquery.pl, you may receive one or more messages similar to the following in the Command Prompt window:
INFO: No 'EventLogName' log entries satisfy filter criteria.
This behavior may occur if Eventquery.pl did not find any event log entries that meet the filtering criteria that you specified.back to the top
For additional information about how to view and manage logs in Event Viewer, click the following article numbers to view the articles in the Microsoft Knowledge Base:
Diagnose system problems with Event Viewer in Microsoft Windows 2000
How to move Event Viewer log files to another location in Windows 2000 and in Windows Server 2003
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
How to use the Event Logging utility (Logevent.exe) to create and log custom events in Event Viewer in Windows 2000
For more information about the Windows 2000 Resource Kit, visit the following Microsoft Web site:back to the top