Returning just the errors using Wevtutil.exe
I posted earlier on how you can use Wevtutil to enumerate the event logs on Server Core or LH. Someone left a comment asking how they could return just the errors from the System log instead of all the events. That seems like a reasonable question, and after a bit of research, here is the solution.
This queries the System log for all events with a Level of 1 (Critical) or 2 (Error), writes them out in text format, newest first (/RD:TRUE), and stops after a count of 4 events (/C:4).
C:\Windows>wevtutil qe System "/q:*[System[(Level=1 or Level=2)]]" /f:text /RD:TRUE /C:4
Event[0]:
Log Name: System
Source: Microsoft-Windows-TerminalServices-RemoteConnectionManager
Date: 2007-11-04T17:11:22.000
Event ID: 1041
Task: N/A
Level: Error
Opcode: N/A
Keyword: Classic
User: N/A
User Name: N/A
Computer: Comp1
Description:
Autoreconnect failed to reconnect user to session because authentication failed. (Access is denied.)
Event[1]:
Log Name: System
Source: Microsoft-Windows-GroupPolicy
Date: 2007-11-04T14:04:33.147
Event ID: 1006
Task: N/A
Level: Error
Opcode: Start
Keyword: N/A
User: S-1-5-18
User Name: NT AUTHORITY\SYSTEM
Computer: Comp1
Description:
The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.
Event[2]:
Log Name: System
Source: TermDD
Date: 2007-11-04T12:01:21.118
Event ID: 56
Task: N/A
Level: Error
Opcode: N/A
Keyword: Classic
User: N/A
User Name: N/A
Computer: Comp1
Description:
The Terminal Server security layer detected an error in the protocol stream and has disconnected the client.
Event[3]:
Log Name: System
Source: Microsoft-Windows-TerminalServices-RemoteConnectionManager
Date: 2007-11-04T11:44:23.000
Event ID: 1041
Task: N/A
Level: Error
Opcode: N/A
Keyword: Classic
User: N/A
User Name: N/A
Computer: Comp1
Description:
Autoreconnect failed to reconnect user to session because authentication failed. (Access is denied.)
Update: Add /r:<system> to the end of the command to query a remote server.
More details on Event selection: https://msdn2.microsoft.com/en-us/library/aa385231.aspx
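As an added example (not code from the original post), the Python below builds the command line shown above for a chosen set of levels and an optional /r: remote host, and parses the /f:text listing that wevtutil returns into one record per event so the errors can be filtered or counted; SAMPLE is constructed from two of the events in the listing above, with the Group Policy description split over two lines the way wevtutil prints multi-line messages.

```python
import re

# Constructed sample in the /f:text layout, built from two events in the post.
# Real output indents field lines with two spaces; the parser accepts both.
SAMPLE = """Event[0]:
  Source: Microsoft-Windows-TerminalServices-RemoteConnectionManager
  Date: 2007-11-04T17:11:22.000
  Event ID: 1041
  Level: Error
  Description:
Autoreconnect failed to reconnect user to session because authentication failed. (Access is denied.)

Event[1]:
  Source: Microsoft-Windows-GroupPolicy
  Date: 2007-11-04T14:04:33.147
  Event ID: 1006
  Level: Error
  Description:
The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed).
Look in the details tab for error code and description.
"""

EVENT_HEADER = re.compile(r"^Event\[(\d+)\]:\s*$")

def build_query(log="System", levels=(1, 2), count=4, remote=None):
    """Argument list for the post's command (Level 1 = Critical, 2 = Error)."""
    cond = " or ".join(f"Level={lvl}" for lvl in levels)
    args = ["wevtutil", "qe", log, f"/q:*[System[({cond})]]", "/f:text", "/RD:TRUE", f"/C:{count}"]
    return args + ([f"/r:{remote}"] if remote else [])

def parse_wevtutil_text(text):
    """One dict per Event[n] block; a multi-line description is joined."""
    events, in_desc = [], False
    for line in text.splitlines():
        header = EVENT_HEADER.match(line)
        if header:
            events.append({"Index": int(header.group(1)), "Description": ""})
            in_desc = False
        elif not events or not line.strip():
            continue  # text before the first event, or blank separators
        elif in_desc:  # every line after "Description:" is message text
            events[-1]["Description"] = (events[-1]["Description"] + " " + line.strip()).strip()
        else:
            key, _, value = line.strip().partition(":")
            if key == "Description":
                in_desc = True
            else:
                events[-1][key] = value.strip()
    return events
```

Pass the list from build_query to subprocess.run on a Windows host and feed its stdout to parse_wevtutil_text; the /q: XPath is quoted for you because it is a single argument.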
Technorati tags: Windows 2008, Longhorn, Vista, Server core
Comments
Anonymous
January 01, 2003
To answer Mark's query, you need to replace the "<" escape sequence with the "<" less than character. Then it should work. I've blogged out this here: http://www.open-a-socket.com/index.php/2008/11/28/exporting-event-logs-with-wevtutilexe-using-a-time-based-query/ Tony
Anonymous
January 15, 2008
The comment has been removed
Anonymous
January 17, 2008
Wish I knew, but I don't. Sorry!
Anonymous
April 01, 2008
Hey Brad, thanks -- excellent post that answered the exact question I was trying to answer. Thank you for taking the time to write this up!