WMIC event viewer script


rschneid76

Hello all,

Am trying to get a script using WMIC commandline that outputs the
eventviewer of a certain server on a certain date. So far I have
this..

WMIC /node:"myserver" NTEVENT WHERE "EventType<3 AND LogFile != 'Security' AND TimeGenerated = '20050330'" GET LogFile, SourceName, EventType, Message, TimeGenerated /FORMAT:htable >c:\mysystem.htm

but as the TimeGenerated is in a different format my queries for that
date come up empty. Just wondering if anyone has any ideas how i can
format it so i can get a normal datetime output? I am assuming i have
to modify the select statement somehow with a function, but i havent
found anything about this in my searches of the web. Any help would be
greatly appreciated!! thanks

caraculo4
 
You need to use UTC format for the time format. Also, you need to use a
range for the TimeGenerated, not an equals sign. So the time part is like

TimeGenerated > '20050330000000.000000-240' and TimeGenerated <
'20050331000000.000000-240'

This would query for the events on 3/30/2005. Note that the -240 is the bias
for Eastern Time Zone. You need to adjust it for other time zones.
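As an added example (not code from either poster), here is a small Python helper that builds the DMTF/CIM datetime strings the WQL comparison above needs, assembles the full WMIC command for a given day and time-zone bias, and parses the DMTF timestamps WMIC returns back into ordinary datetimes. The server name, output path, and the -240 bias are assumed values taken from the thread; pass your own zone's offset in minutes.

```python
import re
from datetime import date, datetime, timedelta, timezone

# WMI (CIM_DATETIME) layout: yyyymmddHHMMSS.ffffff+UUU
# UUU is the offset from UTC in minutes, sign included (e.g. -240, +060, +000).
DMTF_RE = re.compile(
    r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})\.(\d{6})([+-]\d{3})$"
)


def dmtf_datetime(dt: datetime) -> str:
    """Format a timezone-aware datetime as a DMTF datetime string."""
    if dt.tzinfo is None:
        raise ValueError("a timezone-aware datetime is required")
    offset_min = int(dt.utcoffset().total_seconds() // 60)
    # {:+04d} gives a sign plus three digits, which is what WMI expects.
    return f"{dt:%Y%m%d%H%M%S}.{dt.microsecond:06d}{offset_min:+04d}"


def parse_dmtf(value: str) -> datetime:
    """Turn a DMTF datetime string from WMIC output into a datetime."""
    m = DMTF_RE.match(value)
    if not m:
        raise ValueError(f"not a DMTF datetime: {value!r}")
    y, mo, d, h, mi, s, us, off = m.groups()
    tz = timezone(timedelta(minutes=int(off)))
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), int(us), tzinfo=tz)


def day_bounds(day: date, tz: timezone) -> tuple:
    """Local midnight at the start of `day` and at the start of the next day."""
    start = datetime.combine(day, datetime.min.time(), tzinfo=tz)
    end = start + timedelta(days=1)
    return dmtf_datetime(start), dmtf_datetime(end)


def build_wql(day: date, tz: timezone, exclude_log: str = "Security", max_type: int = 3) -> str:
    """WHERE clause matching the thread's query, but with a proper date range."""
    lo, hi = day_bounds(day, tz)
    return (
        f"EventType<{max_type} AND LogFile != '{exclude_log}' AND "
        f"TimeGenerated >= '{lo}' AND TimeGenerated < '{hi}'"
    )


def wmic_command(node: str, day: date, tz: timezone, out_path: str) -> str:
    """Full WMIC command line; node and out_path are caller-supplied."""
    return (
        f'WMIC /node:"{node}" NTEVENT WHERE "{build_wql(day, tz)}" '
        f"GET LogFile, SourceName, EventType, Message, TimeGenerated "
        f"/FORMAT:htable >{out_path}"
    )


if __name__ == "__main__":
    # Assumed values from the thread: server "myserver", bias -240 minutes.
    eastern = timezone(timedelta(minutes=-240))
    print(wmic_command("myserver", date(2005, 3, 30), eastern, r"c:\mysystem.htm"))
    # A constructed sample TimeGenerated value, converted to a readable form.
    print(parse_dmtf("20050330134512.250000-240").isoformat())
```

The generated command can be pasted straight into cmd.exe; the parser is handy when post-processing the /FORMAT:csv output so the TimeGenerated column reads as a normal timestamp.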
 
Windows 2003

You have not said if it is a Windows 2003 server, but if it is then try this

Command line
cscript //h:cscript /s

Then run a command called

Eventquery

This will provide you with a greater degree of flexibility than WMIC as it has an easier command structure

eg

Eventquery /v /l system /fi "type eq error" /fi "source eq eventlog" /fi "datetime eq mm\dd\yy" /fo csv >> c:\errors.csv

This will display in a CSV file any ERRORS from EVENTLOG on a said date. This type of error is normally associated with unexpected system shutdowns. The beauty of this is that the previous info in the CSV file is appended, not overwritten, so you could run this daily and keep all instances. You will need to find a way to change the datetime parameter to do this automatically. Removing the /v cuts down the output to just the log, not its detailed info.

Check eventquery /? for full options
 