Manage Event Logs with WEVTUTIL

Microsoft has finally put the time and energy into giving us a useful Event Viewer. Windows Vista and Windows Server 2008 come with a revamped Event Viewer, as well as some additional tools that make it easy to manage. In addition to Event Viewer's new subscription option, there is a new command-line utility, WEVTUTIL, which lets you control nearly every aspect of the Event Viewer logs.

WEVTUTIL is a powerful command, and its parameters and switches are proof of that: because it can control nearly every aspect of the Event Viewer and its logs, it needs a large number of parameters and switches to cover those details.

The main structure of the syntax for WEVTUTIL is the following:

wevtutil [{el | enum-logs}]
[{gl | get-log} <Logname> [/f:<Format>]]
[{sl | set-log} <Logname> [/e:<Enabled>] [/i:<Isolation>] [/lfn:<Logpath>] [/rt:<Retention>] [/ab:<Auto>] [/ms:<Size>] [/l:<Level>] [/k:<Keywords>] [/ca:<Channel>] [/c:<Config>]]
[{ep | enum-publishers}]
[{gp | get-publisher} <Publishername> [/ge:<Metadata>] [/gm:<Message>] [/f:<Format>]]
[{im | install-manifest} <Manifest>]
[{um | uninstall-manifest} <Manifest>]
[{qe | query-events} <Path> [/lf:<Logfile>] [/sq:<Structquery>] [/q:<Query>] [/bm:<Bookmark>] [/sbm:<Savebm>] [/rd:<Direction>] [/f:<Format>] [/l:<Locale>] [/c:<Count>] [/e:<Element>]]
[{gli | get-loginfo} <Logname> [/lf:<Logfile>]]
[{epl | export-log} <Path> <Exportfile> [/lf:<Logfile>] [/sq:<Structquery>] [/q:<Query>] [/ow:<Overwrite>]]
[{al | archive-log} <Logpath> [/l:<Locale>]]
[{cl | clear-log} <Logname> [/bu:<Backup>]]
[/r:<Remote>] [/u:<Username>] [/p:<Password>] [/a:<Auth>] [/uni:<Unicode>]
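
As an added example (not part of the original article), the PowerShell script below combines several of the subcommands from the syntax above: gl to review each log's settings, epl to archive a copy, gli for log statistics, and qe to list recent Security events with ID 1102 (audit log cleared). The log list, the C:\LogArchive folder and the 20 MB size floor are assumptions chosen for illustration.

```powershell
# Added example, not from the original article. Run from an elevated prompt.
# Assumed values: the log list, the archive folder and the 20 MB size floor.
$logs     = 'Application', 'System', 'Security'
$archive  = 'C:\LogArchive'      # hypothetical destination folder
$minBytes = 20MB                 # illustrative threshold, not a Microsoft figure
New-Item -ItemType Directory -Path $archive -Force | Out-Null

foreach ($log in $logs) {
    # "wevtutil gl" prints "key: value" lines; collect them into a table.
    $cfg = @{}
    wevtutil gl $log | ForEach-Object {
        if ($_ -match '^\s*(\w+):\s*(.*)$') { $cfg[$Matches[1]] = $Matches[2] }
    }
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Cannot read settings for $log"
        continue
    }

    # Flag settings that shorten how long events survive on the host.
    if ($cfg['enabled'] -ne 'true') {
        Write-Warning "$log is disabled"
    }
    if ([int64]$cfg['maxSize'] -lt $minBytes) {
        Write-Warning "$log maxSize is only $($cfg['maxSize']) bytes"
    }
    if ($cfg['retention'] -eq 'false') {
        Write-Output "$log overwrites its oldest events when full"
    }

    # epl copies the live log to an .evtx file; /ow:true replaces an older copy.
    $out = Join-Path $archive ('{0}-{1:yyyyMMdd}.evtx' -f $log, (Get-Date))
    wevtutil epl $log $out /ow:true

    # gli reports status details for the log, such as record count and file size.
    wevtutil gli $log
}

# Event ID 1102 in the Security log records that the audit log was cleared.
# /rd:true reads newest first; /c:5 limits the output to five events.
wevtutil qe Security '/q:*[System[(EventID=1102)]]' /rd:true /c:5 /f:text
```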
