Wevtutil to output only new event logs


I run the command wevtutil qe Application /rd:false /f:text and I get an output as shown below. After some time new event logs could have been generated and I want to read only these new event logs, i.e. Event[2], Event[3], Event[4] etc.

How can I use wevtutil tool to generate only these new event logs?

Event[0]:

  • Log Name: Application
  • Source: Microsoft-Windows-LoadPerf
  • Date: 2016-04-21T23:15:16.832
  • Event ID: 1000
  • Task: N/A
  • Level: Information
  • Opcode: Info
  • Keyword: N/A
  • User: S-1-5-18
  • User Name: NT AUTHORITY\SYSTEM
  • Computer: WIN-IONOGQTF9O5
  • Description: Performance counters for the WmiApRpl (WmiApRpl) service were loaded successfully. The Record Data in the data section contains the new index values assigned to this service.

Event[1]:

  • Log Name: Application
  • Source: Microsoft-Windows-LoadPerf
  • Date: 2016-04-21T23:15:13.097
  • Event ID: 3011
  • Task: N/A
  • Level: Information
  • Opcode: Info
  • Keyword: N/A
  • User: S-1-5-18
  • User Name: NT AUTHORITY\SYSTEM
  • Computer: WIN-IONOGQTF9O5
  • Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.

/rd:false will read the oldest first so if you're looking for newest it may not be the best query.

I'm not aware of a read/unread tag for eventlogs, you could create a custom object and add one but that may not be the best way to go around it.

You can also do the below

$lastRanDate = "2018-11-30T17:20:55" ## import from a txt file
$date = Get-Date -UFormat %Y-%m-%dT%H:%M:%S
## Gets the current date and formats it like the following example: 2018-12-01T17:17:45
$difference = New-TimeSpan -Start $lastRanDate -End $date
## Calculate the difference between the start time and the end time
$difference = [int64]$difference.TotalMilliseconds
## timediff() works in milliseconds, so use a whole number in the XPath query
wevtutil epl Application "C:\Users\Pipastrilo\Desktop\appTest.evtx" /q:"*[System[TimeCreated[timediff(@SystemTime) <= $difference]]]"
## exportLog logName Path query (TimeCreated between now and HowManyMillisecondsAgo)

$lastRanDate = $date
## export $lastRanDate for future searches

wevtutil is not PowerShell so I was misled. However, you could just do this:

Get-EventLog -LogName Application -After (Get-Date).AddDays(-1)
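Both answers above select "new" events by time, which has two weaknesses for an incremental collector: a timestamp bookmark can miss events written in the same second as the previous run, and it re-reads events whenever the clock is adjusted. The following PowerShell script is an added example (not code from the question or either answer) that uses the EventRecordID as the bookmark instead. Record IDs increase monotonically within a log, so the query `*[System[EventRecordID > N]]` returns exactly the events written since the last run. The state-file location is an assumption; everything else is standard wevtutil and PowerShell syntax.

```powershell
# Added example: incremental read of the Application log with wevtutil,
# bookmarked by EventRecordID rather than by timestamp.
# Assumed state-file path; any writable location works.
$StateFile = Join-Path $env:ProgramData 'wevtutil-bookmark-Application.txt'
$LogName   = 'Application'

# Load the last record ID processed; 0 means "start from the oldest event".
$lastRecordId = [int64]0
if (Test-Path $StateFile) {
    $lastRecordId = [int64](Get-Content $StateFile -Raw).Trim()
}

# wevtutil's /q: takes the same XPath subset that Event Viewer's filter uses.
# EventRecordID is the per-log sequence number shown in the XML view.
$query = "*[System[EventRecordID > $lastRecordId]]"

# /f:xml emits one <Event> element per line, which is easy to parse;
# /rd:false keeps oldest-first order so the last element is the newest.
$lines = & wevtutil qe $LogName "/q:$query" /f:xml /rd:false
if ($LASTEXITCODE -ne 0) { throw "wevtutil failed with exit code $LASTEXITCODE" }

$newest = $lastRecordId
foreach ($line in $lines) {
    if ([string]::IsNullOrWhiteSpace($line)) { continue }
    $xml = [xml]$line
    $sys = $xml.Event.System

    $recordId = [int64]$sys.EventRecordID
    if ($recordId -gt $newest) { $newest = $recordId }

    # <EventID> carries a Qualifiers attribute for classic providers, in which
    # case PowerShell returns an XmlElement instead of a plain string.
    $eventId = $sys.EventID
    if ($eventId -is [System.Xml.XmlElement]) { $eventId = $eventId.InnerText }

    # One summary line per new event; replace this with whatever the
    # collector does with events (write to a file, forward to a SIEM, ...).
    '{0} {1} {2} EventID={3}' -f $recordId, $sys.TimeCreated.SystemTime, $sys.Provider.Name, $eventId
}

# Persist the bookmark only after every new event was handled, so a crash
# mid-run re-reads the same events next time instead of silently losing them.
Set-Content -Path $StateFile -Value $newest
```

Run it once to initialise the bookmark file (it will print the whole log), then schedule it; each later run prints only Event[N] entries with a record ID above the saved value. The same XPath works unchanged with `Get-WinEvent -LogName Application -FilterXPath $query` if you prefer the PowerShell cmdlet to wevtutil, and with `wevtutil epl ... /q:$query` if you want the delta exported to an .evtx file as in the first answer.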