Event filter for command line WEVTUTIL on Vista

Thread starter: Hong

Hong

Hi

Any update on the functionality of the command WEVTUTIL in Vista regarding:

1. using a filter range for EventID such as "8194,8211" or "8194-8211",
where syntax such as >=8194 and <=8211 is not valid

2. using a negative filter range such as "-8194"

I tried the above on Vista SP1 and they all failed. The file
WEVTUTIL.EXE is version 6.0.6001.18000.

Thanks for any help.


Hong
 
Playing around revealed inconsistencies between the XML syntax and this
command line's:

1. For simple filtering, WEVTUTIL does not need double-quoting for the /q switch:

wevtutil qe system /rd:true /f:text /q:*[System[(Level=2)]]

but the following would fail with a range:

wevtutil qe system /rd:true /f:text /q:*[System[(Level=1 or Level=2)]]

and this one works:

wevtutil qe system /rd:true /f:text /q:"*[System[(Level=1 or Level=2)]]"

Note that PowerShell always needs double-quoting for the /q switch to work.

2. For Boolean operations:

XML showed: *[System[((EventID >=8194 and EventID <=8211))]]

but the command line needs:

wevtutil.exe qe application /rd:true /f:text /q:"*[System[((EventID > 8194 and EventID < 8211))]]"


Hong
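The two things asked for in this thread (an EventID range and excluding a single EventID) can both be expressed in the XPath 1.0 subset that the Windows event log accepts, and the quoting trouble goes away when the /q value is passed as a separate argv element instead of being typed into cmd.exe. The following is an added example written for this page, not code from the thread or from Microsoft; it assumes wevtutil.exe is on PATH, that `!=`, `>=` and `<=` are accepted inside `System[...]` (as they are in the event log XPath subset), and it uses constructed sample event IDs so the selection rules can be checked without a Windows machine.

```python
# Added example (not from the thread): build wevtutil /q XPath filters for
# EventID ranges and exclusions, and run them without cmd.exe quoting traps.
import subprocess
from typing import Iterable, List, Sequence, Tuple

IdRange = Tuple[int, int]  # inclusive (low, high)


def event_id_predicate(ranges: Sequence[IdRange], exclude: Iterable[int] = ()) -> str:
    """Return an XPath filter selecting events whose EventID lies in any of
    `ranges` and is not listed in `exclude`.

    The event log XPath subset accepts =, !=, <, <=, >, >= and and/or inside
    System[...], so "8194-8211" becomes (EventID>=8194 and EventID<=8211) and
    "-8194" becomes EventID!=8194 (assumption stated in the lead-in).
    """
    included = []
    for low, high in ranges:
        if low > high:
            raise ValueError(f"bad range {low}-{high}")
        included.append(f"EventID={low}" if low == high
                        else f"(EventID>={low} and EventID<={high})")
    clauses: List[str] = []
    if included:
        clauses.append("(" + " or ".join(included) + ")")
    clauses.extend(f"EventID!={eid}" for eid in exclude)
    if not clauses:
        raise ValueError("empty filter: give at least one range or exclusion")
    return "*[System[" + " and ".join(clauses) + "]]"


def wevtutil_args(log: str, xpath: str, newest_first: bool = True,
                  fmt: str = "text") -> List[str]:
    """argv for subprocess.  Passing a list lets Python quote the /q value
    (spaces and brackets included) when it builds the Windows command line,
    so the double-quoting rules from the thread do not have to be hand-applied."""
    return ["wevtutil", "qe", log,
            f"/rd:{str(newest_first).lower()}",
            f"/f:{fmt}",
            f"/q:{xpath}"]


def query_events(log: str, xpath: str) -> str:
    """Run the query and return wevtutil's text output (Windows only)."""
    result = subprocess.run(wevtutil_args(log, xpath),
                            capture_output=True, text=True, check=True)
    return result.stdout


def matches(event_id: int, ranges: Sequence[IdRange],
            exclude: Iterable[int] = ()) -> bool:
    """Python mirror of event_id_predicate's selection rule, so the range and
    exclusion semantics can be checked offline against constructed IDs."""
    in_range = any(low <= event_id <= high for low, high in ranges)
    return in_range and event_id not in set(exclude)


# Constructed sample EventIDs: the thread's 8194-8211 boundary values plus
# one inside the range and one on each side of it.
SAMPLE_IDS = [8193, 8194, 8200, 8211, 8212]


def select_sample(ranges: Sequence[IdRange], exclude: Iterable[int] = ()) -> List[int]:
    """Apply the same rule to the constructed sample and return the matches."""
    excluded = set(exclude)
    return [eid for eid in SAMPLE_IDS if matches(eid, ranges, excluded)]


if __name__ == "__main__":
    xpath = event_id_predicate([(8194, 8211)], exclude=[8200])
    print("XPath :", xpath)
    print("argv  :", wevtutil_args("Application", xpath))
    print("sample:", select_sample([(8194, 8211)], exclude=[8200]))
```

From cmd.exe the same query has to be typed with the whole /q value in double quotes, exactly as the thread shows; from PowerShell the quotes are also required. Within Python the list form avoids both cases.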
 