PsLogList (SysInternals)

Event log records

Syntax
      psloglist [- ] [\\computer[,computer[,...] | @file
         [-u user [-p passwd]]] [-s [-t delim]]
            [-m #|-n #|-h #|-d #|-w]
               [-c][-x][-r][-a mm/dd/yy][-b mm/dd/yy]
                  [-f filter] [-i ID[,ID[,...] | -e ID[,ID[,...]]]
                     [-o event source[,event source][,..]]]
                        [-q event source[,event source][,..]]]
                           [-l [event_log_file] <eventlog>

Options:

   computer   The computer on which the log resides. Default=local system 

   -p passwd  Specify a password for user (optional). Passed as clear text.
              If omitted, you will be prompted to enter a hidden password.

   -u user    Specify a user name for login to the remote computer (optional).

   @file      Execute the command on each of the computers listed in the file.

   -a         Dump records timestamped after specified date.

   -b         Dump records timestamped before specified date.

   -c         Clear the event log after displaying.

   -d #       Only display records from previous # days.

   -e ID      Exclude events with the specified ID or IDs (up to 10).

   -f filter  Filter event types with filter string (e.g. "-f w" to filter warnings).

   -h #       Only display records from previous # hours.

   -i ID      Show only events with the specified ID or IDs (up to 10).

   -l [event_log_file] <eventlog>  Dump records from the specified event log/file.

   -m #       Only display records from previous # minutes.

   -n #       Only display # number of most recent entries.

   -o event source
              Show only records from the specified event source (e.g. "-o cdrom").

   -q event source
              Omit records from the specified event source or sources (e.g. "-q cdrom").

   -r         Dump log from least recent to most recent.

   -s         Print Event Log records one-per-line, with comma delimited fields.
              This format is convenient for text searches, e.g. psloglist | findstr /i text
              and for importing the output into a spreadsheet.

   -t delim   The default delimiter is a comma, but it can be overridden with the specified character.

   -w         Wait for new events, dumping them as they generate (local system only).

   -x         Dump extended data.

   eventlog   application, system or security; only the first few letters need be given.
              default=system log.

   -accepteula Suppress the display of the license dialog.

If your current security credentials would not permit access to the Event Log, specify a different username ( -u user ).

When installing psLogList.exe just ensure it is placed somewhere in either the system PATH or in the current directory.

When launched for the first time, PsLogList will create the regkey
HKCU\Software\Sysinternals\PsLogList\EulaAccepted=0x01

Examples

List everything in the application event log on \\workstation64 from the last 24 hours:

psloglist \\workstation64 -h 24 application
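A longer worked example, added here and not part of the SS64 page or of Sysinternals: collect Security-log records from every computer listed in a file (the @file form), keep only a few event IDs from the last 24 hours, write them one-per-line with a non-comma delimiter (-s -t), then parse and summarise the result. It assumes psloglist.exe is on the PATH, a file hosts.txt with one computer name per line, that the message is the last field of each -s record, and an assumed column layout in $FieldNames; the event IDs 4624/4625/4672 are Windows logon-related IDs chosen for illustration. Check the layout against one line of your own "psloglist -s" output before relying on the parsed fields.

```powershell
# Added example (not from SS64 or Sysinternals). Assumptions: psloglist.exe on the PATH,
# hosts.txt with one computer per line, message is the last field of a -s record, and the
# column order in $FieldNames (verify against real output and adjust if it differs).

$HostFile  = '.\hosts.txt'
$RawFile   = '.\security-24h.txt'
$Delim     = '|'                      # -t: commas often occur inside message text
$WantedIds = '4624,4625,4672'         # -i takes up to 10 IDs; logon-related IDs for illustration

# 1. Collection: Security log, last 24 hours, chosen IDs, one record per line.
#    -accepteula keeps the first run non-interactive. No -p is given: the caller's own
#    credentials are used, or add "-u DOMAIN\user" and let psloglist prompt for the password
#    rather than passing it in clear text on the command line.
& psloglist.exe -accepteula "@$HostFile" -h 24 -i $WantedIds -s -t $Delim security |
    Out-File -FilePath $RawFile -Encoding utf8

# 2. Parsing: split each record on the delimiter, capping the number of pieces so that a
#    delimiter appearing inside the message does not shift the fixed columns.
$FieldNames = 'Log','Record','Type','Source','Computer','Time','EventId','User','Message'
$Pattern    = [regex]::Escape($Delim)

$Records = Get-Content $RawFile |
    Where-Object { $_ -match $Pattern } |                    # skip the banner and blank lines
    ForEach-Object {
        $parts = $_ -split $Pattern, $FieldNames.Count       # at most N pieces; rest stays in Message
        if ($parts.Count -ne $FieldNames.Count) { return }   # malformed line: skip, do not mis-assign
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $FieldNames.Count; $i++) { $obj[$FieldNames[$i]] = $parts[$i] }
        [pscustomobject]$obj
    }

# 3. Summaries a reviewer would look at first: failed logons (4625) per computer,
#    then every collected event counted by ID and source.
$Records | Where-Object EventId -eq '4625' |
    Group-Object Computer | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

$Records | Group-Object EventId, Source | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
```

The delimiter is changed from the default comma because event messages routinely contain commas, which would break a naive split; capping the split count keeps any delimiter inside the message from shifting the earlier columns. The raw file is kept so the same records can be re-parsed or imported into a spreadsheet later, and -c (clear the log after displaying) is deliberately not used.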

“Events, dear boy, events” ~ British Prime Minister Harold Macmillan (answer to 'what is the biggest problem in politics'?)

Related commands

WECUTIL - Windows Event Collector Utility.
Equivalent bash command (Linux): Logs are in plain ASCII text.


 
Copyright © 1999-2024 SS64.com
Some rights reserved