
wevtutil

Query, export, clear, and manage Windows Event Log channels from the command line — the primary CLI for event log automation, log archiving, and scripted log analysis on Windows.

wevtutil — Windows Event Log Manager

What it is

wevtutil (Windows Events Utility) is the built-in command-line tool for working with Windows Event Log channels. It can enumerate channels and publishers, query events with XPath or structured XML filters, export logs to .evtx files, clear channels, and install or uninstall event manifest files. It replaces older tools like eventquery.vbs and is the scripting equivalent of Event Viewer (eventvwr.msc). In PowerShell, Get-WinEvent covers querying and Clear-EventLog covers clearing; wevtutil itself is also commonly called directly from PowerShell. Most write operations require Administrator privileges.

Availability

wevtutil ships as C:\Windows\System32\wevtutil.exe on Windows Vista and later.

cmd
wevtutil /?

Output:

text
Windows Events Command Line Utility.

Enables you to retrieve information about event logs and publishers, install
and uninstall event manifests, run queries, and export, archive, and clear logs.

Usage:

You can use either the short (for example, ep /uni) or long (for example,
enum-publishers /unicode) version of the command and option names.

wevtutil COMMAND [ARGUMENT [ARGUMENT] ...] [/OPTION:VALUE [/OPTION:VALUE] ...]

Commands:

el | enum-logs          List log names.
gl | get-log            Get log configuration information.
sl | set-log            Modify configuration of a log.
ep | enum-publishers    List event publishers.
gp | get-publisher      Get publisher configuration information.
im | install-manifest   Install event publishers and logs from manifest.
um | uninstall-manifest Uninstall event publishers and logs from manifest.
qe | query-events       Query events from a log or log file.
gli | get-log-info      Get log status information.
epl | export-log        Export a log.
al | archive-log        Archive an exported log.
cl | clear-log          Clear a log.

Syntax

cmd
wevtutil <command> [argument] [/option:value ...]

Output: (varies by command)

Essential commands

Command | Short | Meaning
--- | --- | ---
enum-logs | el | List all event log channel names
get-log | gl | Show configuration of a log channel
get-log-info | gli | Show size, record count, and timestamps for a log
query-events | qe | Query events from a channel or .evtx file
export-log | epl | Export a channel to an .evtx file
clear-log | cl | Clear all events from a channel
set-log | sl | Change log configuration (max size, retention)

Listing event log channels

wevtutil el lists all registered event log channel names — there are usually hundreds. Pipe to findstr to filter; findstr treats space-separated search strings as alternatives, and /X restricts matches to whole lines.

cmd
wevtutil el | findstr /I /X "System Application Security"

Output:

text
Application
Security
System

Getting log information

wevtutil gli shows the current record count, file size, oldest and newest record times for a channel — useful for checking log growth or confirming that events are being written.

cmd
wevtutil gli System

Output:

yaml
creationTime: 2026-01-01T00:00:00.000Z
lastAccessTime: 2026-04-28T12:34:56.789Z
lastWriteTime: 2026-04-28T12:34:45.123Z
fileSize: 20971520
attributes: 32
numberOfLogRecords: 15823
oldestRecordNumber: 1

Querying events

wevtutil qe retrieves events matching an XPath filter expression. The /q: option takes an XPath 1.0 query; /c: limits the number of events returned; /rd:true reads from newest to oldest; /f:text renders human-readable text output.

cmd
wevtutil qe System /q:"*[System[(Level=1 or Level=2) and TimeCreated[timediff(@SystemTime) <= 86400000]]]" /c:5 /rd:true /f:text

Output:

yaml
Event[0]:
  Log Name: System
  Source: Service Control Manager
  Date: 2026-04-28T11:22:33.456Z
  Event ID: 7036
  Task: None
  Level: Information
  Opcode: Info
  Keyword: Classic
  User: N/A
  User Name: N/A
  Computer: MYHOST
  Description:
  The Print Spooler service entered the stopped state.

Filtering by Event ID

XPath queries can target specific Event IDs. Combine conditions with and/or.

cmd
wevtutil qe Security "/q:*[System[(EventID=4624)]]" /c:3 /rd:true /f:text

Output:

yaml
Event[0]:
  Log Name: Security
  Source: Microsoft-Windows-Security-Auditing
  Date: 2026-04-28T09:15:00.000Z
  Event ID: 4624
  Level: Information
  Description:
  An account was successfully logged on.
  ...

Exporting a log to a file

wevtutil epl copies a channel's events to an .evtx file for archiving, transport, or offline analysis in Event Viewer. Requires Administrator for Security and System channels.

cmd
wevtutil epl System C:\Logs\System_%COMPUTERNAME%.evtx

Output:

text
(none — exits 0 on success)

Query the exported file:

cmd
wevtutil qe C:\Logs\System_MYHOST.evtx /lf:true /c:5 /rd:true /f:text

Output:

text
Event[0]:
  Log Name: System
  ...

Clearing a log

wevtutil cl removes all events from a channel. Optionally save the current events to an .evtx archive first. This is irreversible — deleted events cannot be recovered.

cmd
rem Archive then clear
wevtutil epl Application C:\Logs\Application_before_clear.evtx
wevtutil cl Application

Output:

text
(none — exits 0 on success)
(none — exits 0 on success)

Changing log configuration

wevtutil sl modifies channel properties — most commonly the maximum file size (in bytes) and what happens when the log fills (/rt:false = overwrite oldest, which is the default for most channels).

cmd
rem Set Application log to 100 MB max, overwrite oldest events when full
wevtutil sl Application /ms:104857600 /rt:false

Output:

text
(none — exits 0 on success)

Channel taxonomy

Windows ships hundreds of channels but they all fall into four categories. Understanding the taxonomy makes it easier to pick the right channel for a query and to predict permissions.

Channel type | Examples | Default state | Notes
--- | --- | --- | ---
Classic (Windows Logs) | System, Application, Security, Setup, ForwardedEvents | Enabled | The five legacy channels visible at the top of Event Viewer; large, append-only
Admin | Microsoft-Windows-PowerShell/Admin, Microsoft-Windows-Kernel-EventTracing/Admin | Enabled | Permanent record of issues that need attention; readable by users in Event Log Readers
Operational | Microsoft-Windows-PowerShell/Operational, Microsoft-Windows-TaskScheduler/Operational | Enabled (most) | Routine operational events; safe to query for diagnostics
Analytic / Debug | Microsoft-Windows-Kernel-Process/Analytic | Disabled | High-volume traces; must be enabled with wevtutil sl /e:true and viewed via Event Viewer → View → Show Analytic and Debug Logs

cmd
rem List every channel except Analytic/Debug ones (findstr takes space-separated alternatives)
wevtutil el | findstr /V "Analytic Debug" > C:\Logs\enabled-channels.txt

Output: (one channel name per line written to file)

cmd
rem Find every Microsoft-Windows-PowerShell channel
wevtutil el | findstr /I "PowerShell"

Output:

code
Microsoft-Windows-PowerShell/Admin
Microsoft-Windows-PowerShell/Operational
PowerShellCore/Operational
Windows PowerShell

XPath query reference

XPath is the filter language for wevtutil qe. The supported subset is XPath 1.0 with two custom functions — timediff() for time-based queries and band() for bitmask matching. Every query operates on the Event root, with three children: System (always present, with Provider, EventID, Level, TimeCreated, Computer, etc.), EventData (named data fields), and UserData (less common).

System-element queries

System holds the well-known event metadata. These are the most common filter targets.

cmd
rem Single Event ID
wevtutil qe System /q:"*[System[EventID=7036]]" /c:5 /rd:true /f:text

Output:

yaml
Event[0]:
  Log Name: System
  Event ID: 7036
  Description: The Print Spooler service entered the running state.

cmd
rem Range of Event IDs (combine the lower and upper bound with and)
wevtutil qe System /q:"*[System[(EventID>=1000 and EventID<=1100)]]" /c:3 /f:text

Output:

yaml
Event[0]:
  Event ID: 1014
  Source: DNS Client Events
  ...

cmd
rem Filter by Level — 1=Critical, 2=Error, 3=Warning, 4=Information, 5=Verbose
wevtutil qe System /q:"*[System[(Level=1 or Level=2)]]" /c:5 /f:text

Output:

yaml
Event[0]:
  Level: Error
  Event ID: 7034
  Description: The XYZ service terminated unexpectedly.

cmd
rem Filter by Provider name
wevtutil qe System /q:"*[System[Provider[@Name='Microsoft-Windows-Kernel-Power']]]" /c:5 /f:text

Output:

yaml
Event[0]:
  Source: Microsoft-Windows-Kernel-Power
  Event ID: 41
  Description: The system has rebooted without cleanly shutting down first.

Time-based queries with timediff()

timediff(@SystemTime) returns the number of milliseconds between the event time and the moment the query was evaluated. Always compare with <= for "last N ms" filters.

cmd
rem Last 15 minutes (900,000 ms)
wevtutil qe System /q:"*[System[TimeCreated[timediff(@SystemTime) <= 900000]]]" /c:5 /f:text

Output:

text
Event[0]:
  Log Name: System
  Source: Service Control Manager
  Date: 2026-05-25T09:10:14.812
  Event ID: 7036
  Description: The Windows Update service entered the running state.

cmd
rem Last 24 hours (86,400,000 ms)
wevtutil qe Application /q:"*[System[TimeCreated[timediff(@SystemTime) <= 86400000]]]" /c:10 /f:text

Output:

text
Event[0]:
  Log Name: Application
  Source: MsiInstaller
  Date: 2026-05-24T22:14:08.402
  Event ID: 1033
  Description: Windows Installer installed the product. Product Name: 7-Zip.

cmd
rem Absolute time window (UTC, ISO 8601)
wevtutil qe System /q:"*[System[TimeCreated[@SystemTime>='2026-05-24T00:00:00.000Z' and @SystemTime<='2026-05-24T23:59:59.999Z']]]" /f:text

Output:

text
Event[0]:
  Log Name: System
  Source: Microsoft-Windows-Kernel-General
  Date: 2026-05-24T07:30:01.118
  Event ID: 12
  Description: The operating system started at system time 2026-05-24T07:30:01.000000000Z.

EventData-element queries

EventData holds per-event payload fields. Each Data child has a Name attribute identifying the field — use EventData[Data[@Name='Field']='Value'] to match.

cmd
rem 4624 logon by a specific account
wevtutil qe Security "/q:*[System[(EventID=4624)] and EventData[Data[@Name='TargetUserName']='alicedev']]" /c:5 /f:text

Output:

yaml
Event[0]:
  Event ID: 4624
  Description:
  An account was successfully logged on.
  Account Name: alicedev

cmd
rem 4625 failed logons from a specific source IP
wevtutil qe Security "/q:*[System[EventID=4625] and EventData[Data[@Name='IpAddress']='192.0.2.50']]" /c:5 /f:text

Output:

text
Event[0]:
  Event ID: 4625
  Description:
  An account failed to log on.
  Account Name: alicedev
  Source Network Address: 192.0.2.50
  Failure Reason: Unknown user name or bad password.

Bitmask filters with band()

band(value, mask) performs a bitwise AND of value and mask and is true when the result is non-zero (that is, when the two share at least one set bit). This is how you filter keyword bitmasks such as the Security audit categories.

cmd
rem Security audit failures only (Keywords contains 0x10000000000000)
wevtutil qe Security /q:"*[System[band(Keywords,4503599627370496)]]" /c:5 /f:text

Output:

text
Event[0]:
  Event ID: 4625
  Description: An account failed to log on.
  Keywords: 0x8010000000000000
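The filters in this reference can be generated instead of hand-typed. The following Python helper is an added example, not code from the page: it assembles /q: strings that reproduce the page's own queries, converts durations into the milliseconds timediff() expects, formats absolute windows as UTC @SystemTime literals, and rejects quote characters because XPath 1.0 literals cannot escape them. The names build_xpath, wevtutil_qe, AUDIT_SUCCESS and AUDIT_FAILURE are assumptions of this example.

```python
"""Build wevtutil qe /q: XPath filters from parameters (added example, not from the page)."""
from datetime import datetime, timedelta, timezone

# Security keyword bits the page filters with band(); Audit Failure = 0x10000000000000.
AUDIT_SUCCESS = 0x20000000000000
AUDIT_FAILURE = 0x10000000000000


def _literal(value: str) -> str:
    """XPath 1.0 has no escape inside quoted literals, so refuse quotes rather than let a
    value copied from untrusted input (a username, a hostname) break or widen the filter."""
    if "'" in value or '"' in value:
        raise ValueError(f"quote character not allowed in XPath literal: {value!r}")
    return value


def _iso_ms(dt: datetime) -> str:
    """@SystemTime literal: UTC, millisecond precision, trailing Z (as in the page's examples)."""
    if dt.tzinfo is None:
        raise ValueError("use a timezone-aware datetime; a naive value is ambiguous")
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S") + f".{dt.microsecond // 1000:03d}Z"


def build_xpath(event_ids=None, levels=None, provider=None, keywords_mask=None,
                last=None, start: datetime = None, end: datetime = None, data: dict = None) -> str:
    """Assemble *[System[...] and EventData[...]]. event_ids and levels are OR-ed with each
    other; all other predicates are AND-ed, in System-element order. `last` is a timedelta
    or a number of seconds; `data` maps EventData field names to required values."""
    sys_terms = []
    if provider:
        sys_terms.append(f"Provider[@Name='{_literal(provider)}']")
    if event_ids:
        sys_terms.append("(" + " or ".join(f"EventID={int(i)}" for i in event_ids) + ")")
    if levels:
        sys_terms.append("(" + " or ".join(f"Level={int(v)}" for v in levels) + ")")
    if keywords_mask:
        sys_terms.append(f"band(Keywords,{int(keywords_mask)})")
    if last is not None:
        # timediff() is in milliseconds: one hour is 3600000, not 3600 (pitfall 6).
        secs = last.total_seconds() if isinstance(last, timedelta) else float(last)
        sys_terms.append(f"TimeCreated[timediff(@SystemTime) <= {int(secs * 1000)}]")
    if start or end:
        bounds = [f"@SystemTime>='{_iso_ms(start)}'"] if start else []
        if end:
            bounds.append(f"@SystemTime<='{_iso_ms(end)}'")
        sys_terms.append("TimeCreated[" + " and ".join(bounds) + "]")
    parts = []
    if sys_terms:
        parts.append("System[" + " and ".join(sys_terms) + "]")
    if data:
        parts.append("EventData[" + " and ".join(
            f"Data[@Name='{_literal(k)}']='{_literal(str(v))}'" for k, v in data.items()) + "]")
    return "*[" + " and ".join(parts) + "]" if parts else "*"


def wevtutil_qe(channel: str, xpath: str, count: int = None, newest_first=False,
                text=True, logfile=False) -> str:
    """Render the full command line. The XPath is wrapped in double quotes because it uses
    single quotes internally and contains spaces and parentheses."""
    argv = ["wevtutil", "qe", channel, f'/q:"{xpath}"']
    if logfile:
        argv.append("/lf:true")   # source is an exported .evtx, not a channel (pitfall 4)
    if count:
        argv.append(f"/c:{count}")
    if newest_first:
        argv.append("/rd:true")
    if text:
        argv.append("/f:text")
    return " ".join(argv)


if __name__ == "__main__":
    print(wevtutil_qe("Security", build_xpath(event_ids=[4625], last=timedelta(hours=1)),
                      count=5, newest_first=True))
```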

set-log: configuring channel behavior

set-log (alias sl) changes channel-level settings — most often max size, retention behavior, enabled state, and log file path. Each option is passed as /<name>:<value>.

Option | Meaning | Typical value
--- | --- | ---
/e:{true,false} | Enable or disable the channel | true for Analytic/Debug
/q:{true,false} | Quiet mode: suppress confirmation prompts (needed when enabling Analytic/Debug channels from a script) | true
/ms:<bytes> | Maximum log file size in bytes | 104857600 (100 MB)
/rt:{true,false} | Retain entries (no overwrite) when full | false (default: circular)
/ab:{true,false} | AutoBackup when log fills | true for forensic logs
/lfn:<path> | Log file name (full path including .evtx) | D:\Logs\Custom.evtx
/ca:<SDDL> | Channel access SDDL string | restrict to admins
/l:<level> | Logging level | 4 (Information)

cmd
rem 250 MB log, archive on full
wevtutil sl Application /ms:262144000 /ab:true /rt:false

Output: (none — exits 0 on success)

cmd
rem Move a log to a faster disk
wevtutil sl Microsoft-Windows-Sysmon/Operational /lfn:D:\Logs\Sysmon.evtx

Output: (none — exits 0 on success)

cmd
rem Enable an Analytic channel that's off by default
wevtutil sl Microsoft-Windows-Kernel-Process/Analytic /e:true /q:true /ms:33554432

Output: (none — exits 0 on success)

cmd
rem Inspect current settings
wevtutil gl System

Output:

yaml
name: System
enabled: true
type: Admin
owningPublisher:
isolation: System
channelAccess: O:BAG:SYD:(A;;0x2;;;S-1-15-2-1) ...
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\System.evtx
  retention: false
  autoBackup: false
  maxSize: 20971520
publishing:
  fileMax: 1

Publishers and manifests

A publisher is an event source — typically a binary that ships with an instrumentation manifest (.man). enum-publishers lists every registered publisher; get-publisher shows its channels, levels, keywords, and message strings. install-manifest / uninstall-manifest add or remove a publisher (used by application installers).

cmd
rem List all publishers (filter to find a vendor)
wevtutil ep | findstr /I "sysmon defender"

Output:

code
Microsoft-Windows-Sysmon
Microsoft-Windows-Windows Defender

cmd
rem Inspect a publisher's channels and events
wevtutil gp Microsoft-Windows-Sysmon

Output:

yaml
name: Microsoft-Windows-Sysmon
guid: 5770385f-c22a-43e0-bf4c-06f5698ffbd9
helpLink: ...
resourceFileName: C:\Windows\Sysmon64.exe
messageFileName: C:\Windows\Sysmon64.exe
channels:
  channel:
    name: Microsoft-Windows-Sysmon/Operational
    id: 16
    flags: 0
    enabled: true
events:
  event:
    value: 1
    version: 5
    opcode: win:Info
    template: ProcessCreate
    keywords: ...

cmd
rem Install / uninstall a manifest (typically run by setup scripts)
wevtutil im "C:\Program Files\MyApp\MyApp.man" /rf:"C:\Program Files\MyApp\MyApp.dll" /mf:"C:\Program Files\MyApp\MyApp.dll"
wevtutil um "C:\Program Files\MyApp\MyApp.man"

Output: (none — exits 0 on success)

archive-log: finalizing exported logs

archive-log (alias al) embeds the publisher metadata into a .evtx file so it can be opened on a machine that doesn't have the original publisher installed. Use this on exports going to forensic analysts or off-box investigators.

cmd
wevtutil epl Security C:\Logs\Security.evtx
wevtutil al C:\Logs\Security.evtx /l:en-US

Output: (none — exits 0 on success)

The archived file is roughly 10–30% larger than the raw export but is fully self-contained.

Remote queries with /r

Most wevtutil verbs accept /r:<remote-host>, /u:<user>, and /p:<password> to operate against another machine. Omit /p: (or pass /p:*) to be prompted for the password instead of leaving it in the console history. The Remote Event Log Management firewall rule must be enabled on the target.

cmd
rem Enable the firewall rule on the target first (run on target)
netsh advfirewall firewall set rule group="remote event log management" new enable=yes

Output:

text
Updated 3 rule(s).
Ok.

cmd
rem Query a remote channel
wevtutil qe System /r:myhost /u:DOMAIN\alicedev /p:s3cr3t /c:5 /f:text

Output:

text
Event[0]:
  Log Name: System
  Source: Service Control Manager
  Date: 2026-05-25T08:00:14.402
  Event ID: 7045
  Description: A service was installed in the system.

cmd
rem Export a remote log to a local share
wevtutil epl Application \\fileserver\evtx\app_%COMPUTERNAME%.evtx /r:myhost /u:DOMAIN\alicedev /p:s3cr3t

Output: (none — exits 0 on success)

cmd
rem Inspect a remote channel's settings
wevtutil gl Security /r:myhost

Output: (settings block for the remote channel)

Get-WinEvent — PowerShell equivalent

PowerShell's Get-WinEvent is the modern, object-returning counterpart to wevtutil qe. It accepts XPath via -FilterXPath, structured hash-tables via -FilterHashtable, and full XML via -FilterXml. The objects it returns expose .Properties, .Message, .TimeCreated, and .RecordId directly — far easier to chain into Where-Object and Select-Object than parsing wevtutil /f:text.

Basic queries with -FilterHashtable

The hash-table form is the fastest filter — it pushes the predicate down into the Windows Event Log API.

powershell
# Last 50 errors from the System log
Get-WinEvent -FilterHashtable @{
    LogName  = 'System'
    Level    = 1, 2          # 1=Critical, 2=Error
} -MaxEvents 50 |
    Select-Object TimeCreated, Id, ProviderName, Message

Output:

text
TimeCreated         Id  ProviderName              Message
-----------         --  ------------              -------
5/24/2026 10:14:22  7034 Service Control Manager  The XYZ service terminated unexpectedly.
5/24/2026 10:10:11  41   Microsoft-Windows-Kernel The system has rebooted without cleanly shutting down first.

powershell
# Failed logons in the last hour
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-1)
}

powershell
# Events from a specific provider
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Application Error'
}

XPath form

When the hash-table form can't express the filter (e.g. EventData field matching), fall back to XPath — same syntax as wevtutil.

powershell
Get-WinEvent -LogName Security -FilterXPath @'
    *[System[EventID=4624] and
      EventData[Data[@Name='TargetUserName']='alicedev']]
'@ -MaxEvents 10

Reading .evtx files

powershell
# Same as wevtutil qe /lf:true
Get-WinEvent -Path C:\Logs\System.evtx -MaxEvents 20

Get-EventLog (legacy)

Get-EventLog is the older cmdlet that pre-dates Get-WinEvent and only works against the classic channels (System, Application, Security, Setup). It's faster for simple queries but cannot read the modern Microsoft-Windows-* channels.

powershell
Get-EventLog -LogName System -EntryType Error -Newest 20
Get-EventLog -LogName Application -After (Get-Date).AddDays(-1) -Source "Application Error"

Clear-EventLog

powershell
# PowerShell equivalent of wevtutil cl
Clear-EventLog -LogName Application

Counting events

powershell
# How many critical/error events in the last 24h?
(Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Level     = 1, 2
    StartTime = (Get-Date).AddDays(-1)
}).Count

Output: 12

Common pitfalls

  1. Security and System channels require elevation: querying these channels as a standard user returns Access is denied; right-click cmd.exe → Run as administrator.
  2. XPath syntax is strict: malformed XPath produces The parameter is incorrect; test queries in Event Viewer's Custom Views → Filter Current Log → XML tab first, then copy the <Select> body into wevtutil /q:.
  3. /f:text is needed for human-readable output: the default format is XML; always add /f:text for scripting or human review.
  4. /lf:true is required to query .evtx files: when querying an exported file, add /lf:true (log file mode); omitting it causes a channel-not-found error.
  5. cl is permanent: wevtutil cl has no undo; always export first with epl if the events might be needed for forensics or compliance.
  6. timediff() is millisecond-based, not seconds: a common bug is passing 3600 for "last hour" instead of 3600000. The query silently returns zero events.
  7. Channel access SDDL can lock you out: wevtutil sl /ca: accepts an SDDL string; if you specify one without (A;;0xf;;;BA) granting Administrators full access you'll be unable to read the channel even when elevated. Reset with wevtutil sl <channel> /ca:"".
  8. Disabled Analytic / Debug channels return zero events: wevtutil qe Microsoft-Windows-Kernel-Process/Analytic silently returns nothing until you sl /e:true the channel first.
  9. epl does not include the publisher manifest: exported .evtx files opened on a machine without the publisher show "the description for Event ID cannot be found". Run wevtutil al after epl to embed the manifest.
  10. wevtutil and Get-WinEvent use different caches: after toggling a channel with sl /e:true, run wevtutil queries within the same console; PowerShell's Get-WinEvent may need a process restart to pick up the change.

Real-world recipes

Find all error events in the last 24 hours across System log

cmd
wevtutil qe System /q:"*[System[Level=2 and TimeCreated[timediff(@SystemTime) <= 86400000]]]" /rd:true /f:text /c:20

Output:

yaml
Event[0]:
  Log Name: System
  Event ID: 7034
  Level: Error
  Description: The XYZ service terminated unexpectedly.

Export and clear all classic logs in one batch

cmd
@echo off
set LOGDIR=C:\LogArchive\%DATE:~-4,4%%DATE:~-7,2%%DATE:~-10,2%
mkdir %LOGDIR%
for %%L in (Application System) do (
    wevtutil epl %%L "%LOGDIR%\%%L.evtx"
    wevtutil cl %%L
    echo Archived and cleared: %%L
)

Output:

yaml
Archived and cleared: Application
Archived and cleared: System

Count failed logon events (4625) in the last hour

cmd
wevtutil qe Security "/q:*[System[(EventID=4625) and TimeCreated[timediff(@SystemTime) <= 3600000]]]" /rd:true /f:text | find /c "Event ID"

Output:

code
7

Unexpected reboot detection (Kernel-Power 41)

Event ID 41 from Microsoft-Windows-Kernel-Power indicates an unclean shutdown — power loss, BSOD, or hard reset. Often the first thing to check after a server "reboots itself".

cmd
wevtutil qe System /q:"*[System[Provider[@Name='Microsoft-Windows-Kernel-Power'] and (EventID=41)]]" /c:5 /rd:true /f:text

Output:

yaml
Event[0]:
  Log Name: System
  Source: Microsoft-Windows-Kernel-Power
  Date: 2026-05-23T03:14:22.000Z
  Event ID: 41
  Description:
  The system has rebooted without cleanly shutting down first.

Export the Security log every Sunday at 02:00

A scheduled task that rolls the Security log weekly and keeps 52 weeks of archives.

cmd
@echo off
rem schtasks /create /sc weekly /d sun /st 02:00 /tn "Roll Security Log" /tr "C:\Scripts\roll-sec.cmd" /ru SYSTEM
rem %DATE% substring offsets assume the US short-date layout (e.g. Sun 05/24/2026)
set STAMP=%DATE:~-4,4%%DATE:~-7,2%%DATE:~-10,2%
set OUT=D:\SecArchive\Security_%COMPUTERNAME%_%STAMP%.evtx
mkdir D:\SecArchive 2>NUL
wevtutil epl Security "%OUT%"
wevtutil al "%OUT%" /l:en-US
wevtutil cl Security
echo Rolled to %OUT%

Output:

text
Rolled to D:\SecArchive\Security_MYHOST_20260524.evtx

Detect bursts of 4625 (potential brute force)

When more than 10 failed logons happen in five minutes, page the SOC.

powershell
$threshold = 10
$window    = (Get-Date).AddMinutes(-5)
$failures = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $window
} -ErrorAction SilentlyContinue

if ($failures.Count -gt $threshold) {
    $byIp = $failures |
        ForEach-Object { $_.Properties[19].Value } |
        Group-Object | Sort-Object Count -Descending
    Write-Warning "ALERT: $($failures.Count) failed logons in last 5min"
    $byIp | Format-Table Name, Count
}

Output:

text
WARNING: ALERT: 24 failed logons in last 5min

Name           Count
----           -----
192.0.2.50     18
198.51.100.7   6
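The same burst check can be run offline against wevtutil's default XML output (what qe emits without /f:text), for example over an exported Security log on an analysis box. The Python below is an added example, not part of the page: SAMPLE_XML is constructed in the root-less one-event-per-line shape wevtutil emits, NOW stands in for the time of the query, the keyword test mirrors the page's band() filter for Audit Failure, and parse_events, failed_logons_by_ip and burst_detected are names assumed by this example.

```python
"""Offline 4625 burst check over wevtutil qe XML output (added example; sample is constructed)."""
import re
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime, timedelta, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
AUDIT_FAILURE = 0x10000000000000                            # keyword bit the page tests with band()
NOW = datetime(2026, 5, 25, 8, 5, 0, tzinfo=timezone.utc)   # stands in for "time of query"


def _evt(rec, when, event_id, keywords, user, ip):
    """One constructed <Event> in the shape wevtutil qe emits (System element abbreviated)."""
    ts = when.strftime("%Y-%m-%dT%H:%M:%S.%f") + "000Z"     # wevtutil writes 9 fractional digits
    return (f"<Event xmlns='{NS['e']}'><System>"
            f"<Provider Name='Microsoft-Windows-Security-Auditing'/><EventID>{event_id}</EventID>"
            f"<Keywords>{keywords}</Keywords><TimeCreated SystemTime='{ts}'/>"
            f"<EventRecordID>{rec}</EventRecordID><Channel>Security</Channel>"
            f"<Computer>MYHOST</Computer></System><EventData>"
            f"<Data Name='TargetUserName'>{user}</Data><Data Name='IpAddress'>{ip}</Data>"
            f"</EventData></Event>")


def _sample():
    """Constructed capture: 12 failures from one IP, 3 from another, one stale, one success."""
    rows = [_evt(1001 + i, NOW - timedelta(seconds=20 * i), 4625, "0x8010000000000000",
                 "alicedev", "192.0.2.50") for i in range(12)]
    rows += [_evt(1101 + i, NOW - timedelta(minutes=1, seconds=7 * i), 4625,
                  "0x8010000000000000", "bob", "198.51.100.7") for i in range(3)]
    rows.append(_evt(1200, NOW - timedelta(hours=2), 4625, "0x8010000000000000",
                     "alicedev", "203.0.113.9"))            # older than the 5-minute window
    rows.append(_evt(1201, NOW - timedelta(seconds=5), 4624, "0x8020000000000000",
                     "alicedev", "192.0.2.50"))             # a success, not a failure
    return "\r\n".join(rows)                                # one event per line, no root element


SAMPLE_XML = _sample()


def parse_events(raw):
    """Split wevtutil's root-less XML stream into events and extract the fields we need."""
    events = []
    for chunk in re.findall(r"<Event\b.*?</Event>", raw, flags=re.S):
        root = ET.fromstring(chunk)
        system = root.find("e:System", NS)
        ts = system.find("e:TimeCreated", NS).get("SystemTime")
        # strptime's %f accepts at most 6 digits, so trim wevtutil's 9-digit fraction first.
        fmt, ts = ("%Y-%m-%dT%H:%M:%S.%f", ts[:26]) if "." in ts else ("%Y-%m-%dT%H:%M:%S", ts[:19])
        events.append({
            "record": int(system.findtext("e:EventRecordID", namespaces=NS)),
            "event_id": int(system.findtext("e:EventID", namespaces=NS)),
            "keywords": int(system.findtext("e:Keywords", default="0", namespaces=NS), 16),
            "time": datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc),
            "data": {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)},
        })
    return events


def failed_logons_by_ip(events, now=NOW, window=timedelta(minutes=5)):
    """Count audit-failure 4625 events inside [now-window, now], keyed by the IpAddress field."""
    counts = Counter()
    for ev in events:
        if ev["event_id"] != 4625 or not (ev["keywords"] & AUDIT_FAILURE):
            continue
        if not (timedelta(0) <= now - ev["time"] <= window):
            continue
        counts[ev["data"].get("IpAddress", "-")] += 1
    return counts


def burst_detected(counts, threshold=10):
    """Same rule as the PowerShell recipe above: more than `threshold` failures in the window."""
    return sum(counts.values()) > threshold


if __name__ == "__main__":
    by_ip = failed_logons_by_ip(parse_events(SAMPLE_XML))
    if burst_detected(by_ip):
        print(f"ALERT: {sum(by_ip.values())} failed logons in last 5min")
        for ip, n in by_ip.most_common():
            print(f"{ip:<15} {n}")
```

Feed it real data with wevtutil qe Security /q:"*[System[EventID=4625]]" (no /f:text) redirected to a file, or the XML of an exported .evtx queried with /lf:true.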

Compare event volume between two machines

A quick sanity check during a fleet roll-out — are the new build's logs landing where expected?

powershell
$hosts = 'srv01','srv02','srv03'
$hosts | ForEach-Object {
    [PSCustomObject]@{
        Host        = $_
        SystemCount = (Get-WinEvent -ComputerName $_ -LogName System -MaxEvents 10000).Count
        SecCount    = (Get-WinEvent -ComputerName $_ -LogName Security -MaxEvents 10000).Count
    }
} | Format-Table -AutoSize

Output:

yaml
Host  SystemCount SecCount
----  ----------- --------
srv01        2843     8421
srv02        2901     8501
srv03         142      203   <-- investigate

Forward events to a central collector via Windows Event Forwarding

WEF uses the Microsoft-Windows-Forwarding/* channels. Confirm a subscription is healthy by checking RuntimeStatus.

cmd
rem On the collector — list active subscriptions
wecutil es

Output:

text
SecurityForwarding
AppForwarding

cmd
rem Show subscription runtime status (events received, errors)
wecutil gr SecurityForwarding

Output:

yaml
Subscription: SecurityForwarding
RunTimeStatus:
    EventSources:
        myhost.contoso.local:
            RunTimeStatus: Active
            LastError: 0
            LastHeartbeatTime: 2026-05-24T10:13:00.000

cmd
rem On a source — verify it can reach the collector
wevtutil qe Microsoft-Windows-Forwarding/Operational /c:5 /rd:true /f:text

Output:

text
Event[0]:
  Log Name: Microsoft-Windows-Forwarding/Operational
  Source: Microsoft-Windows-EventCollector
  Date: 2026-05-25T08:00:14.402
  Event ID: 100
  Description: Subscription SecurityForwarding is created successfully.

Trim a runaway channel

When an Analytic channel fills the disk, disable, archive, clear, then re-enable.

cmd
wevtutil sl Microsoft-Windows-Kernel-Process/Analytic /e:false
wevtutil epl Microsoft-Windows-Kernel-Process/Analytic D:\Archive\kproc.evtx /lf:false
wevtutil cl Microsoft-Windows-Kernel-Process/Analytic
wevtutil sl Microsoft-Windows-Kernel-Process/Analytic /ms:33554432 /rt:false /e:true

Output: (none — each command exits 0 on success)

Build a CSV of all error events from yesterday for a daily report

powershell
$yesterday = (Get-Date).Date.AddDays(-1)
$today     = (Get-Date).Date

Get-WinEvent -FilterHashtable @{
    LogName   = 'System','Application'
    Level     = 1, 2
    StartTime = $yesterday
    EndTime   = $today
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LogName, Id, LevelDisplayName, ProviderName,
                  @{ N='Message'; E={ $_.Message -replace "`r?`n",' ' } } |
    Export-Csv -NoTypeInformation `
        -Path "C:\Reports\errors_$($yesterday.ToString('yyyy-MM-dd')).csv"

Output: (CSV file written; one row per error event)

  • wecutil — Windows Event Collector utility, manages forwarded-event subscriptions (called out above).
  • tracerpt — converts .etl traces (from logman create trace) to text or CSV.
  • Get-WinEvent — the modern PowerShell cmdlet covered above.
  • logman — adjacent tool for performance-counter and event-trace (ETL) collectors.
  • systeminfo — first stop when correlating events with build, hotfix, and boot-time data.
  • journalctl — the Linux analogue for structured log inspection.
