I run the command wevtutil qe Application /rd:false /f:text and I get an output as shown below. After sometime new event logs could have generated and I want to read only these new event logs i.e. Event[2], Event[3], Event[4] etc. How can I use wevtutil tool to generate only these new event logs? Event[0]: Log Name: Application Source: Microsoft-Windows-LoadPerf Date: 2016-04-21T23:15:16.832 Event ID: 1000 Task: N/A Level: Information Opcode: Info Keyword: N/A User: S-1-5-18 User Name: NT AUTHORITY\SYSTEM Computer: WIN-IONOGQTF9O5 Description: Performance counters for the WmiApRpl (WmiApRpl) service were loaded successfully. The Record Data in the data section contains the new index values assigned to this service. Event[1]: Log Name: Application Source: Microsoft-Windows-LoadPerf Date: Date: 2016-04-21T23:15:13.097 Event ID: 3011 Task: N/A Level: Information Opcode: Info Keyword: N/A User: S-1-5-18 User Name: NT AUTHORITY\SYSTEM Computer: WIN-IONOGQTF9O5 Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.

powershelleventsevent-logreadeventlogwevtutil

Reputation: 131

Wevtutil to output only new event logs

I run the command wevtutil qe Application /rd:false /f:text and I get an output as shown below. After sometime new event logs could have generated and I want to read only these new event logs i.e. Event[2], Event[3], Event[4] etc.

How can I use wevtutil tool to generate only these new event logs?

Event[0]:

Log Name: Application
Source: Microsoft-Windows-LoadPerf
Date: 2016-04-21T23:15:16.832
Event ID: 1000
Task: N/A
Level: Information
Opcode: Info
Keyword: N/A
User: S-1-5-18
User Name: NT AUTHORITY\SYSTEM
Computer: WIN-IONOGQTF9O5
Description: Performance counters for the WmiApRpl (WmiApRpl) service were loaded successfully. The Record Data in the data section contains the new index values assigned to this service.

Event[1]:

Log Name: Application
Source: Microsoft-Windows-LoadPerf
Date: Date: 2016-04-21T23:15:13.097
Event ID: 3011
Task: N/A
Level: Information
Opcode: Info
Keyword: N/A
User: S-1-5-18
User Name: NT AUTHORITY\SYSTEM
Computer: WIN-IONOGQTF9O5
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.

Upvotes: 1

Answers (2)

LuckyPrick

Reputation: 1

/rd:false will read the oldest first so if your looking for newest it may not be the best query.

I'm not aware of a read/unread tag for eventlogs, you could create a custom object and add one but that may not be the best way to go around it.

You can also do the below

$lastRanDate = "2018-11-30T17:20:55" ##import from a txt file
$date = Get-date -UFormat %Y-%m-%dT%H:%M:%S
##Get's current date and formats as following example 2018-12-01T17:17:45
$difference = New-TimeSpan -Start $lastRanDate -End $date
##Calculate difference between start time and end time
$difference = $difference.TotalMilliseconds
wevtutil epl Application "C:\Users\Pipastrilo\Desktop\appTest.evtx" /q:"*[System[TimeCreated[timediff(@SystemTime) <= $difference]]]"
## exportLog logName Path query(TimeCreated between current and HowManayMillisecondsAgo


$lastRanDate = $date
##export $lastRunDate for future searches

Upvotes: 0

Shawn Esterman

Reputation: 2342

weventil is not PowerShell so I was mislead. However, you could just do this:

Get-EventLog -LogName Application -Newest -After ( Get-Date ).AddDays(-1)

Upvotes: 0

Wevtutil to output only new event logs

Answers (2)

Related Questions