December 2005

PsLoglist

Sort through event logs—quickly and easily

The Windows event logs store a wealth of information about the health and security of your systems, applications, and user accounts. Harvesting event-log data can be an important part of managing your Windows network, but many of the available tools for managing network-wide event logs are commercial or require you to be an expert in Windows Management Interface (WMI) scripting or SQL query syntax. PsLoglist, a free tool from Sysinternals, is a lightweight, command-line event-log viewer that lets you easily gather events from logs across your network, filter logs according to event sources or IDs, and collect log data from specific dates or times. PsLoglist works on Windows NT 4.0 and later, including 64-bit Windows versions.

What Goes In
Figure 1 shows the command-line syntax for PsLoglist's many options. If you run PsLoglist without any command-line arguments, it prints the entire contents of the local system's System log. Figure 2 shows the information that PsLoglist displays. This information mirrors what the Windows Event Viewer shows, including the event record number (shown in brackets), source, type, computer, timestamp, ID, and text.

When you want to dump the contents of a different event log (e.g., Security log, Application log, DNS log), enter the first few letters of the log name. For example, the following command dumps the contents of the File Replication Service log, a log that's present on domain controllers (DCs):

psloglist file 

When you want to clear an event log after extracting its contents, include the -c switch in the command:

psloglist file -c 

Viewing a local server's event logs can be useful, but PsLoglist's real power is its ability to access event logs on remote systems. To take advantage of this capability, include the name of a remote computer on the command line, prefixing the name with a double backslash (\\). If the account from which you're running PsLoglist doesn't have local Administrator access on the remote computer, you can include alternate credentials by using the -u switch. If you choose not to use the -p switch to include the account password, PsLoglist prompts you to enter the password. PsLoglist masks your input and uses standard Windows authentication, so alternate credentials aren't passed in clear text.

PsLoglist's @ switch makes it easy to aggregate event-log data from multiple computers. List the computer names (with or without the double-backslash prefix) on separate lines in a text file, then append the name of that file to the @ switch. The following command uses this technique to print the Application log from the systems listed in a file named computers.txt.

psloglist @computers.txt application 

Event Viewer processes event text by extracting insertion strings from an event-log record, then embedding those strings into corresponding format strings stored in event source DLLs that the system and applications register. Most event-viewing applications, including Event Viewer, display only the insertion strings (not the full text) for records that reference event source DLLs that aren't present on the local system. This makes the text unreadable. One of the features that makes PsLoglist unique is that it processes such strings by using the source DLLs from remote systems. However, this feature requires that the remote system's default administrative share (Admin$) be enabled and accessible and that the event source DLLs be located under the \Windows directory. Be sure that this is the case on remote systems before using PsLoglist to gather data from those systems, or the tool won't be able to display full event text.

What Comes Out
PsLoglist offers several options that affect its output format. A common use of PsLoglist is to collect event-log data from several systems, then import that data into a SQL database or Microsoft Excel spreadsheet. PsLoglist's -s switch formats output data in comma-separated value (CSV) format, putting all the fields of an event-log record on the same output line. Excel natively understands CSV format, and the format is easy to import into databases. When you redirect CSV-formatted PsLoglist output to a file, you can also use PsLoglist to open that file in Excel by using the start command:

psloglist -s > events.csv
start events.csv

Some event-log text contains commas, and the comma is PsLoglist's default CSV field delimiter. Embedded commas will therefore confuse Excel and other CSV-import programs into treating such text as multiple fields. If you're processing logs that contain commas in text, use the -t switch to specify a different delimiter character. The tab character is a popular CSV delimiter; the following command tells PsLoglist to use that character:

psloglist -s -t \t > events.csv 
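The delimiter problem described above is easy to reproduce on the consumer side of the pipeline. The following Python script is an added example, not part of the original article or of PsLoglist itself: it parses constructed sample output in the comma-delimited form (as -s alone would produce) and in the tab-delimited form (-s -t \t), flags rows whose field count does not match, and then summarizes the cleanly parsed events by source and ID. The field order, the sample events, and the computer names SRV01/SRV02 are assumptions for the example and are not necessarily PsLoglist's exact column layout.

```python
"""Parse PsLoglist-style delimited output and show why embedded commas
break comma-delimited CSV.

Added example. The column order and the sample lines below are
constructed for illustration; they are not PsLoglist's exact output.
"""
import csv
import io
from collections import Counter

# Field order assumed for this example: the columns the article lists
# for a PsLoglist record (assumption, not PsLoglist's documented order).
FIELDS = ["record", "source", "type", "computer", "timestamp", "id", "text"]

# Constructed sample: three events as 'psloglist -s' (comma-delimited)
# might emit them. The two logon-failure events contain a comma in the
# event text, which is exactly the case the article warns about.
COMMA_OUTPUT = (
    "1234,Service Control Manager,INFORMATION,SRV01,12/1/2005 9:15:02 AM,7036,"
    "The Print Spooler service entered the running state.\n"
    "1235,Security,AUDIT FAILURE,SRV01,12/1/2005 9:16:40 AM,529,"
    "Logon Failure: Reason: Unknown user name or bad password, User Name: jdoe\n"
    "88,Security,AUDIT FAILURE,SRV02,12/1/2005 9:17:05 AM,529,"
    "Logon Failure: Reason: Unknown user name or bad password, User Name: jdoe\n"
)

# The same three events as 'psloglist -s -t \t' would emit them
# (tab-delimited). The embedded commas are now harmless.
TAB_OUTPUT = (
    "1234\tService Control Manager\tINFORMATION\tSRV01\t12/1/2005 9:15:02 AM\t7036\t"
    "The Print Spooler service entered the running state.\n"
    "1235\tSecurity\tAUDIT FAILURE\tSRV01\t12/1/2005 9:16:40 AM\t529\t"
    "Logon Failure: Reason: Unknown user name or bad password, User Name: jdoe\n"
    "88\tSecurity\tAUDIT FAILURE\tSRV02\t12/1/2005 9:17:05 AM\t529\t"
    "Logon Failure: Reason: Unknown user name or bad password, User Name: jdoe\n"
)


def parse_events(output, delimiter=","):
    """Split each line on `delimiter` into a dict keyed by FIELDS.

    Returns (events, bad_rows). A row whose field count differs from
    FIELDS is reported in bad_rows rather than silently mis-parsed, so
    a delimiter collision shows up as a count mismatch instead of as
    corrupted data in the database or spreadsheet.
    """
    events, bad_rows = [], []
    for row in csv.reader(io.StringIO(output), delimiter=delimiter):
        if not row:
            continue
        if len(row) != len(FIELDS):
            bad_rows.append(row)
            continue
        events.append(dict(zip(FIELDS, row)))
    return events, bad_rows


def summarize(events):
    """Count events per (source, ID) and per event type.

    This is the first cut a reviewer wants over aggregated logs: which
    sources and IDs dominate, and how many audit failures there are.
    """
    by_source_id = Counter((e["source"], e["id"]) for e in events)
    by_type = Counter(e["type"] for e in events)
    return by_source_id, by_type


if __name__ == "__main__":
    comma_events, comma_bad = parse_events(COMMA_OUTPUT, ",")
    print(f"comma-delimited: {len(comma_events)} parsed, {len(comma_bad)} rejected")
    for row in comma_bad:
        print("  rejected (field count %d):" % len(row), row[0], row[1], row[5])

    tab_events, tab_bad = parse_events(TAB_OUTPUT, "\t")
    print(f"tab-delimited:   {len(tab_events)} parsed, {len(tab_bad)} rejected")

    by_source_id, by_type = summarize(tab_events)
    for (source, event_id), count in by_source_id.most_common():
        print(f"  {source} / {event_id}: {count}")
    for event_type, count in by_type.most_common():
        print(f"  {event_type}: {count}")
```

Run as-is, the comma-delimited input loses both logon-failure events to the field-count check, while the tab-delimited input parses all three; rejecting mismatched rows rather than truncating or shifting fields keeps the mis-parse visible before the data reaches Excel or a SQL table.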

Some event-log records contain raw binary data, called extended data, that contains additional information regarding the event and that isn't easy to include in the event text. By default, PsLoglist doesn't dump extended data, but you can use the -x option to direct it to do so.


