Sysinternals/Pstools/psloglist
Jump to navigation
Jump to search
| You are here: | psloglist
|
Description
PsLogList is part of the PsTools toolkit developed by Sysinternals. PsLogList dumps event logs on a local or remote NT system.
Installation
PsLogList is part of the PsTools suite. To install it, please refer to this section.
Usage
Syntax
Usage: psloglist [\\computer[,computer2[,...] | @file] [-u username [-p password]]] [-s [-t delimiter]] [-m #|-n #|-d #|-h #|-w][-c][-x][-r][-a mm/dd/yy][-b mm/dd/yy] [-f filter] [-i ID,[ID,...]] | -e ID,[ID,...]] [-o event source[,event source[,...]]] [-q event source[,event source[,...]]] [[-g|-l] event log file] <event log>
Options
- @file
- Psloglist will execute the command on each of the computers listed in the file.
- -a
- Dump records timestamped after specified date.
- -b
- Dump records timestamped before specified date.
- -c
- Clear event log after displaying.
- -d
- Only display records from previous n days.
- -e
- Exclude events with the specified ID or IDs (up to 10).
- -f
- Filter event types, using starting letter (e.g. "-f we" to filter warnings and errors).
- -g
- Export an event log as an evt file.
- -h
- Only display records from previous n hours.
- -i
- Show only events with the specified ID or IDs (up to 10).
- -l
- Dump the contents of the specified saved event log file.
- -m
- Only display records from previous n minutes.
- -n
- Only display n most recent records.
- -o
- Show only records from the specified event source or sources (e.g. "-o cdrom"). Append '*' to specify substring match.
- -p
- Specifies password for user name.
- -q
- Omit records from the specified event source or sources (e.g. "-q cdrom"). Append '*' to specify substring match.
- -r
- Dump log from least recent to most recent.
- -s
- Records are listed on one line each with delimited fields, which is convenient for string searches.
- -t
- The default delimiter for the -s option is a comma, but can be overriden with the specified character. Use "\t" to specify tab.
- -u
- Specifies optional user name for login to remote computer.
- -w
- Wait for new events, dumping them as they generate (local system only.)
- -x
- Dump extended data.
- -z
- List event logs registered on specified system.
- eventlog
- Specifies event log to dump. Default is system. If the
- -l
- switch is present then the event log name specifies how to interpret the event log file.
Examples
List events logs
C:\pstools>psloglist PsLoglist v2.71 - local and remote event log viewer Copyright (C) 2000-2009 Mark Russinovich Sysinternals - www.sysinternals.com System log on \\WILLIAM-PC: [3299] Service Control Manager Type: INFORMATION Computer: william-PC Time: 11/07/2012 21:04:12 ID: 7036 Le service Planificateur de classes multimédias est entré dans l’état : en cours d’exécution. [3298] Service Control Manager Type: INFORMATION Computer: william-PC Time: 11/07/2012 20:48:47 ID: 7036 Le service Service de notification SPP est entré dans l’état : arrêté. [3297] Service Control Manager Type: INFORMATION Computer: william-PC Time: 11/07/2012 20:42:50 ID: 7036 Le service Expérience d’application est entré dans l’état : arrêté. [...TRUNCATED...]
It corresponds to the Microsoft events logs:
Search events
C:\pstools>psloglist -s | find "session" PsLoglist v2.71 - local and remote event log viewer Copyright (C) 2000-2009 Mark Russinovich Sysinternals - www.sysinternals.com 3422,System,Microsoft-Windows-Winlogon,INFORMATION,william-PC,12/07/2012 18:52:09,7001,SystÞme\AUTORITE NT,"Notification dÆouverture de session utilisateur pour le Programme dÆamÚlioration de lÆexpÚrience utilisateur " 3381,System,Service Control Manager,INFORMATION,william-PC,12/07/2012 18:51:45,7036,None,"Le service Gestionnaire de sessions du Gestionnaire de fenÛtrage est entrÚ dans lÆÚtat : en cours dÆexÚcution. " 3337,System,Microsoft-Windows-Winlogon,INFORMATION,william-PC,12/07/2012 18:01:47,7002,SystÞme\AUTORITE NT,"Notification de fermeture de session utilisateur pour le Programme dÆamÚlioration de lÆexpÚrience utilisateur "