Microsoft KB Archive/318763

= How to use the Event Log Management Script tool (Eventlog.pl) to manage event logs in Windows 2000 =

Article ID: 318763

Article Last Modified on 10/30/2006

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition

-



This article was previously published under Q318763



IN THIS TASK
 * SUMMARY
 * System Requirements for Eventlog.pl
   * Source Computer
   * Target Computer
 * Overview of Eventlog.pl
   * Change
   * Backup
   * Export
   * Clear
   * Query
 * Examples
 * Troubleshooting
 * REFERENCES



SUMMARY
This article describes how to use the Event Log Management Script tool (Eventlog.pl) to manage Event Viewer logs of Windows 2000-based computers.

An event is any significant occurrence in the computer or in a program that requires either users to be notified or an entry added to a log. The Event Log Service records events to the Application, Security, and System logs in Event Viewer. Additionally, events are written to the Directory Service and File Replication Service logs on domain controllers and the DNS Server log on DNS servers. You can use Event Viewer to obtain information about your hardware, software, and system components, and to monitor security events on a local or remote computer. You can use event logs to identify and diagnose the source of current computer problems or to help you predict potential computer problems.

Eventlog.pl is available in the Windows 2000 Resource Kit Supplement 1. You can use this script tool to perform the following event log management tasks:
 * Change the properties of event logs.
 * Back up (save) event logs.
 * Export event lists to text files.
 * Clear (delete) all events from event logs.
 * Query the properties of event logs.

IMPORTANT: Do not use Eventlog.pl if you use Group Policy to specify event log settings. Eventlog.pl can violate Event log policies so that the following Group Policy settings for domains, organizational units, and sites may become ineffective:
 * Maximum  log size
 * Retain  log
 * Retention method for  log


System Requirements for Eventlog.pl
Eventlog.pl runs on a source computer and acts on a target computer (which can be the same computer as the source computer or a different one). Before you can use Eventlog.pl to manage the event logs of the local computer or of a remote computer, confirm that you have met the requirements that are described in the following section.

Source Computer

 * The computer is running either Windows 2000 Professional or Windows 2000 Server.
 * ActiveState ActivePerl Build 521 is installed. This program is available in the Windows 2000 Resource Kit.

The computer must also be correctly configured to run the Perl scripts that are included in the Windows 2000 Resource Kit Supplement 1. The Resource Kit WMI provider module, Wmi.pm, must be in the \Site\Lib\W2rk folder. The Resource Kit Setup program typically creates the W2rk folder and copies the Wmi.pm file to this folder.

If the W2rk folder is not automatically created during Setup, you can manually create it and configure the environment in which to run Eventlog.pl. For more information about how to do so, see the Troubleshooting section later in this article.
 * You must be logged in as a member of the Administrators group if you want to view Security log events or change or clear an event log.


Target Computer
The target computer must be running either Windows 2000 Professional or Windows 2000 Server.


Overview of Eventlog.pl
Eventlog.pl uses the following general syntax, where   is one of the following commands that you can pass to the script:

eventlog.pl

The following list describes each operation that you can use with Eventlog.pl:

-change: Use this operation to change the properties of event logs.

-backup: Use this operation to make backup copies of event logs.

-export: Use this operation to save event lists to text files.

-clear: Use this operation to delete all events from event logs.

-query: Use this operation to display the properties of event logs.

Each operation uses its own syntax.


Change
The eventlog.pl -change statement uses the following syntax:

eventlog.pl -change [  ...] | * [ -s  [ -u  -p  ]] [ -setmaxsize  ][ -setbehavior asneeded | olderthan | never ] [ -restore ]

You can use the following parameters with eventlog.pl -change:
 * [ ...]| *: Use this parameter to specify the event logs that you want to change. If you want to change two or more event logs, separate each log with a space. If you want to change all event logs, use the wildcard character (*). If the event log name contains a space, enclose the name with quotation marks ("").
 * -s : Use this parameter to specify the name or Internet Protocol (IP) address of a remote computer. If you omit this parameter, the local computer is specified.
 * -u : Use this parameter to specify the user account with which to run Eventlog.pl. If you omit this parameter, Eventlog.pl uses the permissions of the currently logged-on user. If you use this parameter, you must also use the -p parameter to provide the user's password.
 * -p : Use this parameter to specify the password of the user account that is specified by the -u parameter. The -p parameter is required when you use the -u parameter. Because the password is passed as a command-line argument, it is visible in the command line of the running process on the source computer.

NOTE: Both the -p and -u parameters are available only when you use the -s parameter.
 * -setmaxsize : Use this parameter to specify the maximum size of the event log in kilobytes (KB). This value must be a whole number that is a multiple of 64, and it corresponds to the Maximum log size entry in the Properties dialog box of an event log.
 * -setbehavior asneeded | olderthan | never: Use this parameter to determine the action that is taken when the event log reaches its maximum size:
   * asneeded: Use this value if you want to overwrite the oldest events in the log with new events.
   * olderthan : Use this value if you want to overwrite events that are older than  , where   represents a number of days. If the log is full and there are no events old enough to be overwritten, new events are discarded.
   * never: Use this value to specify that you do not want to overwrite events. When the log is full, new events are discarded. To record new events, you must clear the log.

This setting corresponds to the When maximum log size is reached entry in the event log properties.
 * -restore: Use this parameter to set the maximum log size to 512 KB and to specify that events older than seven days are overwritten. This parameter is the equivalent of clicking Restore Defaults in the event log properties.

NOTE: The -restore parameter takes precedence over the -setmaxsize and -setbehavior parameters. When you use the -restore parameter, any -setmaxsize and -setbehavior parameters that are in the command are ignored.


Backup
The eventlog.pl -backup statement uses the following syntax:

eventlog.pl -backup [  ...] | * [ -s  [ -u  -p  ]] [ -format evt | txt | csv ] [ -file [ -file  ...]]

You can use the following parameters with eventlog.pl -backup :
 * [ ...]| *: Use this parameter to specify the event logs that you want to back up. If you want to back up two or more event logs, separate each log with a space. If you want to back up all event logs, use the wildcard character (*). If the event log name contains a space, enclose it with quotation marks ("").
 * -s : Use this parameter to specify the name or IP address of a remote computer. If you omit this parameter, the local computer is specified.
 * -u : Use this parameter to specify the user account with which to run Eventlog.pl. If you omit this parameter, Eventlog.pl uses the permissions of the currently logged-on user. If you use this parameter, you must also use the -p parameter to provide the user's password.
 * -p : Use this parameter to specify the password of the user account that is specified by the -u parameter. The -p parameter is required when you use the -u parameter.

NOTE: Both the -p and -u parameters are available only when you use the -s parameter.
 * -format evt| txt | csv: Use this parameter to specify the format of the backup copy of the event log. If you omit this parameter, Eventlog.pl uses the evt format.

NOTES:
 * Evt-formatted logs include binary data that is not saved in other log formats.
 * You cannot back up remote event logs using the evt format. To back up remote logs, use either txt or csv format.
 * -file  [ -file   ]: Use this parameter to specify the name of the backup copy of the event log by using the following format:  :\ \ . If you omit this parameter, Eventlog.pl names the files by using the following format:   (for example, System.evt).

If you use more than one file name, Eventlog.pl backs up one log to each file on the list in the order in which the file names appear. You must list the file names in the same order that you list the logs in the command. Extra file names are ignored.

You can only use the -file parameter if you specify log names in the command. This parameter is not valid when the file names contain wildcard characters (*).


Export
The eventlog.pl -export statement uses the following syntax:

eventlog.pl -export [  ...] | * [ -s  [ -u  -p  ]] [ -format txt | csv ] [ -file  [ -file  ...]]

You can use the following parameters with eventlog.pl -export :
 * [ ...]| *: Use this parameter to specify the event logs that you want to export. If you want to export two or more event logs, separate each log with a space. If you want to export all event logs, use the wildcard character (*). If the event log name contains a space, enclose it with quotation marks ("").
 * -s : Use this parameter to specify the name or IP address of a remote computer. If you omit this parameter, the local computer is specified.
 * -u : Use this parameter to specify the user account with which to run Eventlog.pl. If you omit this parameter, Eventlog.pl uses the permissions of the currently logged-on user. If you use this parameter, you must also use the -p parameter to provide the user's password.
 * -p : Use this parameter to specify the password of the user account that is specified by the -u parameter. The -p parameter is required when you use the -u parameter.

NOTE: Both the -p and -u parameters are available only when you use the -s parameter.
 * -format txt | csv : Use this parameter to specify the format of the exported file. If you omit this parameter, Eventlog.pl uses the txt format.
 * -file  [ -file   ]: Use this parameter to specify the name of the exported file by using the following format:  :\ \ . If you omit this parameter, Eventlog.pl names the files using the following format:   (for example, Application.txt).

If you use more than one file name, Eventlog.pl exports one log to each file on the list in the order in which the file names appear. You must list the file names in the same order that you list the logs in the command. Extra file names are ignored.

You can only use the -file parameter if you specify log names in the command. This parameter is not valid when the file names contain wildcard characters (*).


Clear
The eventlog.pl -clear statement uses the following syntax:

eventlog.pl -clear [  ...] | * [ -s  [ -u  -p  ]]

You can use the following parameters with eventlog.pl -clear :
 * [ ...]| *: Use this parameter to specify the event logs that you want to clear. If you want to clear two or more event logs, separate each log with a space. If you want to clear all event logs, use the wildcard character (*). If the event log name contains a space, enclose it with quotation marks ("").
 * -s : Use this parameter to specify the name or IP address of a remote computer. If you omit this parameter, the local computer is specified.
 * -u : Use this parameter to specify the user account with which to run Eventlog.pl. If you omit this parameter, Eventlog.pl uses the permissions of the currently logged-on user. If you use this parameter, you must also use the -p parameter to provide the user's password.
 * -p : Use this parameter to specify the password of the user account that is specified by the -u parameter. The -p parameter is required when you use the -u parameter.

NOTE: Both the -p and -u parameters are available only when you use the -s parameter.


Query
The eventlog.pl -query statement uses the following syntax:

eventlog.pl -query [  ...] | * [ -s  [ -u  -p  ]] [ -format table | list | csv ] [ -v ]

You can use the following parameters with eventlog.pl -query :
 * [ ...]| *: Use this parameter to specify the event logs that you want to query. If you want to search two or more event logs, separate each log with a space. If you want to search all event logs, use the wildcard character (*). If the event log name contains a space, enclose it with quotation marks ("").
 * -s : Use this parameter to specify the name or IP address of a remote computer. If you omit this parameter, the local computer is specified.
 * -u : Use this parameter to specify the user account with which to run Eventlog.pl. If you omit this parameter, Eventlog.pl uses the permissions of the currently logged-on user. If you use this parameter, you must also use the -p parameter to provide the user's password.
 * -p : Use this parameter to specify the password of the user account that is specified by the -u parameter. The -p parameter is required when you use the -u parameter.

NOTE: Both the -p and -u parameters are available only when you use the -s parameter.
 * -format table | list | csv: Use this parameter to specify the output format. If you omit this parameter, Eventlog.pl uses the table format by default.
 * -v: Use this parameter to add the CreationDate, LastModified, LastAccessed, MaxLogSize, and LogBehavior fields to the display.
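The fields that -query -v displays are properties of the Win32_NTEventlogFile WMI class, which is also what the Resource Kit Wmi.pm module exposes. The following Perl script is an added example, not part of Eventlog.pl or the Resource Kit: it reads those properties through the Win32::OLE module that ships with ActivePerl and flags logs whose retention settings fall below the 512 KB / overwrite-as-needed defaults that -restore applies (the baseline values and the optional computer-name argument are assumptions of this example).

```perl
#!/usr/bin/perl
# Added example: audit event log retention settings via WMI (Win32_NTEventlogFile).
# Not part of Eventlog.pl; uses the same class that the Resource Kit script relies on.
use strict;
use warnings;
use Win32::OLE qw(in);

# Target computer: "." is the local computer; pass a name or IP address for a
# remote one (assumption of this example, mirroring the -s parameter).
my $computer = $ARGV[0] || '.';

# The (Security) privilege in the moniker is needed to read the Security log,
# which is why the page requires Administrators group membership for that log.
my $wmi = Win32::OLE->GetObject(
    "winmgmts:{impersonationLevel=impersonate,(Security)}!\\\\$computer\\root\\cimv2")
    or die "Cannot connect to WMI on $computer: " . Win32::OLE->LastError() . "\n";

# Baseline (assumed for this example): the 512 KB default size that -restore sets.
my $min_size_kb = 512;

printf "%-22s %8s %8s %-20s\n", 'Log', 'MaxKB', 'Records', 'Policy';
for my $log (in $wmi->ExecQuery('SELECT * FROM Win32_NTEventlogFile')) {
    # MaxFileSize is in bytes; -setmaxsize and the Properties dialog use KB.
    my $max_kb = int($log->{MaxFileSize} / 1024);

    # OverwritePolicy is WhenNeeded, OutDated or Never, matching the
    # asneeded | olderthan | never values of -setbehavior.
    my $policy = $log->{OverwritePolicy};
    $policy .= " ($log->{OverWriteOutDated} days)" if $policy eq 'OutDated';

    my @flags;
    push @flags, "below $min_size_kb KB baseline" if $max_kb < $min_size_kb;
    push @flags, 'new events discarded when full'
        if $log->{OverwritePolicy} eq 'Never';

    printf "%-22s %8d %8d %-20s%s\n", $log->{LogfileName}, $max_kb,
        $log->{NumberOfRecords}, $policy, (@flags ? '  <-- ' . join('; ', @flags) : '');
}
```

A log reported with the Never policy or with OutDated and no events old enough to overwrite will silently drop new events once full, so the flagged lines are the ones to fix with -change or through Group Policy.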


Examples
 * To set the maximum size of the System log on the local computer to 2688 KB and specify that the oldest events are overwritten by new events when the log is full, type the following line at the command prompt, and then press ENTER:

eventlog.pl -change system -setmaxsize 2688 -setbehavior asneeded

 * To run Eventlog.pl by using the Administrator account to restore the size of all event logs on a remote computer named Server8 in the Corp domain to a maximum log size of 512 KB and to specify that events older than seven days are overwritten if the logs are full, type the following line at the command prompt, and then press ENTER:

eventlog.pl -change * -s server8 -u corp\administrator -p  -restore

 * To back up the DNS Server log of the local computer by using the default evt format and file name (Dns Server.evt), type the following line at the command prompt, and then press ENTER:

eventlog.pl -backup "dns server"

 * To export the events from the System log of the local computer by using the default txt format and file name (System.txt), type the following line at the command prompt, and then press ENTER:

eventlog.pl -export system

 * To clear all events from the Application and System logs of a computer named Server5, type the following line at the command prompt, and then press ENTER:

eventlog.pl -clear application system -s server5

 * To display the properties of all event logs of a computer named Server8 in list format and redirect the output to the D:\Reports\Srv8logs.log file, type the following line at the command prompt, and then press ENTER:

eventlog.pl -query * -format list -v > d:\reports\srv8logs.log


Troubleshooting
When you try to run Eventlog.pl, you receive the following error message:

ERROR: Wmi.pm is required to run the script.

Copy Wmi.pm from the Resource Kit directory to /Perl/site/lib/W2RK.

This behavior can occur if the computer is not correctly configured to run the Perl scripts included in the Windows 2000 Resource Kit Supplement 1. To use Eventlog.pl, the W2rk folder must exist in the \site\lib folder, and it must contain the Wmi.pm file.

To resolve this behavior, manually configure the environment in which to run Perl scripts:
 * 1) Create a folder named W2rk in the  \Site\Lib folder.

NOTE: The default  is  :\Perl where   is the drive on which Windows is installed.
 * 2) Copy the Wmi.pm file from the folder in which the Windows 2000 Resource Kit is installed (by default, Program Files\Resource Kit) to the W2rk folder that you created in step 1.


<div class="references_section">