WWBEventViewer - Event Log Viewer Command Line Utility
From WebWatchBotWiki
Summary
WWBEventViewer is a command line application for accessing the Windows Event Viewer logs on the local machine or on a remote machine. It provides several filtering options, logged output, and logged messages from the program itself.
Download and Install
http://www.exclamationsoft.com/exclamationsoft/download/special/WWBEventViewer.zip (156KB)
Download and unzip the two files (WWBEventViewer.exe and BotDll.dll) into a directory, e.g. C:\Program Files\WWBEventViewer. Do not place the files in the WebWatchBot installation directory, as the files may conflict. WWBEventViewer requires some Windows files that are provided with Internet Explorer 6 and newer.
Usage
WWBEventViewer -log [Application|Security|System] [Optional Parameters...]
Required Parameters
-log (-l) = The name of the event log, e.g. Application, System, Security, etc.
Optional Parameters
Basic
-machinename (-mn) = Name of the machine for querying the event log. If not specified, the current machine is used.
-logfile (-lf) = Fully qualified pathname to log file
-outputfile (-of) = Fully qualified pathname to output file
Filters
-search (-sr) = Search for specified text in the entry
-type (-t) = Filter entries based on event type/level. Specify multiple
filters separated by a comma or semicolon (case
sensitive): success, error, warning, information,
auditsuccess, or auditfailure.
-source (-s) = Filter by single source, e.g. WebWatchBot, Application
Error, etc.
-eventid (-ei) = Search for specified event id (numeric)
-dateperiod (-dp) = Filter by dateperiod: lasthour, last12hours, last24hours,
today, yesterday, last7days, last14days, lastweek,
lastmonth, monthtodate, yeartodate
-startdate (-sd) = Filter by start date (requires -enddate)
-enddate (-ed) = Filter by end date (requires -startdate)
-max (-m) = Max entries to return
Return Codes
0 - SUCCESS
1 - Failed to initialize, internal error.
2 - Success, help requested
3 - Error, cannot open event log
4 - Error, cannot read from event log
5 - Warning, no entries returned
259 - Interrupted, user pressed Ctrl-C or the program was forcibly stopped. If running in WebWatchBot, increase the timeout value.
Return codes can be found by the following command after WWBEventViewer has run, or checked automatically within WebWatchBot:
echo %errorlevel%
Examples
Display all entries from the Application log
WWBEventViewer -log Application
Display entries from the Application log containing the text "ExclamationSoft"
WWBEventViewer -log Application -search ExclamationSoft
Display entries from the Application log containing the text "the service has been restarted"
WWBEventViewer -log Application -search "the service has been restarted"
Display entries from the Application log for a particular source
WWBEventViewer -log Application -source "WebWatchBot"
Display entries from the Application log for today's date
WWBEventViewer -log Application -dateperiod today
Display entries from the Application log for entries between two fixed dates
WWBEventViewer -log Application -startdate "11/1/2009" -enddate "12/31/2009"
Display entries from the Application log, up to a maximum of 10 entries
WWBEventViewer -log Application -max 10
Integration
- In WebWatchBot Manager, create a new Watch Item: File -> New -> Watch Item
- Change the Watch Type to "Custom"
- Note the frequency is 1 hour, meaning that this Watch Item will run once an hour.
- Click the "Settings" button
- Enter the fully qualified pathname to WWBEventViewer and parameters for the query
Example:
C:\Program Files\WWBEventViewer\wwbeventviewer.exe -log Application -dateperiod lasthour -eventid 8194
- Click OK to close the Custom Settings window.
- Click OK to close and save the new Watch Item
When this Watch Item runs each hour, it will execute the program WWBEventViewer. If records are returned, the return code will be 0 (Success); if no records are returned, the return code will be 5 (Warning, no entries returned), which will trigger an alarm. One can modify the Watch Item to send an email alert upon failure.
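An added example (not part of the original page or of ExclamationSoft's tooling): a batch wrapper for the case where matching entries are themselves the alarm condition, here failed audits in the Security log. Return code 0 raises the alert, 5 is the quiet case, and 3 or 4 are reported separately because the log could not be read. The C:\Logs paths and the wrapper's own exit codes (0 = quiet, 1 = alert, 2 = query failed) are assumptions.

```bat
@echo off
setlocal
rem Added example, not from the WWBEventViewer documentation.
rem Install directory follows the page's example; C:\Logs is a hypothetical location.
set "WWB=C:\Program Files\WWBEventViewer\WWBEventViewer.exe"
set "OUT=C:\Logs\security-auditfailure.txt"
set "LOG=C:\Logs\wwbeventviewer.log"

rem Failed audit events from the Security log, last hour only.
rem The -type value is case sensitive, so it is written exactly as documented.
"%WWB%" -log Security -type auditfailure -dateperiod lasthour -outputfile "%OUT%" -logfile "%LOG%"
set "RC=%ERRORLEVEL%"

rem 0 = entries returned: for this query that means audit failures exist.
if "%RC%"=="0" (
    echo ALERT: audit failures logged in the last hour, see %OUT%
    exit /b 1
)
rem 5 = no entries returned: nothing matched, which is the quiet case here.
if "%RC%"=="5" (
    echo OK: no audit failures in the last hour
    exit /b 0
)
rem 3 and 4 = log could not be opened or read: the check saw nothing at all.
if "%RC%"=="3" goto :blind
if "%RC%"=="4" goto :blind
rem 259 = interrupted or forcibly stopped, e.g. a timeout in the caller.
if "%RC%"=="259" (
    echo ERROR: query was interrupted before it finished
    exit /b 2
)
rem 1, 2 or anything undocumented: treat as a failed check, not as a clean result.
echo ERROR: WWBEventViewer returned %RC%, see %LOG%
exit /b 2

:blind
echo ERROR: Security log could not be opened or read, code %RC%, see %LOG%
exit /b 2
```

Keeping codes 3 and 4 apart from code 5 means a log that cannot be read is never mistaken for an hour with no matching events.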
