Copyright © 2000-2004 Mark Russinovich
Last Updated: January 6, 2004 v2.4

Introduction

The Resource Kit comes with a utility, elogdump, that lets you dump the contents of an Event Log on the local or a remote computer. PsLogList is a clone of elogdump, except that PsLogList lets you log in to remote systems in situations where your current set of security credentials would not permit access to the Event Log, and it retrieves message strings from the computer on which the event log you view resides.

Installation

Just copy PsLogList onto your executable path, and type "psloglist".

PsLogList works on NT 3.51, NT 4.0, Win2K, Windows XP and Server 2003.

Usage

The default behavior of PsLogList is to show the contents of the System Event Log on the local computer, with visually-friendly formatting of Event Log records. Command line options let you view logs on different computers, use a different account to view a log, or have the output formatted in a string-search friendly way.

usage: psloglist [-?] [-s [-t delimiter]] [\\computer [-u username [-p password]]] [-n # | -d #] [-x] [-c] [-r] [-a mm/dd/yy] [-b mm/dd/yy] [-f filter] [-i ID] [-o event source] [-l event log file] [eventlog]
-?  Displays the supported options and the units of measurement used for output values.
-s  This switch has PsLogList print Event Log records one-per-line, with delimited fields. This format is convenient for text searches, e.g. psloglist | findstr /i text, and for importing the output into a spreadsheet.
-t  The default delimiter for the -s option is a comma, but can be overridden with the specified character.
\\computer  Instead of showing process information for the local system, PsLogList will show information for the NT/Win2K system specified. Include the -u switch with a username and password to log in to the remote system if your security credentials do not permit you to obtain performance counter information from the remote system.
-u username  If you want to view an Event Log on a remote system and the account you are executing in does not have administrative privileges on the remote system, then you must log in as an administrator using this command-line option. PsLogList will prompt you for the password without echoing your input to the display unless you specify the -p switch.
-p password  If you specify a user name and omit this switch, PsLogList will prompt you for a password.
-n #  Only display the n most recent records.
-d #  Only display records from the previous n days.
-c  Clear the event log after displaying.
-x  Dump extended data.
-r  Dump log from least recent to most recent.
-a  Dump records timestamped after the specified date.
-b  Dump records timestamped before the specified date.
-f  Filter event types with filter string (e.g. "-f w" to filter warnings).
-i  Show only events with the specified ID.
-o  Show only records from the specified event source (e.g. "-o cdrom").
-l eventlogfile  Dump the contents of the specified saved event log file.
eventlog  By default PsLogList shows the contents of the System Event Log. Specify a different Event Log by typing in the first few letters of the log name: application, system, or security. If the -l switch is present, then the event log name specifies how to interpret the event log file.
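
As an added example (not part of the original PsLogList documentation), the PowerShell script below combines the -s, -t, -d and -i options described above to pull recent Security log records from several computers into per-host files and then search them as text. The host names, output directory, parameter names and search pattern are assumptions made for illustration; psloglist is assumed to be on the path, and the account running the script is assumed to have rights to read the remote logs.

```powershell
# Added example, not part of the PsLogList documentation.
# Host names, paths and parameter names are placeholders chosen for illustration.
param(
    [string[]]$Computers = @('HOST-A', 'HOST-B'),  # constructed host names
    [int]$Days = 7,                                # passed to -d
    [string]$EventId = '',                         # optional, passed to -i
    [string]$Pattern = 'administrator',            # constructed search text
    [string]$OutDir = '.\eventlog-dumps'
)

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

foreach ($computer in $Computers) {
    # Argument order follows the usage line: -s -t, \\computer, -d, -i, eventlog.
    # '|' replaces the default comma so that commas inside message text
    # cannot be mistaken for field separators.
    $psArgs = @('-s', '-t', '|', "\\$computer", '-d', "$Days")
    if ($EventId) { $psArgs += @('-i', $EventId) }
    $psArgs += 'security'

    # -c is deliberately left out: it clears the log after displaying it.
    # -u/-p are left out too, so no password appears on a command line;
    # per the text above, -u without -p makes PsLogList prompt instead.
    $records = & psloglist @psArgs
    if (-not $records) {
        Write-Warning "No output from psloglist for $computer"
        continue
    }

    $outFile = Join-Path $OutDir "$computer-security.txt"
    $records | Set-Content -Path $outFile
}

# Case-insensitive text search over the delimited dumps, the same idea as
# "psloglist | findstr /i text" in the -s description.
Select-String -Path (Join-Path $OutDir '*-security.txt') -Pattern $Pattern -SimpleMatch |
    ForEach-Object { '{0}: {1}' -f $_.Filename, $_.Line }
```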

How it Works

Like Win NT/2K's built-in Event Viewer and the Resource Kit's elogdump, PsLogList uses the Event Log API, which is documented in the Windows Platform SDK. PsLogList loads message source modules on the system where the event log being viewed resides so that it correctly displays event log messages.

PsTools

PsLogList is part of PsTools, a growing kit of Sysinternals command-line tools that aid in the administration of local and remote Windows NT/2K systems.

Download PsLogList (25KB)

Download PsTools


