iEntry 10th Anniversary
LinuxHaxor
WindowHaxor
MacHaxorPstool – Psinfo
Pstools Homepage: http://www.microsoft.com/technet/sysinternals/Security/PsTools.mspx
Written by : Mark Russinovich Published: March 5, 2007
Introduction:
The Resource Kit comes with a utility, elogdump, that lets you dump the contents of an Event Log on the local or a remote computer. PsLogList is a clone of elogdump except that PsLogList lets you login to remote systems in situations your current set of security credentials would not permit access to the Event Log, and PsLogList retrieves message strings from the computer on which the event log you view resides.
Usage
The default behavior of PsLogList is to show the contents of the System Event Log on the local computer, with visually-friendly formatting of Event Log records. Command line options let you view logs on different computers, use a different account to view a log, or to have the output formatted in a string-search friendly way.
usage: psloglist [- ] [\\computer[,computer[,...] | @file [-u username [-p password]]] [-s [-t delimiter]] [-m #|-n #|-h #|-d #|-w][-c][-x][-r][-a mm/dd/yy][-b mm/dd/yy][-f filter] [-i ID[,ID[,...] | -e ID[,ID[,...]]] [-o event source[,event source][,..]]] [-q event source[,event source][,..]]] [-l event log file] <eventlog>
@file
Execute the command on each of the computers listed in the file.
-a
Dump records timestamped after specified date.
-b
Dump records timestamped before specified date.
-c
Clear the event log after displaying.
-d
Only display records from previous n days.
-e
Exclude events with the specified ID or IDs (up to 10).
-f
Filter event types with filter string (e.g. “-f w” to filter warnings).
-h
Only display records from previous n hours.
-i
Show only events with the specified ID or IDs (up to 10).
-l
Dump records from the specified event log file.
-m
Only display records from previous n minutes.
-n
Only display the number of most recent entries specified.
-o
Show only records from the specified event source (e.g. \”-o cdrom\”).
-p
Specifies optional password for user name. If you omit this you will be prompted to enter a hidden password.
-q
Omit records from the specified event source or sources (e.g. \”-q cdrom\”).
-r
Dump log from least recent to most recent.
-s
This switch has PsLogList print Event Log records one-per-line, with comma delimited fields. This format is convenient for text searches, e.g. psloglist | findstr /i text, and for importing the output into a spreadsheet.
-t
The default delimeter is a comma, but can be overriden with the specified character.
-u
Specifies optional user name for login to remote computer.
-w
Wait for new events, dumping them as they generate (local system only).
-x
Dump extended data.
eventlog
By default PsLogList shows the contents of the System Event Log. Specify a different event log by typing in the first few letters of the log name, application, system, or security.
How it Works
Like Win NT/2K’s built-in Event Viewer and the Resource Kit’s elogdump, PsLogList uses the Event Log API, which is documented in Windows Platform SDK. PsLogList loads message source modules on the system where the event log being viewed resides so that it correctly displays event log messages.
(Source)
Cheers,
pavs
