I am trying to research a problem and would like to use Logparser to remotely query one of the newer 2008 log types against many remote servers. I want to query the Setup log, not Application, System or Security. Logparser seems ignorant of these new log types, and I have been unable to find a way to do this without certain hacks.
I've seen some posts about other hacks to make this possible. Because I need to query around 100 servers, the hacks I've found are less than ideal. Using wevtutil to convert the whole file before querying is inefficient and not practical to do remotely against many machines. Adding registry keys under HKLM\SYSTEM\CurrentControlSet\services\eventlog is tedious because each time you want to query a different one of these new log types, you need to add a new key.
Using the full path to the EVTX file treats it as text and doesn't produce useful output. Specifying the input as EVT gives a file-in-use error. The query is being made from a 2008 R2 machine, where another post said Logparser would support EVTX files. Is it possible to use Logparser remotely against these newer logs without these hacks?
PS C:\> .\LogParser.exe "SELECT * FROM \\NOBODY\admin$\System32\winevt\Logs\setup.evtx"
WARNING: Input format not specified - using TEXTLINE input format.
LogFilename Index Text
-------------------------------------------------- ----- -------
\\NOBODY\admin$\System32\winevt\Logs\Setup.evtx 1 ElfFile
\\NOBODY\admin$\System32\winevt\Logs\Setup.evtx 2 ♦A à
\\NOBODY\admin$\System32\winevt\Logs\Setup.evtx 3 ╫
Press a key...
Task aborted by user.

PS F:\apps\Logparser> .\LogParser.exe /i:evt "SELECT * FROM \\NOBODY\admin$\System32\winevt\Logs\setup.evtx"
Task aborted.
Cannot open <from-entity>: Error opening event log "\\?\UNC\SDCBOOP22\admin$\System32\winevt\Logs\Setup.evtx": The process cannot access the file because it is being used by another process.

PS C:\> .\LogParser.exe /i:evt "SELECT * FROM \\NOBODY\Setup"
Error: Error retrieving files: Error searching for files in folder \\NOBODY\Setup: The network name cannot be found.

PS C:\> .\LogParser.exe "SELECT * FROM \\NOBODY\Setup"
WARNING: Input format not specified - using TEXTLINE input format.
Task aborted.
Cannot open <from-entity>: Error opening files: Error searching for files in folder \\NOBODY\Setup: The network name cannot be found.
You are on the right track using the /i:EVT option with LogParser, but you apparently are not reading the output - it clearly says
The process cannot access the file because it is being used by another process.
You cannot access the log files of a running machine - these are locked by the eventlog service. If you need to query events from live machines, consider either accessing a VSS snapshot where locking would not be an issue or using WQL queries against the eventlog instead. Since you are using PowerShell anyway, using the System.Diagnostics.Eventlog class should get you there as well.
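As an added example (not from the question or the answer above), here is one way to do what the question asks for from PowerShell without touching Setup.evtx at all: ask the Event Log service on each remote host to run the query through the Event Log remoting API, which is what Get-WinEvent -ComputerName does. Because the service, not the caller, opens the file, the sharing violation shown above never arises, and the Setup log is addressed by its log name like any other EVTX-based log. One caveat a practitioner should know: the classic System.Diagnostics.EventLog class and the Win32_NTLogEvent WMI class only see the classic logs (Application, System, Security and the like), so for Setup the newer API is the one to use. The server list, the seven-day window and the CSV output path are constructed for the example; the account running it is assumed to have read access to the Setup log on each host, and the "Remote Event Log Management" firewall rule (RPC) is assumed to be open.

```powershell
# Added example, not code from the original post: query the Setup log on many remote
# servers via the Event Log remoting API (Get-WinEvent -ComputerName), not via the .evtx file.
# Assumptions (not from the page): $Servers is a constructed sample list; the caller can
# read the Setup log on each host; RPC / "Remote Event Log Management" is allowed through
# the firewall; Get-WinEvent exists (PowerShell 2.0 and later, i.e. 2008 R2 onward).

$Servers = @('SERVER01', 'SERVER02', 'SERVER03')   # constructed sample list, replace with your 100 hosts

# Server-side filter: Setup log, last 7 days, Error (2) and Warning (3) entries only.
# Filtering in the hashtable is evaluated by the remote Event Log service, so only the
# matching records cross the wire; a Where-Object after the fact would pull the whole log.
$Filter = @{
    LogName   = 'Setup'
    StartTime = (Get-Date).AddDays(-7)
    Level     = 2, 3
}

$Results = foreach ($Server in $Servers) {
    try {
        Get-WinEvent -ComputerName $Server -FilterHashtable $Filter -ErrorAction Stop |
            Select-Object @{ n = 'Server'; e = { $Server } },
                          TimeCreated, Id, LevelDisplayName, ProviderName, Message
    }
    catch {
        # Get-WinEvent reports an empty result as an error; treat that as "nothing to see".
        if ($_.Exception.Message -like 'No events were found*') { continue }
        # Anything else (RPC unavailable, access denied, host down) is worth keeping in the run log.
        Write-Warning ('{0}: {1}' -f $Server, $_.Exception.Message)
    }
}

# Per-server summary on the console, full detail to CSV for the actual research.
$Results | Group-Object Server | Select-Object Name, Count
$Results | Sort-Object Server, TimeCreated |
    Export-Csv -Path .\Setup-log-errors.csv -NoTypeInformation
```

For a hundred hosts the loop is serial and will stall on any host whose RPC endpoint is unreachable, so in practice you would wrap the per-server call in Start-Job, or run it inside Invoke-Command over WinRM so that each host queries its own log locally and returns only the selected rows. If you need a richer filter than the hashtable allows (for example a specific EventData field), replace -FilterHashtable with -FilterXPath and write the same condition as an XPath expression; the query is still executed by the remote Event Log service.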