WECUTIL - CMD

Overview

WECUTIL, or Windows Event Collector Utility, is a command-line tool used for managing subscriptions to events that are forwarded from remote computers. It is primarily utilized in environments where centralized logging and monitoring are necessary. This tool helps administrators maintain oversight of multiple machines by collecting and organizing event logs efficiently.

Syntax

The basic syntax for WECUTIL is as follows:

wecutil <Command> [Arguments]

Where <Command> can be one of the following:

  • cs (Create Subscription)
  • ds (Delete Subscription)
  • es (Enum Subscriptions)
  • gs (Get Subscription)
  • ss (Set Subscription)
  • qc (Quick Config)

Each command may have additional required or optional arguments depending on its function.

Options/Flags

Commands and Their Options:

  • cs (Create Subscription):
    Creates a new subscription using XML to define the event sources and the destination event log.

  • ds (Delete Subscription):
    Deletes a specified subscription.

  • es (Enum Subscriptions):
    Lists all current subscriptions.

  • gs (Get Subscription):
    Displays detailed information about a specific subscription.

  • ss (Set Subscription):
    Modifies settings of an existing subscription.

  • qc (Quick Config):
    Quickly configures a subscription using default settings.

Each command might require further parameters such as subscription name or configuration XML data.

Examples

Example 1: Listing all subscriptions

wecutil es

Example 2: Creating a subscription

wecutil cs SubscriptionConfig.xml

This command would create a new subscription using the settings specified in SubscriptionConfig.xml.

Example 3: Deleting a subscription

wecutil ds "MySubscription"

This deletes the subscription named “MySubscription”.

Common Issues

  • XML Configuration Errors: Incorrectly formatted XML configuration can cause the subscription to fail. Ensure that your XML file adheres to the correct schema.
  • Permission Issues: WECUTIL requires administrative privileges to create or modify subscriptions. Running it without sufficient permissions will result in errors.

Integration

WECUTIL can be integrated with PowerShell scripts or combined with batch files to automate event log management across multiple systems. An example of a script could be:

@echo off
wecutil es
echo Checking for Subscription existence...
wecutil gs "MySubscription" || wecutil cs SubscriptionConfig.xml

This script checks if “MySubscription” exists and creates it if it does not.

  • Event Viewer (eventvwr.msc): GUI tool for viewing and analyzing event logs.
  • wevtutil: CLI tool for managing event logs and publishers.

For further reading and detailed information, the Microsoft documentation presents comprehensive resources: WECUTIL Documentation.

This manual provides a detailed look at WECUTIL, covering its syntax, options, and integration capabilities in a variety of use cases. Users can expand upon this basic understanding to effectively manage and monitor event logs within a networked environment.