Win7:  There are several of these in my "System" event log.

v:\> dumpel -l system -d 2 -c 2>nul | grep "20268"
7/1/2015,12:00:43,4,0,20268,RasMan,N/A,zz,CoID={F34C49ED-DE4F-4B0E-9A3A-CEAE1DF83283}: The connection to LuckyVPN made by user vefatica using device VPN3-1 was disconnected.

I have not been successful getting any output when searching for an EventId with WEVTUTIL.  I've tried these and similar queries with no error messages and no output.

v:\> wevtutil qe system /q:"EventId=20268" /rd:false /f:text

v:\> wevtutil qe system /q:"*[System[EventId=20268]]" /rd:false /f:text

v:\> wevtutil qe system /q:"*[RasMan[EventId=20268]]" /rd:false /f:text

v:\> wevtutil qe system /q:"*[System[RasMan[EventId=20268]]]" /rd:false /f:text

v:\>

I get plenty  results with "Level=N" but none with "EventId=N".

Thanks.

 - Vince

I can get this, along with thousands of others using "Level=4".  I'd like to narrow it down to EventID 20268.

v:\> wevtutil qe system /q:"*[System[Level=4]]" /rd:true /f:text
Event[82]:
  Log Name: System
  Source: RasMan
  Date: 2015-07-01T12:00:43.000
  Event ID: 20268
  Task: N/A
  Level: Information
  Opcode: Info
  Keyword: Classic
  User: N/A
  User Name: N/A
  Computer: zz
  Description:
CoID={F34C49ED-DE4F-4B0E-9A3A-CEAE1DF83283}: The connection to LuckyVPN made by user vefatica using device VPN3-1 was disconnected.

This is a scripting forum and you are asking questions about basic system utilities.  As in the windows forum for you system.

That's funny.  The very first similar query I found was redirected to the scripting forum.

Nope.  It is not a script it is a utility program.