Exporting info from saved application logs

Posted on 2004-09-21
Last Modified: 2012-08-13
I am using logon/logoff scripts to track when users login/logout. I also have the dumpel utility installed and have a VBS script to save this login/logout info to a text file.
When running some updates this morning, I saved and cleared my application log on the server. My VBS script is only pulling what is in the application log, but I want to extract the login/logout info from the saved log to a text. Can this be done & how?
Question by:SureDeposit

Expert Comment

ID: 12112409
Best way I can think of is dumpel -l security > c:\seclog.txt, which should dump the log to a text file.

Expert Comment

ID: 12112590
or dumpel -f c:\log.txt -l security -m %username%

Author Comment

ID: 12112708
That just dumps the security log to a file.
I am looking to create the text file that I get using the VBS script that I run to extract information from a saved event log file.

What I do now:
I have logon and logoff scripts running that save information as this (9/21/2004 7:01:20 AM 8 0 8 WSH N/A PCName User Administrator Logged on to PCName[IP Address] on 9/21/2004 at 7:01:20 AM )

I have dumpel installed and I run this script:
' DumpEventLog.vbs
' Companion script for LogonTrack.vbs.  This script will be scheduled to run regularly; it dumps the event log to a file with the date as the filename.

nDate = Date
nDay = Day(nDate)
nMonth = Month(nDate)
nYear = Year(nDate)

if nDay < 10 Then
      nDay = "0" & nDay
End If

if nMonth < 10 Then
      nMonth = "0" & nMonth
End If

nYear = Right(nYear,2)

filename = nMonth & "-" & nDay & "-" & nYear & ".txt"

path = "path" 'Path where the log files will be kept.

commandline = "path to utility\dumpel -l application -e 8 -m wsh -s \\servername -d 7 -f Log.txt"

Set shell = CreateObject("WScript.Shell")
shell.Run commandline, 0, True   ' run dumpel hidden and wait for it to finish

This creates the log.txt file in the path I have in the vbs script with the information I need.
The thing is, I saved and cleared my application event log this morning, so the only information for event 8 WSH is everything after I did this. If I open the saved event log in the event viewer and re-word the script, it runs, but does not create the file.

I am looking to get the info from the saved event log and not have to go event by event saving the info to clipboard and pasting it in wordpad.

I hope I am explaining this so anyone understands.

Expert Comment

ID: 12118712
How did you save the event logs, and in what format?

The only thing I can think of is if you open the saved logs and save them as TSV or CSV files then you could write a script to process the exported files in Tab or Comma separated format.

Author Comment

ID: 12121754
The logs were saved in an evt format. If you go to event viewer and right click and choose open log then choose the type, I will have Saved Application Log. The problem seems to be that this is only temporary and not really in the event viewer for the script to read. The thing is, it's not the log itself I am trying to get into a txt file, it's the information within the event in the log.

I had gone through the log and extracted what I needed event by event, but I can see myself doing this again in the future since I just started to track employee logon/logoff times.

I clear the event logs once a month or upon a change (An install of a program, updates, hardware, etc.) My habit is already formed to just save and clear the logs. Now I have to reform the habit to run the script to extract the info, then save and clear. Would still like the solution to this question.

Expert Comment

ID: 12122155
It may be a better idea to use DUMPEL to extract what you need each month and get your logs to clear themselves automatically as needed.

If you use DUMPEL you only get the info you want. The output can easily be manipulated with a script. If you know how, you can produce very useful html reports and statistics, even on a per user basis.

Expert Comment

ID: 12148313
You might try saving the evt logs as txt (tab delimited).  Then you can open the logs as text stream objects and parse them line by line (in script) to extract the information you want.  This can be done automatically with a txt file as the output.  Let me know if you would like a coded example.

Author Comment

ID: 12159054
I am not sure how to do that. I can save the logs as tab delimited, but with what you said to do, that's the most I can. An example would be great.

Accepted Solution

skeeveswp earned 500 total points
ID: 12162907
OK, here is a script that you can work with ... it is not rigorous in that I didn't combine date and time to prevent inaccurate results when you span a couple of days.  Still, it may give you what you need to start with.

Please remember to turn off script blocking before you try to run this.  Let me know if you have any difficulties with it.

Option Explicit

dim WSH, FSO

set WSH = createobject("WScript.Shell")
set FSO = createobject("scripting.FileSystemObject")

dim LogFile, OutputFile, OutputFileName
dim LogName, LogLine, LogElements
dim StartDate, StartTime, EndDate, EndTime, DateString, TimeString, i, CompDate, CompTime

dim Mark1, Mark2, Mark3, Mark4, Mark5

'      Set the Log Path to whatever it is on your machine.

CONST Logpath = "c:\temp\LogText\"

'      You can define as many parameters as you like.  This script is set up to
'      Test for Date and Time.  The test is not rigorous, and the script will give
'      incorrect results if you go outside one day.
'      Enter times with seconds (for example 7:01:20 AM); an empty time counts as 0.

LogName = Inputbox("Input the name of the Log File.", "Log File Name", "TestLog.txt")
StartDate = Inputbox("Input the Starting Date for the Output.", "Start Date", cstr(date))
EndDate = Inputbox("Input the End Date for the Output.", "End Date", cstr(date))
StartTime = Inputbox("Input the Starting Time for the Output.", "Start Time")
EndTime = Inputbox("Input the Stop Time for the Output.", "End Time", cstr(time))

'      I use the hour, minute, and second to make the outputfile name unique.

OutputFileName = Inputbox("Input the name of the Output File.", "Output File Name", cstr(hour(time)) _
      & cstr(minute(time)) & cstr(second(time)) & "Out.txt")

StartDate = ConvertDate(StartDate)
EndDate = ConvertDate(EndDate)
StartTime = ConvertTime(StartTime)
EndTime = ConvertTime(EndTime)

'      When you open or create a text file, the FileSystemObject
'      opens them as a text stream object.  Then you can use the
'      properties of a text stream to parse the text in the file.

set LogFile = FSO.OpenTextFile(LogPath & LogName)
set OutputFile = FSO.CreateTextFile(LogPath & OutputFileName)

'      This writes an identifier block into the Output File.

OutputFile.Write "Log output from " & LogPath & LogName & vbcrlf _
      & Date & "   " & time & string(80,"_") & vbcrlf

'      AtEndOfStream just tells you when you are out of text in the log.

do until LogFile.AtEndOfStream
      LogLine = LogFile.ReadLine
'      Using a split command allows you to view each piece of the line separately.
'      Since the file is TAB delimited, split by the TAB character.  Use other
'      parameters in the line to limit your output file to the specific information
'      you need.

      LogElements = split(LogLine,vbTab)
      If ubound(logelements) > 1 then
            If CompareDate(Logelements(0))  Then
                  If CompareTime(LogElements(1)) Then
'      In this instance, I am writing the whole line from the original log into the
'      output file.  You can concatenate the elements of the data that you want to
'      be more specific.  For example:
'            OutputFile.Write LogElements(0) & vbTab & LogElements(1) & ... etc.
'      Don't forget to add vbcrlf at the end of the line to make the output readable.
                        OutputFile.Write LogLine & vbcrlf
                  End If
            End If
      end if
loop

'      Close everything when you are done with it.

LogFile.Close
OutputFile.Close
set logFile = nothing
set OutputFile = nothing

'      Open the OutputFile in Notepad to view the results

WSH.Run "Notepad.exe """ & cstr(LogPath) & cstr(OutputFileName) & """"

set WSH = nothing
set FSO = nothing



Function ConvertTime(TString)

      dim IsAM, IsPM, SpacePos

'      Strip the colons, so "7:01:20 AM" becomes "70120 AM".
      TimeString = ""
      i = 1
      do
            if mid(TString,i,1) <> ":" then
                  TimeString = TimeString & mid(TString,i,1)
            end if
            i = i + 1
      loop until i > len(TString)

      IsAM = (instr(ucase(TimeString), "AM") > 0)
      IsPM = (instr(ucase(TimeString), "PM") > 0)

'      Drop the AM/PM marker, if there is one.
      SpacePos = instr(TimeString, " ")
      if SpacePos > 0 then TimeString = left(TimeString, SpacePos - 1)
      if TimeString = "" then TimeString = "0"

'      On a 12-hour clock, 12:xx AM is hour 0 and 12:xx PM stays hour 12.
      if (IsAM or IsPM) and clng(TimeString) >= 120000 then
            TimeString = cstr(clng(TimeString) - 120000)
      end if
      if IsPM then
            TimeString = cstr(clng(TimeString) + 120000)
      end if
      ConvertTime = TimeString
End Function

Function ConvertDate(DString)

'      Strip the slashes, so "9/21/2004" becomes "9212004".
      i = 1: DateString = ""
      do
            if mid(DString,i,1) <> "/" then
                  DateString = DateString & mid(DString,i,1)
            end if
            i = i + 1
      loop until i > len(DString)
      ConvertDate = DateString

End Function

Function CompareDate(TestDate)

      TestDate = ConvertDate(TestDate)
      If Not IsNumeric(TestDate) Then
'      Header or malformed line: skip it.
            CompareDate = False
      ElseIf clng(TestDate) >= clng(StartDate) AND clng(TestDate) <= clng(EndDate) Then
            CompareDate = True
      Else
            CompareDate = False
      End If
End Function

Function CompareTime(TestTime)

      TestTime = ConvertTime(TestTime)
      If clng(TestTime) >= clng(StartTime) AND clng(TestTime) <= clng(EndTime) Then
            CompareTime = True
      Else
            CompareTime = False
      End If
End Function
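
An added example, not part of the original answer and written in Python rather than VBScript: it parses the same tab-delimited text but combines date and time into one timestamp, so a filter window can span midnight, and it pairs each logon with the following logoff. The column layout follows the logon line quoted in the question; the "Logged off" wording, user names, hosts and addresses are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the tab-delimited layout of the line quoted in the
# question: date, time, type, category, event ID, source, user, computer, text.
SAMPLE = "\n".join([
    "9/20/2004\t11:58:02 PM\t8\t0\t8\tWSH\tN/A\tPC01\tUser alice Logged on to PC01[10.0.0.5] on 9/20/2004 at 11:58:02 PM",
    "9/21/2004\t12:10:45 AM\t8\t0\t8\tWSH\tN/A\tPC01\tUser alice Logged off PC01[10.0.0.5] on 9/21/2004 at 12:10:45 AM",
    "9/21/2004\t7:01:20 AM\t8\t0\t8\tWSH\tN/A\tPC02\tUser bob Logged on to PC02[10.0.0.6] on 9/21/2004 at 7:01:20 AM",
    "9/21/2004\t7:05:00 AM\t4\t0\t1000\tOther\tN/A\tPC02\tunrelated event",
    "Date\tTime\tnot a real record",
])

# "Logged off" wording is an assumption; only the logon text appears on the page.
TEXT_RE = re.compile(r"User (\S+) Logged (on to|off) (\S+?)\[")

def parse_events(text):
    """Yield (timestamp, user, action, host) for event 8 / source WSH rows."""
    for line in text.splitlines():
        f = line.split("\t")
        if len(f) < 9 or f[4] != "8" or f[5].upper() != "WSH":
            continue
        try:
            # Date and time are parsed together, so ranges may span midnight.
            ts = datetime.strptime(f[0] + " " + f[1], "%m/%d/%Y %I:%M:%S %p")
        except ValueError:
            continue  # header or malformed row
        m = TEXT_RE.search(f[8])
        if m:
            action = "logon" if m.group(2) == "on to" else "logoff"
            yield ts, m.group(1), action, m.group(3)

def sessions(text, start, end):
    """Pair each logon with the next logoff for the same user and host."""
    open_logons, out = {}, []
    for ts, user, action, host in sorted(parse_events(text)):
        if not (start <= ts <= end):
            continue
        key = (user, host)
        if action == "logon":
            open_logons[key] = ts
        elif key in open_logons:
            out.append((user, host, open_logons.pop(key), ts))
    # Logons with no logoff inside the window are reported with end=None.
    out += [(u, h, t, None) for (u, h), t in open_logons.items()]
    return out
```
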

Author Comment

ID: 12199668
Just an update for you skeeveswp. I will further mess with the script over the weekend and follow up on Monday, but it seems like it will do what I have asked. I am new to scripting though, so I have to work through the Variable is undefined messages.

So once again I will follow up on Monday.

Expert Comment

ID: 12202596
OK ... let me know if you need any help.

Question has a verified solution.
