I'm using Logparser, which uses a lite SQL engine and is driven off of SQL syntax. This is what I'd like to do:
I'm trying to parse through my authentication logs to determine if there is IP variation from the same User that has logged in.
For example: JDOE shows as having logged in 10 times on 4/9/2009. 9 of those logins show the same IP and EventID (540 in this example). However, 1 of JDOE's logins shows a completely different IP address as well as a weird type of Event code (example: shows 800).
I'd like the SQL statement to tell me about these variations, but I haven't quite figured out the correct syntax for it.
I convert the log file to a CSV that has the following headers (in order):
DATE, TIME, EVTID, STATUS, DC, DOMAIN, USERNAME, IP, LOGIN-TYPE, AUTH-PROTOCOL
SELECT * FROM \\server\logs\auth.csv WHERE IP (this is where I need to set the IP range at '000.000.000.000,999.999.999.999')
I can't figure the correct syntax out and it's driving me nuts. In fact, I don't know if it's even possible without employing some sort of script (which I'm hoping is not the case, because I'd like to think SQL syntax is advanced enough to handle something like this query). Any help is GREATLY APPRECIATED!!!
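
One way to surface the variation described in the question without an IP range filter, as an added example that is not part of the original post: group the CSV by user, IP and event ID, then report users that have more than one combination. The file names `step1.sql`, `step2.sql` and `combos.csv` are assumptions; the field names and the input path are the ones given in the question.

```sql
-- Added example (not from the original post). Each query is run on its own;
-- save them as step1.sql and step2.sql (assumed names) and run:
--   LogParser -i:CSV -o:CSV file:step1.sql
--   LogParser -i:CSV -o:CSV file:step2.sql

-- step1.sql: one row per (user, IP, event ID) combination with its login count.
-- For the JDOE example this gives one row with Logins = 1 (the odd IP and
-- event 800) and one row with Logins = 9 (the usual IP and event 540).
SELECT USERNAME, IP, EVTID, COUNT(*) AS Logins
INTO combos.csv
FROM \\server\logs\auth.csv
GROUP BY USERNAME, IP, EVTID
ORDER BY USERNAME, Logins

-- step2.sql: users that appear in combos.csv with more than one combination,
-- i.e. users whose IP or event ID varied. RarestLogins is the login count of
-- the least common combination; a low value next to a high TotalLogins is
-- the "9 normal logins, 1 odd one" pattern.
SELECT USERNAME,
       COUNT(*)    AS Combinations,
       MIN(Logins) AS RarestLogins,
       SUM(Logins) AS TotalLogins
FROM combos.csv
GROUP BY USERNAME
HAVING COUNT(*) > 1
ORDER BY RarestLogins
```

The two passes keep each query to a plain `GROUP BY`, so nothing depends on `COUNT(DISTINCT ...)` inside a grouped query. For any user listed by the second query, the matching rows in `combos.csv` show which IP and event ID combinations were seen and how often.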