Solved

Log Parser and finding Specific Event IDs

Posted on 2010-09-01
11
3,745 Views
Last Modified: 2013-12-04
I recently started playing around with Log Parser in an attempt to export specific login / logoff events to a txt file, which I will then use for data reporting later.

However, I am not finding the correct syntax, or am placing the incorrect syntax to find what I would like to see for results.

I would like to see the username that logs in, time / date they logged in, and the same for logging off.

Here is the syntax I have tried to use:

logparser "select timegenerated, sourcename, eventcategoryname into report.txt from security where eventid = 4624" -resolvesids:on

The .txt file results are this:

TimeGenerated       SourceName                          EventCategoryName
------------------- ----------------------------------- -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
2010-08-27 16:47:24 Microsoft-Windows-Security-Auditing The name for category 12544 in Source "Microsoft-Windows-Security-Auditing" cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer

for every event it creates.

What is the query syntax I need to get the data I am looking for? I am running Server 2008 R2.
Question by:dzirkelb
11 Comments
 
LVL 22

Expert Comment

by:Paka
ID: 33619496
It's likely that logparser is actually finding the right events, but there's a problem with the registry entries for the 4624 event.  

Try:
logparser "select  eventid, timegenerated, sourcename, eventcategoryname into report.txt from security where eventid = 4624" -resolvesids:on

If it returns 4624 events as shown from the first column, our next step will be to figure out why the events aren't logging correctly.
0
 

Author Comment

by:dzirkelb
ID: 33619587
EventID TimeGenerated       SourceName                          EventCategoryName
------- ------------------- ----------------------------------- -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
4624    2010-09-02 21:13:10 Microsoft-Windows-Security-Auditing The name for category 12544 in Source "Microsoft-Windows-Security-Auditing" cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer

That is the results from your suggestion.
0
 
LVL 22

Expert Comment

by:Paka
ID: 33620065
It looks like logparser is pulling data from the security log correctly.  Usually the generic event message means that either the application that is writing the 4624 events is poorly written and won't log the information or the registry is corrupt.  Do you know what application is writing these events?

What data are you trying to get from the security logs?
0

 

Author Comment

by:dzirkelb
ID: 33620093
I am running the log parser on a 2008 r2 primary domain controller.  The application that is logging this information would be the default for domain controllers and active directory.

I am trying to create logs of when users logged in and out of their computer to use for reporting.
0
 
LVL 22

Accepted Solution

by:
Paka earned 500 total points
ID: 33620376
Try using wevtutil instead of logparser for W2008:
http://blogs.msdn.com/ericfitz/archive/2008/07/16/wevtutil-scripting.aspx 
0
 

Author Comment

by:dzirkelb
ID: 33621345
I tried the following per the article and it outputs an XML file with no data; do I have the task, event ID, or logon type wrong? This is all in a .bat file:

@echo off

REM (C) 2008 Microsoft Corporation
REM All Rights Reserved

set outputfile=%temp%\interactive-logon-events.xml
if "%1" NEQ "" set outputfile=%1

REM The next command is all one line and has no carriage returns
REM The only spaces in the XPath are around the AND keywords
wevtutil qe Security /q:"*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and Task=12544 and (EventID=4624)] and EventData[Data[@Name='LogonType']='2']]" /e:Events > %outputfile%

start %outputfile%

set outputfile=
0
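As an added example (not code from the thread or from Microsoft's script), here is a Python parser for the XML that the wevtutil command above writes with /e:Events. It pulls TargetUserName, TargetDomainName, LogonType and TimeCreated from 4624 (logon) and 4634 (logoff) events, which are the fields the question asks for, and returns an empty report rather than failing when the query matched nothing. The sample XML and its values are constructed.

```python
# Added example: parse the XML that "wevtutil qe Security ... /e:Events" writes.
# Not the thread's own code; SAMPLE_XML below is constructed for the demo.
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
EVENT_NAMES = {"4624": "logon", "4634": "logoff"}   # the two IDs the report needs
LOGON_TYPES = {"2": "Interactive", "3": "Network", "10": "RemoteInteractive"}

def parse_events(xml_text, wanted=("4624", "4634")):
    """Return one dict per matching event: event, user, domain, logon_type, time.
    An empty <Events/> (a query that matched nothing) yields an empty list."""
    root = ET.fromstring(xml_text)
    rows = []
    for ev in root.findall("e:Event", NS):           # each <Event> carries the xmlns
        system = ev.find("e:System", NS)
        event_id = system.findtext("e:EventID", default="", namespaces=NS)
        if event_id not in wanted:
            continue
        # EventData holds the named insertion strings, e.g. <Data Name='TargetUserName'>
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        lt = data.get("LogonType", "")
        rows.append({
            "event": EVENT_NAMES.get(event_id, event_id),
            "user": data.get("TargetUserName", ""),
            "domain": data.get("TargetDomainName", ""),
            "logon_type": LOGON_TYPES.get(lt, lt),
            "time": system.find("e:TimeCreated", NS).get("SystemTime", ""),
        })
    return rows

def report_lines(rows):
    """Tab-separated lines suitable for the .txt report the question asks for."""
    return ["%s\t%s\\%s\t%s\t%s" % (r["time"], r["domain"], r["user"], r["event"], r["logon_type"])
            for r in rows]

SAMPLE_XML = """<Events>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>
<Provider Name='Microsoft-Windows-Security-Auditing'/><EventID>4624</EventID><Task>12544</Task>
<TimeCreated SystemTime='2010-09-02T21:13:10.000Z'/></System><EventData>
<Data Name='SubjectUserName'>DC01$</Data><Data Name='TargetUserName'>jdoe</Data>
<Data Name='TargetDomainName'>CORP</Data><Data Name='LogonType'>3</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>
<Provider Name='Microsoft-Windows-Security-Auditing'/><EventID>4672</EventID><Task>12548</Task>
<TimeCreated SystemTime='2010-09-02T21:13:10.000Z'/></System><EventData>
<Data Name='SubjectUserName'>jdoe</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>
<Provider Name='Microsoft-Windows-Security-Auditing'/><EventID>4634</EventID><Task>12545</Task>
<TimeCreated SystemTime='2010-09-02T21:20:05.000Z'/></System><EventData>
<Data Name='TargetUserName'>jdoe</Data><Data Name='TargetDomainName'>CORP</Data>
<Data Name='LogonType'>3</Data></EventData></Event>
</Events>"""

if __name__ == "__main__":
    for line in report_lines(parse_events(SAMPLE_XML)):
        print(line)
```

Feed it the file the batch script writes instead of SAMPLE_XML; the 4672 (special privileges) event in the sample is there only to show that unrelated IDs are skipped.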
 

Expert Comment

by:Skibo187
ID: 36331515
"C:\Program Files\Log Parser 2.2\LogParser.exe" -i:EVT "SELECT * FROM \\SystemName\Security,\\SystemName2\Security WHERE EventID IN (529;534)" -resolveSIDs:ON -o:CSV >> Nameyourfile.csv


Save that in a batch file and run it.
FYI, you can change the CSV at the end to TXT, but I think it will be more useful in CSV format. Also, the * pulls everything; you can change that to a specific tag you want.

Hope this is helpful. I know it's late, but better late than never...

skibo
0
