dzirkelb
asked on
Log Parser and finding Specifc Event ID's
I recently started playing around with Log Parser in an attempt to export specific login / logoff events to a txt file, which I will then use for data reporting later.
However, I am not finding the correct syntax, or am placing the incorrect syntax to find what I would like to see for results.
I would like to see the username that logs in, time / date they logged in, and the same for logging off.
Here is the syntax I have tried to use:
logparser "select timegenerated, sourcename, eventcategoryname into report.txt from security where eventid = 4624" -resolvesids:on
The .txt file results are this:
TimeGenerated       SourceName                          EventCategoryName
------------------- ----------------------------------- -----------------
2010-08-27 16:47:24 Microsoft-Windows-Security-Auditing The name for category 12544 in Source "Microsoft-Windows-Security-Auditing" cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer
for every event it creates.
What is the query syntax I need to get the data I am looking for? I am running Server 2008 R2.
ASKER
EventID TimeGenerated       SourceName                          EventCategoryName
------- ------------------- ----------------------------------- -----------------
4624    2010-09-02 21:13:10 Microsoft-Windows-Security-Auditing The name for category 12544 in Source "Microsoft-Windows-Security-Auditing" cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer
Those are the results from your suggestion.
It looks like logparser is pulling data from the security log correctly. Usually the generic event message means that either the application that is writing the 4624 events is poorly written and won't log the information or the registry is corrupt. Do you know what application is writing these events?
What data are you trying to get from the security logs?
ASKER
I am running the log parser on a 2008 R2 primary domain controller. The application that is logging this information would be the default for domain controllers and Active Directory.
I am trying to create logs of when users logged in and out of their computer to use for reporting.
ASKER CERTIFIED SOLUTION
ASKER
I tried the following per the article and it outputs an xml file with no data, do I have the task or event id or logontype wrong? This is all in a .bat file:
@echo off
REM (C) 2008 Microsoft Corporation
REM All Rights Reserved
set outputfile=%temp%\interactive-logon-events.xml
if "%1" NEQ "" set outputfile=%1
REM The next command is all one line and has no carriage returns
REM The only spaces in the XPath are around the AND keywords
REM Task 12544 is the Logon task category; LogonType 2 selects interactive (console) logons only
wevtutil qe Security /q:"*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and Task=12544 and (EventID=4624)] and EventData[Data[@Name='LogonType']='2']]" /e:Events > %outputfile%
start %outputfile%
set outputfile=
"C:\Program Files\Log Parser 2.2\LogParser.exe" -i:EVT "SELECT * FROM \\SystemName\Security,\\SystemName2\Security WHERE EventID In (529;534;529)" -resolveSIDs:ON -o:CSV >> Nameyourfile.csv
save that in a batch file and run it.
FYI, you can change the CSV at the end to TXT, but I think it will be more useful in CSV format. Also, the * pulls everything; you can change that to a specific tag you want.
Hope this is helpful. I know it's late, but better late than never...
skibo
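Neither query in the thread shows which Log Parser field carries the account name, and the three-digit IDs in skibo's query are the Windows 2003 numbering; on Server 2008 R2 a successful logon is 4624 and a logoff is 4634 (session ended) or 4647 (user-initiated). The batch file below is an added example, not code from this thread, from Microsoft or from the Log Parser documentation. It assumes LogParser.exe is on the PATH (the default install is "C:\Program Files\Log Parser 2.2") and that it runs from an elevated prompt on the domain controller; the output file names are arbitrary. With the EVT input format the EventData values of each event arrive in the Strings field as one pipe-separated token per value, in the order shown by Event Viewer, so EXTRACT_TOKEN pulls out the user, domain, logon type and workstation. The wevtutil call at the top dumps one event as text so the token order can be confirmed on the box before the report is trusted.

```bat
@echo off
REM Added example (not from the thread): logon/logoff report for Server 2008 R2.
REM Assumptions: LogParser.exe on PATH, run elevated on the DC, output to the
REM current folder. Token positions below are for 4624/4634/4647 on 2008 R2.
setlocal

REM 1. Check: show the newest 4624 as text. The EventData values print in the
REM    same order that Log Parser exposes them in Strings (separated by "|").
wevtutil qe Security /c:1 /rd:true /f:text /q:"*[System[EventID=4624]]"

REM 2. Logons. Strings tokens for 4624: 5 = TargetUserName, 6 = TargetDomainName,
REM    7 = TargetLogonId, 8 = LogonType, 11 = WorkstationName, 17 = IpAddress.
REM    LogonType 2 = interactive (console), 10 = RemoteInteractive (RDP).
REM    Type 3 (network) is most of what a DC records and is not a desktop logon,
REM    so it is filtered out; names ending in $ are computer accounts and are dropped.
REM    Single % is written %% so cmd passes it through to the LIKE pattern.
logparser -i:EVT -o:CSV "SELECT TimeGenerated, EventID, EXTRACT_TOKEN(Strings,6,'|') AS Domain, EXTRACT_TOKEN(Strings,5,'|') AS User, EXTRACT_TOKEN(Strings,7,'|') AS LogonId, EXTRACT_TOKEN(Strings,8,'|') AS LogonType, EXTRACT_TOKEN(Strings,11,'|') AS Workstation, EXTRACT_TOKEN(Strings,17,'|') AS SourceIP INTO logons.csv FROM Security WHERE EventID = 4624 AND EXTRACT_TOKEN(Strings,8,'|') IN ('2';'10') AND EXTRACT_TOKEN(Strings,5,'|') NOT LIKE '%%$'"

REM 3. Logoffs. 4634 and 4647 both carry TargetUserName at token 1,
REM    TargetDomainName at 2 and TargetLogonId at 3. LogonId is the key that
REM    ties a logoff back to the 4624 that opened the session.
logparser -i:EVT -o:CSV "SELECT TimeGenerated, EventID, EXTRACT_TOKEN(Strings,2,'|') AS Domain, EXTRACT_TOKEN(Strings,1,'|') AS User, EXTRACT_TOKEN(Strings,3,'|') AS LogonId INTO logoffs.csv FROM Security WHERE EventID IN (4634;4647) AND EXTRACT_TOKEN(Strings,1,'|') NOT LIKE '%%$'"

endlocal
```

logons.csv and logoffs.csv share the LogonId column, so a later report can pair each 4624 with its 4634/4647 by LogonId; 4634 is not written for every session, so expect some logons without a matching logoff. One caveat that matters for what the asker wants: a user's interactive logon to a member workstation is recorded in that workstation's Security log, not on the DC, which only sees the Kerberos ticket events (4768/4769) for it. To get desktop login and logoff times, point the same queries at each workstation, for example FROM \\workstation\Security, or collect the workstation logs centrally first.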
Try:
logparser "select eventid, timegenerated, sourcename, eventcategoryname into report.txt from security where eventid = 4624" -resolvesids:on
If it returns 4624 events as shown from the first column, our next step will be to figure out why the events aren't logging correctly.