Solved

Pull warnings/errors from event viewer via script

Posted on 2010-09-06
11
650 Views
Last Modified: 2012-05-10
Hi Experts.  Much like another question I just asked, I was curious how I could go about using a script or batch file to look through a computers event viewer and export/dump the errors and warnings for a particular time period (last 2 months/1 month/1week, etc).

This would be for Windows based OS's.  Since I am not a programmer/scripter, I appreciate your help and patience with this!
0
Comment
Question by:samiam41
  • 7
  • 3
11 Comments
 
LVL 4

Expert Comment

by:erik_nodland
ID: 33612290
Hi

The easiest way is to use something like log parser. You can download it from here
http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en

You can use this to get all sorts of information. To query your application event log for the last 2 months just do
logparser -i:evt -o:csv "SELECT EventLog, RecordNumber,
TimeGenerated, EventID,
EventType, EventTypeName, EventCategory, SourceName,
ComputerName, Message
FROM Application
where TimeGenerated > '2010-07-06 00:00:00' into test.csv"

This should export it out to a CSV file called test.csv

HTH

Erik
0
 
LVL 9

Author Comment

by:samiam41
ID: 33612380
Thanks erik_nodland.  So I install this on the pc and then run the command you wrote?
0
 
LVL 4

Expert Comment

by:erik_nodland
ID: 33612454
Yep. Just install it and then run the command from the directory where it was installed.

cheers

Erik
0
 
LVL 9

Author Comment

by:samiam41
ID: 33612503
I was able to create a quick batch file which launches the parcer app and gets the command switches to run except I am getting this error message:

Error: Syntax Error: extra token(s) after query: 'into'

Thoughts?
0
 
LVL 9

Author Comment

by:samiam41
ID: 33612514
Quick snapshot of the script
cd\

cd "c:\program files\log parser 2.2"

logparser -i:evt -o:csv "SELECT EventLog, RecordNumber, TimeGenerated, EventID,EventType, EventTypeName, EventCategory, SourceName,ComputerName, Message FROM Application where TimeGenerated > '2010-07-06 00:00:00' into test.csv"  

pause

Open in new window

0
Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

 
LVL 9

Author Comment

by:samiam41
ID: 33612546
Got it!

Made a quick change to your command (see below):
logparser -i:evt -o:csv "SELECT EventLog, RecordNumber,
TimeGenerated, EventID,
EventType, EventTypeName, EventCategory, SourceName,
ComputerName, Message into test.csv FROM Application where TimeGenerated > '2010-07-06 00:00:00'"

cd\

cd "c:\program files\log parser 2.2"

logparser -i:evt -o:csv "SELECT EventLog, RecordNumber, TimeGenerated, EventID,EventType, EventTypeName, EventCategory, SourceName, ComputerName, Message INTO test.csv FROM Application where TimeGenerated > '2010-07-06 00:00:00'"  

Open in new window

0
 
LVL 9

Author Comment

by:samiam41
ID: 33612552
my ref:  http://technet.microsoft.com/en-us/library/ee692659.aspx

C:\>LogParser "SELECT TimeGenerated, SourceName,
EventCategoryName, Message INTO report.txt FROM Security WHERE
EventID = 528 AND SID LIKE '%TESTUSER%'" -resolveSIDs:ON

Thanks for your help!!
0
 
LVL 9

Author Comment

by:samiam41
ID: 33612596
@erik, if you copy/paste what I put in 33612546 into a new comment, I can accept your answer and award points.
0
 
LVL 4

Accepted Solution

by:
erik_nodland earned 500 total points
ID: 33612756
Ahh yes sorry. I should have tested it out first. Glad you got it all going.

Made a quick change to your command (see below):

logparser -i:evt -o:csv "SELECT EventLog, RecordNumber,
TimeGenerated, EventID,
EventType, EventTypeName, EventCategory, SourceName,
ComputerName, Message into test.csv FROM Application where TimeGenerated > '2010-07-06 00:00:00'"

Cheers

Erik
0
 
LVL 9

Author Closing Comment

by:samiam41
ID: 33612769
Thanks for the help!!  Hope to work with you again!

-Aaron
0
 
LVL 51

Expert Comment

by:Bill Prew
ID: 33612860
Another tool you could look at for this job:

http://technet.microsoft.com/en-us/sysinternals/bb897544.aspx

~bp
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

One of the features I've come to appreciate about Windows 7 and Windows Server 2008 R2 is the ability to pin applications to the task bar. As useful a feature as I've found this, it does have some quirks.  For example, have you ever tried pinning an…
New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
The viewer will learn how to successfully download and install the SARDU utility on Windows 7, without downloading adware.

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now