wevtutil return specific userdata elements

Posted on 2011-03-09
Last Modified: 2012-05-11
I am trying to query the event log of our dedicated redirect server of our Terminal Server Farm so I can obtain the username and IP address of the client connecting to our system.

So far I have the following syntax to dump the entire contents of the logs to a text file. Unfortunately there is just too much data to work with in the resulting file.

wevtutil qe Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational |findstr EventID^>1149 >Client_IP.txt

The only data I want returned is the following two elements for each line(so I can quickly import into a database):
 <Param1>client-username</Param1> <Param3>client-WAN-IP</Param3>

Prior to today I have never used wevtutil so I find myself at the mercy of the MS documentation which is lacking.

Can someone help me determine the exact syntax to generate a log file with just the two parameters on a single line for each instance of that event ID (1149).

Thank you,
Steve Signorelli
Question by:ssignorelli
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
LVL 74

Expert Comment

by:Glen Knight
ID: 35178845
I have just had a good look at the sytax selector and there doesn't seem to be any way to specify the fields you want to export, I would suggest this is not possible.
LVL 70

Expert Comment

ID: 35411128
Could you provide us with an example output? wevutil seems not to have the capabilies, but we might get cmd.exe or PowerShell involved here; the latter being a much better means to process the eventlog entries.

Author Comment

ID: 35733793
I ended up importing the output of the wevtutil into filemaker and parsing the data that way. I was hoping to find a way to do it using VBS/batch/powershell but no one ever offered guidance on doing so. just one guy asked for the sample output after I had already gotten it working in filemaker.

I was really hoping for a better response from the community. oh well.
Edgartown IT Case Study

Learn about Edgartown's quest to ensure the safety and security of the entire town's employee and citizen data. Read the case study!

LVL 70

Expert Comment

ID: 35733894
I was really hoping from a response by you. You need to actively work with the experts. I asked you for a sample output, which you never provided. What do you expect then?

Author Comment

ID: 35734098
I know I need to actively work with the people trying to help, but the fact is it took over a month to get to such a point and I had already found another work around.

Original post: 03/09/11 04:50 PM
Response: 04/17/11 07:18 AM

I do expect someone to try the syntax I provided to obtain the output since I spent the time to include it in the first place for that exact reason.

Ref original post: "Syntax:
wevtutil qe Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational |findstr EventID^>1149 >Client_IP.txt"

Just note that I paid for this service and spent the time to formulate a well thought out question and tried to tag it accordingly so I did not have to baby sit the process. I have more on my plate then you could ever imagine and the last thing I need is another job of babysitting this process.

I appreciate your individual concern but will just chock this one up to a miss.

If you still have an interest in helping I am now including the sample output from the syntax included in the original question:
"<Event xmlns=''><System><Provider Name='Microsoft-Windows-TerminalServices-RemoteConnectionManager' Guid='{C76BAA63-AE81-421C-B425-340B4B24157F}'/><EventID>1149</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x1000000000000000</Keywords><TimeCreated SystemTime='2011-03-09T05:13:59.143749600Z'/><EventRecordID>699426</EventRecordID><Correlation/><Execution ProcessID='1892' ThreadID='5624'/><Channel>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</Channel><Computer></Computer><Security UserID='S-1-5-20'/></System><UserData><EventXML xmlns:auto-ns2='' xmlns='Event_NS'><Param1>ssignorelli</Param1><Param2>INTERNET</Param2><Param3></Param3></EventXML></UserData></Event>"
LVL 70

Expert Comment

ID: 35736028
The reason it took me one month to answer is that I came across this question by doing cleanup. And thought though demazter is correct, there might be workarounds.
As a side note, the typical action as Cleanup Volunteer would have been to accept demazter's answer.
LVL 70

Accepted Solution

Qlemo earned 500 total points
ID: 35740873
I guess this PowerShell script could give you a good starting point:
$evt = (wevtutil qe Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational | select-string "EventID>1149")
write-host ($evt -split "<param1>" -split "</param1>")[1] ($evt -split "<param3>" -split "</param3>")[1]

Open in new window

It will just output the two fields you want to see, without HTML/XML tags:

Open in new window


Author Comment

ID: 35747991
This is EXACTLY what I was looking for. Please remove the auto-close so I may award you the 500 points. Thank you again!
LVL 70

Expert Comment

ID: 35748051
By posting an objection, you are now able to accept answers again.

Author Closing Comment

ID: 35748554
This is EXACTLY what I was looking for. Thank you!

Featured Post

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question