Solved

wevtutil return specific userdata elements

Posted on 2011-03-09
14
2,749 Views
Last Modified: 2012-05-11
I am trying to query the event log of our dedicated redirect server of our Terminal Server Farm so I can obtain the username and IP address of the client connecting to our system.

So far I have the following syntax to dump the entire contents of the logs to a text file. Unfortunately there is just too much data to work with in the resulting file.

Syntax:
wevtutil qe Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational |findstr EventID^>1149 >Client_IP.txt

The only data I want returned is the following two elements for each line(so I can quickly import into a database):
 <Param1>client-username</Param1> <Param3>client-WAN-IP</Param3>

Prior to today I have never used wevtutil so I find myself at the mercy of the MS documentation which is lacking.

Can someone help me determine the exact syntax to generate a log file with just the two parameters on a single line for each instance of that event ID (1149).

Thank you,
Steve Signorelli
0
Comment
Question by:ssignorelli
  • 5
  • 4
14 Comments
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35178845
I have just had a good look at the sytax selector and there doesn't seem to be any way to specify the fields you want to export, I would suggest this is not possible.
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 35411128
Could you provide us with an example output? wevutil seems not to have the capabilies, but we might get cmd.exe or PowerShell involved here; the latter being a much better means to process the eventlog entries.
0
 

Author Comment

by:ssignorelli
ID: 35733793
I ended up importing the output of the wevtutil into filemaker and parsing the data that way. I was hoping to find a way to do it using VBS/batch/powershell but no one ever offered guidance on doing so. just one guy asked for the sample output after I had already gotten it working in filemaker.

I was really hoping for a better response from the community. oh well.
0
Manage your data center from practically anywhere

The KN8164V features HD resolution of 1920 x 1200, FIPS 140-2 with level 1 security standards and virtual media transmissions at twice the speed. Built for reliability, the KN series provides local console and remote over IP access, ensuring 24/7 availability to all servers.

 
LVL 69

Expert Comment

by:Qlemo
ID: 35733894
I was really hoping from a response by you. You need to actively work with the experts. I asked you for a sample output, which you never provided. What do you expect then?
0
 

Author Comment

by:ssignorelli
ID: 35734098
I know I need to actively work with the people trying to help, but the fact is it took over a month to get to such a point and I had already found another work around.

Original post: 03/09/11 04:50 PM
Response: 04/17/11 07:18 AM

I do expect someone to try the syntax I provided to obtain the output since I spent the time to include it in the first place for that exact reason.

Ref original post: "Syntax:
wevtutil qe Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational |findstr EventID^>1149 >Client_IP.txt"

Just note that I paid for this service and spent the time to formulate a well thought out question and tried to tag it accordingly so I did not have to baby sit the process. I have more on my plate then you could ever imagine and the last thing I need is another job of babysitting this process.

I appreciate your individual concern but will just chock this one up to a miss.

If you still have an interest in helping I am now including the sample output from the syntax included in the original question:
"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-TerminalServices-RemoteConnectionManager' Guid='{C76BAA63-AE81-421C-B425-340B4B24157F}'/><EventID>1149</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x1000000000000000</Keywords><TimeCreated SystemTime='2011-03-09T05:13:59.143749600Z'/><EventRecordID>699426</EventRecordID><Correlation/><Execution ProcessID='1892' ThreadID='5624'/><Channel>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</Channel><Computer>SERVER.MYDOMAIN.com</Computer><Security UserID='S-1-5-20'/></System><UserData><EventXML xmlns:auto-ns2='http://schemas.microsoft.com/win/2004/08/events' xmlns='Event_NS'><Param1>ssignorelli</Param1><Param2>INTERNET</Param2><Param3>77.185.103.189</Param3></EventXML></UserData></Event>"
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 35736028
The reason it took me one month to answer is that I came across this question by doing cleanup. And thought though demazter is correct, there might be workarounds.
As a side note, the typical action as Cleanup Volunteer would have been to accept demazter's answer.
0
 
LVL 69

Accepted Solution

by:
Qlemo earned 500 total points
ID: 35740873
I guess this PowerShell script could give you a good starting point:
$evt = (wevtutil qe Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational | select-string "EventID>1149")
write-host ($evt -split "<param1>" -split "</param1>")[1] ($evt -split "<param3>" -split "</param3>")[1]

Open in new window

It will just output the two fields you want to see, without HTML/XML tags:
ssignorelli 77.185.103.189

Open in new window

0
 

Author Comment

by:ssignorelli
ID: 35747991
This is EXACTLY what I was looking for. Please remove the auto-close so I may award you the 500 points. Thank you again!
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 35748051
By posting an objection, you are now able to accept answers again.
0
 

Author Closing Comment

by:ssignorelli
ID: 35748554
This is EXACTLY what I was looking for. Thank you!
0

Featured Post

NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains how to install and use the NTBackup utility that comes with Windows Server.
A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question