Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


wevtutil return specific userdata elements

Posted on 2011-03-09
Medium Priority
Last Modified: 2012-05-11
I am trying to query the event log of our dedicated redirect server of our Terminal Server Farm so I can obtain the username and IP address of the client connecting to our system.

So far I have the following syntax to dump the entire contents of the logs to a text file. Unfortunately there is just too much data to work with in the resulting file.

wevtutil qe Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational |findstr EventID^>1149 >Client_IP.txt

The only data I want returned is the following two elements for each line(so I can quickly import into a database):
 <Param1>client-username</Param1> <Param3>client-WAN-IP</Param3>

Prior to today I have never used wevtutil so I find myself at the mercy of the MS documentation which is lacking.

Can someone help me determine the exact syntax to generate a log file with just the two parameters on a single line for each instance of that event ID (1149).

Thank you,
Steve Signorelli
Question by:ssignorelli
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
LVL 74

Expert Comment

by:Glen Knight
ID: 35178845
I have just had a good look at the sytax selector and there doesn't seem to be any way to specify the fields you want to export, I would suggest this is not possible.
LVL 71

Expert Comment

ID: 35411128
Could you provide us with an example output? wevutil seems not to have the capabilies, but we might get cmd.exe or PowerShell involved here; the latter being a much better means to process the eventlog entries.

Author Comment

ID: 35733793
I ended up importing the output of the wevtutil into filemaker and parsing the data that way. I was hoping to find a way to do it using VBS/batch/powershell but no one ever offered guidance on doing so. just one guy asked for the sample output after I had already gotten it working in filemaker.

I was really hoping for a better response from the community. oh well.
Moving data to the cloud? Find out if you’re ready

Before moving to the cloud, it is important to carefully define your db needs, plan for the migration & understand prod. environment. This wp explains how to define what you need from a cloud provider, plan for the migration & what putting a cloud solution into practice entails.

LVL 71

Expert Comment

ID: 35733894
I was really hoping from a response by you. You need to actively work with the experts. I asked you for a sample output, which you never provided. What do you expect then?

Author Comment

ID: 35734098
I know I need to actively work with the people trying to help, but the fact is it took over a month to get to such a point and I had already found another work around.

Original post: 03/09/11 04:50 PM
Response: 04/17/11 07:18 AM

I do expect someone to try the syntax I provided to obtain the output since I spent the time to include it in the first place for that exact reason.

Ref original post: "Syntax:
wevtutil qe Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational |findstr EventID^>1149 >Client_IP.txt"

Just note that I paid for this service and spent the time to formulate a well thought out question and tried to tag it accordingly so I did not have to baby sit the process. I have more on my plate then you could ever imagine and the last thing I need is another job of babysitting this process.

I appreciate your individual concern but will just chock this one up to a miss.

If you still have an interest in helping I am now including the sample output from the syntax included in the original question:
"<Event xmlns=''><System><Provider Name='Microsoft-Windows-TerminalServices-RemoteConnectionManager' Guid='{C76BAA63-AE81-421C-B425-340B4B24157F}'/><EventID>1149</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x1000000000000000</Keywords><TimeCreated SystemTime='2011-03-09T05:13:59.143749600Z'/><EventRecordID>699426</EventRecordID><Correlation/><Execution ProcessID='1892' ThreadID='5624'/><Channel>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</Channel><Computer></Computer><Security UserID='S-1-5-20'/></System><UserData><EventXML xmlns:auto-ns2='' xmlns='Event_NS'><Param1>ssignorelli</Param1><Param2>INTERNET</Param2><Param3></Param3></EventXML></UserData></Event>"
LVL 71

Expert Comment

ID: 35736028
The reason it took me one month to answer is that I came across this question by doing cleanup. And thought though demazter is correct, there might be workarounds.
As a side note, the typical action as Cleanup Volunteer would have been to accept demazter's answer.
LVL 71

Accepted Solution

Qlemo earned 2000 total points
ID: 35740873
I guess this PowerShell script could give you a good starting point:
$evt = (wevtutil qe Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational | select-string "EventID>1149")
write-host ($evt -split "<param1>" -split "</param1>")[1] ($evt -split "<param3>" -split "</param3>")[1]

Open in new window

It will just output the two fields you want to see, without HTML/XML tags:

Open in new window


Author Comment

ID: 35747991
This is EXACTLY what I was looking for. Please remove the auto-close so I may award you the 500 points. Thank you again!
LVL 71

Expert Comment

ID: 35748051
By posting an objection, you are now able to accept answers again.

Author Closing Comment

ID: 35748554
This is EXACTLY what I was looking for. Thank you!

Featured Post

Turn your laptop into a mobile console!

The CV211 Laptop USB Console Adapter provides a direct Laptop-to-Computer connection for fast and easy remote desktop access with no software to install.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, we’ll look at how to deploy ProxySQL.
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question