Solved

wevtutil return specific userdata elements

Posted on 2011-03-09
14
2,730 Views
Last Modified: 2012-05-11
I am trying to query the event log of our dedicated redirect server of our Terminal Server Farm so I can obtain the username and IP address of the client connecting to our system.

So far I have the following syntax to dump the entire contents of the logs to a text file. Unfortunately there is just too much data to work with in the resulting file.

Syntax:
wevtutil qe Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational |findstr EventID^>1149 >Client_IP.txt

The only data I want returned is the following two elements for each line(so I can quickly import into a database):
 <Param1>client-username</Param1> <Param3>client-WAN-IP</Param3>

Prior to today I have never used wevtutil so I find myself at the mercy of the MS documentation which is lacking.

Can someone help me determine the exact syntax to generate a log file with just the two parameters on a single line for each instance of that event ID (1149).

Thank you,
Steve Signorelli
0
Comment
Question by:ssignorelli
  • 5
  • 4
14 Comments
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35178845
I have just had a good look at the sytax selector and there doesn't seem to be any way to specify the fields you want to export, I would suggest this is not possible.
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 35411128
Could you provide us with an example output? wevutil seems not to have the capabilies, but we might get cmd.exe or PowerShell involved here; the latter being a much better means to process the eventlog entries.
0
 

Author Comment

by:ssignorelli
ID: 35733793
I ended up importing the output of the wevtutil into filemaker and parsing the data that way. I was hoping to find a way to do it using VBS/batch/powershell but no one ever offered guidance on doing so. just one guy asked for the sample output after I had already gotten it working in filemaker.

I was really hoping for a better response from the community. oh well.
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 69

Expert Comment

by:Qlemo
ID: 35733894
I was really hoping from a response by you. You need to actively work with the experts. I asked you for a sample output, which you never provided. What do you expect then?
0
 

Author Comment

by:ssignorelli
ID: 35734098
I know I need to actively work with the people trying to help, but the fact is it took over a month to get to such a point and I had already found another work around.

Original post: 03/09/11 04:50 PM
Response: 04/17/11 07:18 AM

I do expect someone to try the syntax I provided to obtain the output since I spent the time to include it in the first place for that exact reason.

Ref original post: "Syntax:
wevtutil qe Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational |findstr EventID^>1149 >Client_IP.txt"

Just note that I paid for this service and spent the time to formulate a well thought out question and tried to tag it accordingly so I did not have to baby sit the process. I have more on my plate then you could ever imagine and the last thing I need is another job of babysitting this process.

I appreciate your individual concern but will just chock this one up to a miss.

If you still have an interest in helping I am now including the sample output from the syntax included in the original question:
"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-TerminalServices-RemoteConnectionManager' Guid='{C76BAA63-AE81-421C-B425-340B4B24157F}'/><EventID>1149</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x1000000000000000</Keywords><TimeCreated SystemTime='2011-03-09T05:13:59.143749600Z'/><EventRecordID>699426</EventRecordID><Correlation/><Execution ProcessID='1892' ThreadID='5624'/><Channel>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</Channel><Computer>SERVER.MYDOMAIN.com</Computer><Security UserID='S-1-5-20'/></System><UserData><EventXML xmlns:auto-ns2='http://schemas.microsoft.com/win/2004/08/events' xmlns='Event_NS'><Param1>ssignorelli</Param1><Param2>INTERNET</Param2><Param3>77.185.103.189</Param3></EventXML></UserData></Event>"
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 35736028
The reason it took me one month to answer is that I came across this question by doing cleanup. And thought though demazter is correct, there might be workarounds.
As a side note, the typical action as Cleanup Volunteer would have been to accept demazter's answer.
0
 
LVL 69

Accepted Solution

by:
Qlemo earned 500 total points
ID: 35740873
I guess this PowerShell script could give you a good starting point:
$evt = (wevtutil qe Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational | select-string "EventID>1149")
write-host ($evt -split "<param1>" -split "</param1>")[1] ($evt -split "<param3>" -split "</param3>")[1]

Open in new window

It will just output the two fields you want to see, without HTML/XML tags:
ssignorelli 77.185.103.189

Open in new window

0
 

Author Comment

by:ssignorelli
ID: 35747991
This is EXACTLY what I was looking for. Please remove the auto-close so I may award you the 500 points. Thank you again!
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 35748051
By posting an objection, you are now able to accept answers again.
0
 

Author Closing Comment

by:ssignorelli
ID: 35748554
This is EXACTLY what I was looking for. Thank you!
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Note: This is the second blog post in a series on email clearinghouses (https://www.xmatters.com/alert-management/blog-email-has-failed-us?utm_campaign=70138000000ydLoAAI&utm_source=exex&utm_medium=article&utm_content=blog-post).   Every month t…
Learn how ViaSat reduced average response times for IT incidents from 10 minutes to 30 seconds.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question