Solved

wevtutil return specific userdata elements

Posted on 2011-03-09
14
2,715 Views
Last Modified: 2012-05-11
I am trying to query the event log of our dedicated redirect server of our Terminal Server Farm so I can obtain the username and IP address of the client connecting to our system.

So far I have the following syntax to dump the entire contents of the logs to a text file. Unfortunately there is just too much data to work with in the resulting file.

Syntax:
wevtutil qe Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational |findstr EventID^>1149 >Client_IP.txt

The only data I want returned is the following two elements for each line(so I can quickly import into a database):
 <Param1>client-username</Param1> <Param3>client-WAN-IP</Param3>

Prior to today I have never used wevtutil so I find myself at the mercy of the MS documentation which is lacking.

Can someone help me determine the exact syntax to generate a log file with just the two parameters on a single line for each instance of that event ID (1149).

Thank you,
Steve Signorelli
0
Comment
Question by:ssignorelli
  • 5
  • 4
14 Comments
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35178845
I have just had a good look at the sytax selector and there doesn't seem to be any way to specify the fields you want to export, I would suggest this is not possible.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 35411128
Could you provide us with an example output? wevutil seems not to have the capabilies, but we might get cmd.exe or PowerShell involved here; the latter being a much better means to process the eventlog entries.
0
 

Author Comment

by:ssignorelli
ID: 35733793
I ended up importing the output of the wevtutil into filemaker and parsing the data that way. I was hoping to find a way to do it using VBS/batch/powershell but no one ever offered guidance on doing so. just one guy asked for the sample output after I had already gotten it working in filemaker.

I was really hoping for a better response from the community. oh well.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 35733894
I was really hoping from a response by you. You need to actively work with the experts. I asked you for a sample output, which you never provided. What do you expect then?
0
 

Author Comment

by:ssignorelli
ID: 35734098
I know I need to actively work with the people trying to help, but the fact is it took over a month to get to such a point and I had already found another work around.

Original post: 03/09/11 04:50 PM
Response: 04/17/11 07:18 AM

I do expect someone to try the syntax I provided to obtain the output since I spent the time to include it in the first place for that exact reason.

Ref original post: "Syntax:
wevtutil qe Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational |findstr EventID^>1149 >Client_IP.txt"

Just note that I paid for this service and spent the time to formulate a well thought out question and tried to tag it accordingly so I did not have to baby sit the process. I have more on my plate then you could ever imagine and the last thing I need is another job of babysitting this process.

I appreciate your individual concern but will just chock this one up to a miss.

If you still have an interest in helping I am now including the sample output from the syntax included in the original question:
"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-TerminalServices-RemoteConnectionManager' Guid='{C76BAA63-AE81-421C-B425-340B4B24157F}'/><EventID>1149</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x1000000000000000</Keywords><TimeCreated SystemTime='2011-03-09T05:13:59.143749600Z'/><EventRecordID>699426</EventRecordID><Correlation/><Execution ProcessID='1892' ThreadID='5624'/><Channel>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</Channel><Computer>SERVER.MYDOMAIN.com</Computer><Security UserID='S-1-5-20'/></System><UserData><EventXML xmlns:auto-ns2='http://schemas.microsoft.com/win/2004/08/events' xmlns='Event_NS'><Param1>ssignorelli</Param1><Param2>INTERNET</Param2><Param3>77.185.103.189</Param3></EventXML></UserData></Event>"
0
Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

 
LVL 68

Expert Comment

by:Qlemo
ID: 35736028
The reason it took me one month to answer is that I came across this question by doing cleanup. And thought though demazter is correct, there might be workarounds.
As a side note, the typical action as Cleanup Volunteer would have been to accept demazter's answer.
0
 
LVL 68

Accepted Solution

by:
Qlemo earned 500 total points
ID: 35740873
I guess this PowerShell script could give you a good starting point:
$evt = (wevtutil qe Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational | select-string "EventID>1149")
write-host ($evt -split "<param1>" -split "</param1>")[1] ($evt -split "<param3>" -split "</param3>")[1]

Open in new window

It will just output the two fields you want to see, without HTML/XML tags:
ssignorelli 77.185.103.189

Open in new window

0
 

Author Comment

by:ssignorelli
ID: 35747991
This is EXACTLY what I was looking for. Please remove the auto-close so I may award you the 500 points. Thank you again!
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 35748051
By posting an objection, you are now able to accept answers again.
0
 

Author Closing Comment

by:ssignorelli
ID: 35748554
This is EXACTLY what I was looking for. Thank you!
0

Featured Post

Are your end users making ugly email signatures?

Have you left it up to your end users to create their own email signatures? Are they forgetting to add the company logo or using garish font colors? Take control and ensure all users have the same email signature.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Gmail Account risks 4 74
Super Scope, DHCP 5 50
Cisco ASDM device NT domain question 4 30
Way to setup network drive share permanently mapped to server 3 44
One of the most frustrating experiences a help desk technician will ever encounter is when a customer comes to them with a solution of their own invention and expects the tech to implement it. This often happens when people with a little bit of tech…
This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…

929 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now