asked on

Logparser 2.2 against Exchange 2010 RCA Logs

Exchange Server 2010 SP3 RU 8 Enterprise 64 Bit
Logparser 2.2
Windows 2008 R2 Server 64bit

rem @echo off

del clientip.txt

"C:\Program Files (x86)\Log Parser 2.2\logparser.exe" "SELECT Extract_Suffix(client-name,0,'=') as User,client-name as DN,client-software,client-software-version as Version,client-mode,client-ip,protocol from D:\Progra~1\Microsoft\Exchan~1\V14\Logging\RPC Client Access\RCA*.log WHERE (operation='Connect') GROUP BY User,DN,client-software,Version,client-mode,client-ip,protocol ORDER BY User" -i:CSV -nSkipLines:4 -o:CSV >c:\util\clientIp.txt

Open in new window

Results fail

C:\Util>clientip

C:\Util>rem @echo off

C:\Util>del clientip.txt

C:\Util>"C:\Program Files (x86)\Log Parser 2.2\logparser.exe" "SELECT Extract_Su
ffix(client-name,0,'=') as User,client-name as DN,client-software,client-softwar
e-version as Version,client-mode,client-ip,protocol from D:\Progra~1\Microsoft\E
xchan~1\V14\Logging\RPC Client Access\RCA*.log WHERE (operation='Connect') GROUP
BY User,DN,client-software,Version,client-mode,client-ip,protocol ORDER BY User
" -i:CSV -nSkipLines:4 -o:CSV 1>c:\util\clientIp.txt
Error: Syntax Error: extra token(s) after query: 'Client'
C:\Util>cd\util

C:\Util>Pause
Press any key to continue . . .
Terminate batch job (Y/N)? y

C:\Util>

Is my code correct?
Thoughts?

ASKER CERTIFIED SOLUTION

NVIT

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

Member_2_6492660_1

ASKER

Yes this is my first attempt

on Exchange 2007 you got this information from this command
get-logonstatistics myuser | sort-object clientipaddress | format-table username,clientipaddress,logontime,clientversion >c:\util\logon.txt

Now on Exchange 2010 that does not exist so I am trying to replicate the same report using logparser

DIR /X D:\Progra~1\Microsoft\Exchan~1\V14\Logging\RPC* gives the same name I am using

RPC Client Access

Member_2_6492660_1

ASKER

Hi

Any thoughts on this?

NVIT

As I mentioned, try a reduced version to track down this cause. Maybe something like:
"SELECT * from D:\Progra~1\Microsoft\Exchan~1\V14\Logging\RPC Client Access\RCA*.log" -i:CSV -nSkipLines:4 -o:CSV

If that works, build up:
"SELECT Extract_Suffix(client-name,0,'=') as User from D:\Progra~1\Microsoft\Exchan~1\V14\Logging\RPC Client Access\RCA*.log" -i:CSV -nSkipLines:4 -o:CSV

Etc...

Member_2_6492660_1

ASKER

NewVillageIT

I figured it out It was

@echo off

del clientip.txt

"C:\Program Files (x86)\Log Parser 2.2\logparser.exe" "SELECT Extract_Suffix(client-name,0,'=') as User,client-name as DN,client-software,client-software-version as Version,client-mode,client-ip,protocol from 'D:\Program Files\Microsoft\Exchange Server\V14\Logging\RPC Client Access\RCA*.log' WHERE (operation='Connect') GROUP BY User,DN,client-software,Version,client-mode,client-ip,protocol ORDER BY User" -i:CSV -nSkipLines:4 -o:CSV >c:\util\clientIp.txt

cd\util

Open in new window

Had to change
D:\Progra~1\Microsoft\Exchan~1\V14\Logging\RPC Client Access\RCA*.log

To
'D:\Program Files\Microsoft\Exchange Server\V14\Logging\RPC Client Access\RCA*.log'

Now it runs

NVIT

Awesome! Glad you got it working...

Member_2_6492660_1

ASKER

That lead me to the solution.

Just needed a little time to look over the code.

Thanks for your help

You have any knowledge about receive connectors?

I have an open questions on that subject if you can help with that one here it is

https://www.experts-exchange.com/questions/28609455/ReceiveConnectors-on-Exchange-2010-Help-needed.html

Thanks again