I am trying to establish a procedure to extract information from the event logs to use in an analysis tool called Sawmill. I can get this command to work without the RESOLVE_SID(SID) as Username, but I would like to get usernames included.
C:\Program Files\Log Parser 2.2>logparser "SELECT *, RESOLVE_SID(SID) as Username INTO D:\sys.csv FROM D:\sys.evt" -i:EVT -o:CSV
The above command completes, but does not resolve the SID to a username.
Any ideas?