Search results matching tag 'EVT input format'

Prining

hg363 — Thu, 22 Oct 2009 21:50:45 GMT

Hi to all forum members.

Is there an SQL script in existance or can one be configured that when executed with Log Parser would show which printers a client printed to from a MS Windows XP Pro PC?

And if this is possible can the script then be inflated to show what dates the print jobs were sent to the printers and if possible the print job name and how many pages?

If some one could kindly show me how this can be done, it would be most helpful, regards HG363 UK London

Event logs Parsing issue

mritorto — Wed, 07 Oct 2009 13:03:44 GMT

Guys,

Here is my issue I have a batch job that runs log parser to collect the event logs from my servers and dumps the info into an excel spreadsheet.

Some times it works perfectly and some times it does not. The record titles like computername or timegenerated some times show up in the spreadsheet and other times it does not not.

Any idea why. I do have other batch files that run thru out the day looking the servers for specfic event log error messages like account lockouts but the one listed below only runs once per day.

I even run it from a different machine and I get the same results

Any help would be appreciated.

for /f %%i in (servers.txt) do logparser "select distinct timegenerated,EventID,EventTypeName,Strings,ComputerName,Message into eventlogs.csv from \\%%i\application where eventtypename like 'error event' and timegenerated >= to_localtime (sub(system_timestamp(), timestamp ('23','hh') ) ) order by timegenerated " -i:evt -o:csv -filemode:0

Logparser 2.2

rlawson — Mon, 27 Apr 2009 15:12:52 GMT

If logparser 2.2 compatible with windows 2008/64bit? to see security .evt logs

I I am using logparser 2.2 and it was working perfect until the domain controllers were upgraded to windows 2008 64bit, now I get a file is corrupt.

Need help

Thanks

EVT Log Corrupted or Being Used By Another Process

hullflyer — Thu, 26 Jun 2008 18:35:59 GMT

Relatively new to log parser (v 2.2). Have ASP pages running fine to query IIS web logs. Now trying to get one to report on Event logs, but can't figure out how to get around access errors. When I set the path to the actual event log file, I get:

CLogQueryClass error '80070020' [The process cannot access the file because it is being used by another process.]

The script that results in that error (vbscript in asp page):

pathVar = "c:\WINDOWS\system32\config\SysEvent.evt"
fileQry = "SELECT * FROM "&pathVar
set logQuery = server.createobject("MSUtil.LogQuery")
set EVT = Server.CreateObject("MSUtil.LogQuery.EventLogInputFormat")
set recordSet = logQuery.Execute(fileQry,EVT)

I made sure the pathVar is right and I set permissions on that folder to allow everyone full control, and it still gives the same error. So, thinking that it's a file sharing violation, I set up a script to copy that file to a new one in the same folder. Now that gives a new error:

CLogQueryClass error '800705dc' [The event log file is corrupted.]

The script that results in this new error is:

pathVar = "c:\WINDOWS\system32\config\SysEvent.evt"
dim fso
set fso = server.createobject("Scripting.FileSystemObject")
dim txtPath
txtPath = "C:\WINDOWS\system32\config\MyEvent2.evt"
fso.CopyFile pathVar,txtPath
fileQry = "SELECT * FROM '"&txtPath&"' '"
set logQuery = server.createobject("MSUtil.LogQuery")
set EVT = Server.CreateObject("MSUtil.LogQuery.EventLogInputFormat")
set recordSet = logQuery.Execute(fileQry,EVT)

I double checked and I can open that original event log in the WMI Event Viewer just fine, so the original file being copied appears to be good. The new file MyEvent2.evt is there and the same size as the original.

Both errors are the same regardless of which event log file I specify.

There is surprisingly little in the book or on the web about webifying log parser, especially in vbscript. Any ideas what I'm doing wrong? Is there a different input format I s/b using for asp?

WinXP (no Eng, eg DE-DE ) localized event logs

Milano — Tue, 25 Mar 2008 20:59:21 GMT

Does logparser support localized event logs? If so, is there anything special needs to be done to get this going?

Thanks!

RE: Querying for a date

LogParser User : dssbob — Mon, 18 Jun 2007 11:14:00 GMT

Ok...say my normal operating hours are 9am-5pm.

How would I write a query to look for logons outside of that time period?

I know how to look within that timeframe, but cant figure out how to look outside of that timeframe.

Thanks

RE: Querying for a date

LogParser User : dssbob — Fri, 15 Jun 2007 16:47:00 GMT

I switched to the new version and its working great...Thanks!

RE: Querying for a date

LogParser User : José Gisbert — Thu, 14 Jun 2007 22:24:00 GMT

I probe (copy & paste) your post and works fine with Logparser v2.2.10 , which version have you?

RE: Querying for a date

LogParser User : dssbob — Thu, 14 Jun 2007 10:48:00 GMT

I have tried that:

LogParser.exe "select EventID, TimeGenerated, Message, ComputerName, RESOLVE_SID(SID) as Username from C:\Log_Files\2007_6_13\evt\SecEvent_20070613_07.Evt TO TEST.html WHERE TimeGenerated BETWEEN TO_TIMESTAMP('2007-06-08 00:00:01', 'yyyy-MM-dd hh:mm:ss') AND TO_TIMESTAMP('2007-06-08 23:59:59', 'yyyy-MM-dd hh:mm:ss')" -i:EVT -o:TPL -tpl:LogParserTemplate.txt

and keep getting this error :

Syntax error: <tern2>: 'BETWEEN' is not a vailid operator

Any ideas?

Thanks

Parse by username

LogParser User : dssbob — Thu, 07 Jun 2007 18:26:00 GMT

Is there anyway to just grab all events in the Security log that are generated by a specific user?

Thanks