I'm using JScript to execute a query on Security event logs, and use the following lines to resolve the SIDs (taken from the Log Parser Help file):
//Create EventLog input format
var objEventLogInputFormat = new ActiveXObject( "MSUtil.LogQuery.EventLogInputFormat" );
// Resolve SIDs
objEventLogInputFormat.resolveSIDs = true;
However, this does not work, since the SID in my output is not resolved. I use the following query:
SELECT RecordNumber, SourceName, TimeGenerated, SID, ComputerName, EXTRACT_TOKEN(Strings, 13, '|') as SourceNetworkAddress, Message FROM R:\temp\LogQueryWorkDir\Security.2008-07-02-16-50-42.evt WHERE eventID = 528 ORDER BY RecordNumber, TimeGenerated
And the output, which I generate with the toNativeString method, still shows the SID unresolved (I removed everything after the SID for safety):
7, Security, 2008-07-02 10:16:22, S-1-5-21-2046926873-3586635073-1646930892-2756, ......
Also, a WHERE clause on the SID only works with the numerical SID.
So it seems that setting the property resolveSIDs to true does not work. Setting it to "ON" is not allowed by JScript. Has this problem already been solved in any way, or is there a workaround?