
Thread: Can we parse Event description (Message) into only what we want? RESOLVED!!!

Last post 07-27-2009 5:25 PM by PatrickMc. 8 replies.


  • 11-03-2008, 12:39 PM

    Can we parse Event description (Message) into only what we want? RESOLVED!!!

    Hi Everyone! I'm newer to Log Parser and have been wracking my fingers over this. I'm looking to parse Windows Event Log files and I'm hoping to find a method using Log Parser that allows me to customize (filter/parse) the Message field in the output file generated.

    For example, if I want logon records 528 I use:

    "SELECT Message INTO report.csv FROM SecEvent.Evt WHERE EventID=528"

     But I don't want everything in the description field for the record.  I only want: time generated, user name and domain.  So I modify my command to:

    "SELECT TimeGenerated, EXTRACT_TOKEN(Strings, 0, '|') AS UserName, EXTRACT_TOKEN(Strings, 1, '|') AS Domain INTO report.csv FROM SecEvent.Evt WHERE EventID=528"

     The above gives me my CSV file with the time generated, the user account and domain.  But the key piece of information I want is the first line of the Message (description) field in the event record: that of "Successful Logon:".

    Thus far I have not found a way to parse the Message field to pull this first line.  0 is for the user name, 1 for the domain, 2 for the logon ID, etc., in the Security event log.  

    Is there a way to use Log Parser to parse the Message field in the event log to pull this "first" line?  I quote first because it's the very first line of text displayed in the event viewer event properties window, followed by the user name, domain, etc.  

    Currently I'm outputting the entire Message field to a CSV file, then using OpenOffice to find and replace all the information I don't want. Not slow, but I would like to know if Log Parser can write out what I want and only what I want.

    Does anyone have ideas or know how to get that first bit of information from the Message (description) field of event logs using Log Parser (along with the other two fields (strings) I'm interested in)?

     Cheers!


    LT


  • 11-04-2008, 4:07 AM In reply to

    Re: Can we parse Event description (Message) into only what we want?

    Try -

    C:\Program Files\IIS Resources\Log Parser>LogParser.exe -i:evt "select top 3 TimeGenerated as Time, Extract_Token(Extract_Token(Message,2,':'),0,'Domain') As Username, Extract_Token(Extract_Token(Message,3,':'),0,'Logon') as Domain from security where EventID=528"

    Time                Username          Domain
    ------------------  ----------------- --------------
    9/22/2008 16:42:39  NETWORK SERVICE   NT AUTHORITY
    9/22/2008 17:25:27  alisa             MyDomain
    9/22/2008 17:33:28  NETWORK SERVICE   NT AUTHORITY

    You can further fine-tune the script to your needs.

    Cheers,
    Bernard Cheah
  • 11-04-2008, 10:21 AM In reply to

    Re: Can we parse Event description (Message) into only what we want?

    Thank you Bernard.

    Unfortunately your assistance doesn't provide me what I want. Or, I'm unable to fine-tune what you have provided to get what I want.

    I am familiar with EXTRACT_TOKEN and can get TimeGenerated, and other STRINGS from the Message for each security event record.  

    What I am unable to get is the very first line that appears in the event record for EventID 528 and 538.  And that first line is:

    Successful Logon:   for 528

    User Logoff:  for 538

    Both of these are from the SecEvent.Evt log file. I'd like to get only this information, the words before the ":".

    I was (am) hoping to parse the Message field to get this very first line, and then the "User Name" and "Domain" sections as well.  I can get these latter ones with the EXTRACT_TOKEN Strings feature within Log Parser.

    Is there any way to get that very first line, and only that first line, of each event record?

    Cheers!

    LT

  • 11-04-2008, 10:56 AM In reply to

    Re: Can we parse Event description (Message) into only what we want?

     Thank you Bernard!

    Taking your example and playing with it I am able to finally achieve what I want, as shown below. I have put my example here because I very much appreciate your assistance, and anyone else who is looking to get what I was after can now do so :)

    Cheers!

    -LT


    logparser -i:evt "SELECT TimeGenerated AS [Date & Time], Extract_Token(Extract_Token(Message,0,':'),0,'Description') AS [Event Description], Extract_Token(Extract_Token(Message,2,':'),0,'Domain') AS [User Name], Extract_Token(Extract_Token(Message,3,':'),0,'Logon') AS Domain FROM SecEvent.evt WHERE EventID IN(528;538) AND SID LIKE 'X-Y-Z-XX-XXXXXXXX-XXXXXXXXX-XXXXXXXXX-XXXXXX'"


    Date & Time          Event Description   User Name   Domain
    -------------------  ------------------  ----------  ----------
    2008-05-23 09:13:46  Successful Logon    ltuser      domainA
    2008-05-23 09:50:20  Successful Logon    ltuser      domainA
    2008-05-23 09:50:20  Successful Logon    ltuser      domainA
    2008-05-23 09:50:20  User Logoff         ltuser      domainA
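    As an added illustration (not code from the thread or from Log Parser), the Python below emulates EXTRACT_TOKEN and applies the nested-':' query above to a constructed 528 Message, next to a label-based parser that reads "Label:<tab>value" lines instead of counting ':' positions. The sample Message layout and the field names are assumptions based on what the thread describes.

```python
"""Emulate Log Parser's EXTRACT_TOKEN and compare the nested-':' trick from the
thread with a label-based parse of a Windows Security event Message."""

# Constructed sample (assumption) of the Message field of a 528 event, in the
# layout the thread describes: first line ending in ':', then "Label:\tvalue".
SAMPLE_528 = (
    "Successful Logon:\r\n"
    "\tUser Name:\tltuser\r\n"
    "\tDomain:\t\tdomainA\r\n"
    "\tLogon ID:\t\t(0x0,0x3E7)\r\n"
)

def extract_token(text, index, separator):
    """Log Parser EXTRACT_TOKEN: split on the separator string and return the
    index-th piece (whitespace-trimmed), or None when it does not exist."""
    if text is None:
        return None
    parts = text.split(separator)
    return parts[index].strip() if 0 <= index < len(parts) else None

def parse_by_position(message):
    """LT's query, token for token: ':' splits the Message, then a following
    label word ('Description', 'Domain', 'Logon') cuts off the trailing text."""
    return {
        "Event Description": extract_token(extract_token(message, 0, ":"), 0, "Description"),
        "User Name": extract_token(extract_token(message, 2, ":"), 0, "Domain"),
        "Domain": extract_token(extract_token(message, 3, ":"), 0, "Logon"),
    }

def parse_by_label(message):
    """Position-independent: the first line (minus ':') is the description;
    every later line is 'Label:<tabs>value', split at the FIRST ':' only, so a
    value that itself contains ':' does not shift the remaining fields."""
    lines = [ln.strip() for ln in message.splitlines() if ln.strip()]
    out = {"Event Description": lines[0].rstrip(":").strip()}
    for ln in lines[1:]:
        label, _, value = ln.partition(":")
        out[label.strip()] = value.strip()
    return out
```

    Any ':' inside a value (as in the constructed "svc:backup" case) shifts every later token for the positional query, which is why the label-based parse is the safer form when the query is reused across event types.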


  • 11-05-2008, 4:02 AM In reply to

    Re: Can we parse Event description (Message) into only what we want?

    Great! My sample was just to get you started... as you can see, I only set top 3 records and only 1 ID. An LP query is like a SQL query; the only limitation is your imagination :)

    Cheers,
    Bernard Cheah
  • 03-05-2009, 11:32 AM In reply to

    Re: Can we parse Event description (Message) into only what we want?

     Hello,

     The example you have is GREAT!! I need to do all of what has been described in this posting, but I need to add one more column to this data.

    Do you know a simple way to also extract the name of the computer the account was logging into? I see it peppered through the data, but my previous attempts at this extraction involved writing a program to do multiple iterations over the file to match up computer names and IPs to try to finish the picture (very slow, and a hassle).

    The goal would be to display a record for every interactive user login to all computers, such that I could use this for statistics I need to show.

     Example:

    2008-10-10 08:08:08|Logon|BobSmith|COMPUTER1

    2008-10-10 08:15:08|Logon|BobSmith|COMPUTER2

    2008-10-10 08:08:08|Logon|JaneSmith|COMPUTER1

    (still looking around the forum for the answer, if I find it I will note it here)

    Thanks !!


  • 03-06-2009, 10:53 AM In reply to

    Re: Can we parse Event description (Message) into only what we want?

    I neglected to point out that I am reading logs from our domain controllers only, not the client computers. I suppose I could gather event logs on all those, but that's many machines to pull logs from.

  • 03-10-2009, 12:21 AM In reply to

    Re: Can we parse Event description (Message) into only what we want?

    What does the source event log data look like?
    Cheers,
    Bernard Cheah
  • 07-27-2009, 5:25 PM In reply to

    Re: Can we parse Event description (Message) into only what we want? RESOLVED!!!


    Have you tried writing your own script for parsing logs exactly the way you want? We often use biterscripting for that. There is a good example script posted at http://www.biterscripting.com/SS_WebLogParser.html to get you started.


    Patrick

Microsoft Communities