

1 reply

Last post Oct 13, 2004 08:24 AM by Anonymous

  • Syntax

    Oct 12, 2004 08:48 AM|Anonymous|LINK

    I am new to the log parser tool. So far I am a little confused about syntax. I know some SQL so I understand the select from where stuff but I cannot get this simple query to work.

    logparser "SELECT User FROM C:\sys.evt WHERE User = 'Administrator'" -i:EVT

    Can anyone show me where the problem is?

    EVT input format

  • Re: Syntax

    Oct 13, 2004 08:24 AM|Anonymous|LINK

    Your SQL syntax is perfect; what's wrong here is the name of the field you're using. 'User' is not a field exported by the EVT input format.

    To get a list of the fields exported by the EVT input format, type the following help command:

    LogParser -h -i:EVT

    This command will display some help information on the EVT input format, including the names and the data types of its fields:

      EventLog (S)              RecordNumber (I)          TimeGenerated (T)
      TimeWritten (T)           EventID (I)               EventType (I)
      EventTypeName (S)         EventCategory (I)         EventCategoryName (S)
      SourceName (S)            Strings (S)               ComputerName (S)
      SID (S)                   Message (S)               Data (S)

    As you can see, there's no 'User' field, but there's a SID field which returns the SID of an account.

    If you want the SID translated into a user name, you need to set the "resolveSIDs" parameter to "ON":

    logparser "SELECT SID FROM C:\sys.evt WHERE SID='MYMACHINE\Administrator'" -resolveSIDs:ON

    Note that the SID gets translated into a fully-qualified account, i.e. "DOMAINNAME\USERNAME". And, be sure to use the correct capitalization in your WHERE: the "=" operator is case-sensitive.

    You can do a comparison on the USERNAME portion only by using the EXTRACT_TOKEN function to extract the username part:

    logparser "SELECT SID FROM C:\sys.evt WHERE EXTRACT_TOKEN(SID, 1, '\\') = 'Administrator'" -resolveSIDs:ON

    Hope this helps!

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm

    EVT input format
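
The two caveats in the reply above (the SID resolves to "DOMAINNAME\USERNAME", and "=" is case-sensitive), worked into a short batch file as an added example that is not part of the original thread. It assumes the same C:\sys.evt file and Log Parser's TO_LOWERCASE function; the column alias Events is chosen here for illustration.

```bat
@echo off
rem Added example, not from the original posts. C:\sys.evt is the saved
rem event log named in the thread; adjust the path for your own file.

rem 1. List every resolved account that appears in the log, with a count.
rem    Run this first to see the exact DOMAINNAME\USERNAME strings and
rem    their capitalization before writing a WHERE clause against them.
logparser "SELECT SID, COUNT(*) AS Events FROM C:\sys.evt WHERE SID IS NOT NULL GROUP BY SID ORDER BY Events DESC" -i:EVT -resolveSIDs:ON

rem 2. Match on the username part only, ignoring case. EXTRACT_TOKEN takes
rem    the text after the backslash, TO_LOWERCASE folds it, so the literal
rem    on the right-hand side must be written in lower case.
logparser "SELECT TimeGenerated, EventID, SourceName, SID FROM C:\sys.evt WHERE TO_LOWERCASE(EXTRACT_TOKEN(SID, 1, '\\')) = 'administrator' ORDER BY TimeGenerated DESC" -i:EVT -resolveSIDs:ON
```

The second query matches the Administrator account of any machine or domain, since only the username token is compared.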