Oct 12, 2004 08:48 AM | Anonymous
EVT input format
Oct 13, 2004 08:24 AM | Anonymous
Your SQL syntax is perfect; what's wrong here is the name of the field you're using. 'User' is not a field exported by the EVT input format.
To get a list of the fields exported by the EVT input format, type the following help command:
LogParser -h -i:EVT
This command will display some help information on the EVT input format, including the names and the data types of its fields:
EventLog (S) RecordNumber (I) TimeGenerated (T)
TimeWritten (T) EventID (I) EventType (I)
EventTypeName (S) EventCategory (I) EventCategoryName (S)
SourceName (S) Strings (S) ComputerName (S)
SID (S) Message (S) Data (S)
As you can see, there's no 'User' field, but there's a SID field which returns the SID of an account.
If you want the SID translated into a user name, you need to set the "resolveSIDs" parameter to "ON":
logparser "SELECT SID FROM C:\sys.evt WHERE SID='MYMACHINE\Administrator'" -resolveSIDs:ON
Note that the SID gets translated into a fully-qualified account, i.e. "DOMAINNAME\USERNAME". And, be sure to use the correct capitalization in your WHERE: the "=" operator is case-sensitive.
You can do a comparison on the USERNAME portion only by using the EXTRACT_TOKEN function to extract the username part:
logparser "SELECT SID FROM C:\sys.evt WHERE EXTRACT_TOKEN(SID, 1, '\\') = 'Administrator'" -resolveSIDsN
Hope this helps!
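An added example, not from the original post, that puts the three points of the answer together (the SID field, -resolveSIDs:ON, and EXTRACT_TOKEN on the USERNAME token) in a query file; it lowercases both sides of the comparison so the case-sensitive "=" does not miss 'administrator' vs 'Administrator'. The file name accounts.sql is an assumption; C:\sys.evt is the log from the thread.

```sql
-- accounts.sql (added example, not the original poster's query)
-- Run as:  logparser file:accounts.sql -i:EVT -resolveSIDs:ON
-- With resolveSIDs ON the SID field reads DOMAINNAME\USERNAME, so token 0 is
-- the domain and token 1 the account; events with no SID are skipped.
SELECT TO_LOWERCASE(EXTRACT_TOKEN(SID, 0, '\\')) AS Domain,
       TO_LOWERCASE(EXTRACT_TOKEN(SID, 1, '\\')) AS Account,
       EventID,
       SourceName,
       COUNT(*) AS Events
FROM C:\sys.evt
WHERE SID IS NOT NULL
  -- "=" is case-sensitive in Log Parser, so compare lowercased values
  AND TO_LOWERCASE(EXTRACT_TOKEN(SID, 1, '\\')) = 'administrator'
GROUP BY Domain, Account, EventID, SourceName
ORDER BY Events DESC
```

Dropping the WHERE line on the account gives a per-account, per-event-ID summary of the whole log, which is a quick way to see which accounts generated which System events.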