URGENT: Parse interactive logon from Security logs using Log Parser
Last post Oct 15, 2014 10:43 PM by eahenle
Aug 11, 2014 02:04 PM | Kani_sh
I am new to Log Parser. My intent is to use Log Parser to parse the Security logs for interactive logons (logon type 2) for event ID 4624. I have been trying to write an SQL query, which is as follows:
SELECT timegenerated, EXTRACT_TOKEN(Strings,3,':') AS LogonID, EXTRACT_TOKEN(Strings,5,':') AS USER, EXTRACT_TOKEN(Strings,8,':') AS LogonTYPE, EXTRACT_TOKEN(Strings,11,':') AS WorkstationName, EventID FROM Security WHERE EventID=4624 ORDER BY timegenerated
This query gives me a list of event 4624 with the fields (logon ID, logon type, workstation name, etc.). However, the logon type and every other field apart from the event ID are empty. I intend to extract the "logon type" value for each event and then further filter/parse the events using the LogonType field.
Oct 15, 2014 10:43 PM | eahenle
You appear to be using the incorrect field delimiter. The query you have above is using ':', while the correct delimiter is '|'.
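To make the answer concrete, here is an added example (my own code, not part of the thread or of Log Parser) that carries the corrected query's EXTRACT_TOKEN() logic through in Python over a few constructed 4624 rows. It shows why the original query came back empty (splitting the Strings field on ':' leaves no token at position 8), that the token positions 3/5/8/11 used in the question line up with SubjectLogonId, TargetUserName, LogonType and WorkstationName once the '|' delimiter is used, and how to filter on logon type 2 afterwards. The corrected Log Parser query is included as a string for reference; the sample rows, user names and workstation names are made up for the example.

```python
"""Emulate the EXTRACT_TOKEN() step of the corrected 4624 query over
constructed sample rows.  Added example; not code from the forum thread."""
from typing import Dict, List, Optional, Sequence, Tuple

# Corrected Log Parser query: same token positions as in the question, but
# split on '|' (the separator Log Parser uses for the EVT Strings field).
# The LogonType test is repeated in WHERE because the column alias cannot be
# relied on there.  Run with:  LogParser.exe -i:EVT "<query>"
LOGPARSER_QUERY = """
SELECT TimeGenerated,
       EXTRACT_TOKEN(Strings, 3, '|')  AS LogonID,
       EXTRACT_TOKEN(Strings, 5, '|')  AS User,
       EXTRACT_TOKEN(Strings, 8, '|')  AS LogonType,
       EXTRACT_TOKEN(Strings, 11, '|') AS WorkstationName,
       EventID
FROM Security
WHERE EventID = 4624 AND EXTRACT_TOKEN(Strings, 8, '|') = '2'
ORDER BY TimeGenerated
"""

# Zero-based positions of the 4624 insertion strings that the query reads.
# Position 3 is the *subject* logon ID (the target's is position 7); newer
# Windows builds append extra strings at the end, so these positions hold.
SUBJECT_LOGON_ID, TARGET_USER_NAME, LOGON_TYPE, WORKSTATION_NAME = 3, 5, 8, 11


def extract_token(strings: str, index: int, sep: str) -> Optional[str]:
    """Mimic Log Parser's EXTRACT_TOKEN(): split on sep and return the
    zero-based token, or None (Log Parser NULL) when no such token exists."""
    tokens = strings.split(sep)
    return tokens[index] if 0 <= index < len(tokens) else None


# Constructed rows shaped like Log Parser's EVT output: (TimeGenerated,
# EventID, Strings).  Strings is built from the 4624 insertion strings in
# their template order and joined with '|'.  All values are made up.
SAMPLE_ROWS: List[Tuple[str, int, str]] = [
    ("2014-08-11 09:12:03", 4624, "|".join([
        "S-1-5-18", "WKS01$", "CORP", "0x3e7", "S-1-5-21-1-2-3-1001", "alice",
        "CORP", "0x1a2b3c", "2", "User32 ", "Negotiate", "WKS01",
        "{00000000-0000-0000-0000-000000000000}", "-", "-", "0", "0x2ec",
        "C:\\Windows\\System32\\winlogon.exe", "127.0.0.1", "0"])),
    ("2014-08-11 09:15:40", 4624, "|".join([
        "S-1-0-0", "-", "-", "0x0", "S-1-5-21-1-2-3-1105", "svc_backup",
        "CORP", "0x4d5e6f", "3", "NtLmSsp ", "NTLM", "FS01",
        "{00000000-0000-0000-0000-000000000000}", "-", "NTLM V2", "128", "0x0",
        "-", "10.0.0.25", "49832"])),
    ("2014-08-11 09:20:11", 4624, "|".join([
        "S-1-5-18", "WKS02$", "CORP", "0x3e7", "S-1-5-21-1-2-3-1042", "bob",
        "CORP", "0x7a8b9c", "10", "User32 ", "Negotiate", "WKS02",
        "{00000000-0000-0000-0000-000000000000}", "-", "-", "0", "0x31c",
        "C:\\Windows\\System32\\winlogon.exe", "10.0.0.77", "51211"])),
]


def interactive_logons(rows: Sequence[Tuple[str, int, str]],
                       logon_types: Sequence[str] = ("2",)) -> List[Dict]:
    """Apply the corrected query's projection and WHERE clause in Python.
    Keeps only EventID 4624 rows whose LogonType is in logon_types (default:
    type 2 only; pass ("2", "10", "11") to include RDP and cached-credential
    logons as well) and returns them ordered by TimeGenerated."""
    out = []
    for time_generated, event_id, strings in rows:
        if event_id != 4624:
            continue
        logon_type = extract_token(strings, LOGON_TYPE, "|")
        if logon_type not in logon_types:
            continue
        out.append({
            "TimeGenerated": time_generated,
            "LogonID": extract_token(strings, SUBJECT_LOGON_ID, "|"),
            "User": extract_token(strings, TARGET_USER_NAME, "|"),
            "LogonType": logon_type,
            "WorkstationName": extract_token(strings, WORKSTATION_NAME, "|"),
            "EventID": event_id,
        })
    return sorted(out, key=lambda r: r["TimeGenerated"])


if __name__ == "__main__":
    # With ':' as separator the Strings field yields no token at position 8,
    # which is exactly the empty LogonType column seen in the question.
    print("LogonType via ':' ->", extract_token(SAMPLE_ROWS[0][2], LOGON_TYPE, ":"))
    for row in interactive_logons(SAMPLE_ROWS):
        print(row)
```

The only change needed to the original query is the delimiter argument of each EXTRACT_TOKEN() call; the token positions were already right. If the goal is "anyone who logged on at a console or desktop", consider also including logon types 10 (RemoteInteractive, i.e. RDP) and 11 (CachedInteractive), which the default filter above deliberately leaves out.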