
URGENT : Parse interactive logon from Security logs using Log parser

1 reply

Last post Oct 15, 2014 10:43 PM by eahenle

  • URGENT : Parse interactive logon from Security logs using Log parser

    Aug 11, 2014 02:04 PM|Kani_sh

    Hi,

    I am new to Log Parser. My intent is to use Log Parser to parse the Security logs for interactive logins (Logon type: 2) for event ID 4624. I have been trying to write an SQL query, which is as follows:

    SELECT timegenerated, EXTRACT_TOKEN(Strings,3,':') AS LogonID, EXTRACT_TOKEN(Strings,5,':') AS USER, EXTRACT_TOKEN(Strings,8,':') AS LogonTYPE, EXTRACT_TOKEN(Strings,11,':') AS WorkstationName, EventID FROM Security WHERE EventID=4624 ORDER BY timegenerated DESC

    This query gives me a list of 4624 events with the fields (logon ID, logon type, WorkstationName, etc.). However, the logon type and every other field apart from the event ID are empty. I intend to extract the "logon type" value for each event and further filter/parse the events using the LogonType field.

    PLS HELP!

  • Re: URGENT : Parse interactive logon from Security logs using Log parser

    Oct 15, 2014 10:43 PM|eahenle

    You appear to be using the incorrect field delineator. The query you have above is using :, while the correct delineator is |.
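
The query from the question with the separator changed to | as the reply describes, plus the logon type 2 filter the question asks for. This is an added example and not part of either post. It assumes the token positions (3, 5, 8, 11) already used in the question are correct for the 4624 events on the system being queried; the column aliases are illustrative.

```sql
-- Added example, not from the thread.
-- Interactive (logon type 2) logons from event 4624 in the Security log.
-- Assumption: token positions 3, 5, 8 and 11 are taken from the question's query.
-- EXTRACT_TOKEN returns a string, so the filter compares against '2'.
-- The expression is repeated in WHERE instead of relying on the SELECT alias.
SELECT
    TimeGenerated,
    EXTRACT_TOKEN(Strings, 3, '|')  AS LogonID,
    EXTRACT_TOKEN(Strings, 5, '|')  AS UserName,
    EXTRACT_TOKEN(Strings, 8, '|')  AS LogonType,
    EXTRACT_TOKEN(Strings, 11, '|') AS WorkstationName,
    EventID
FROM Security
WHERE EventID = 4624
  AND EXTRACT_TOKEN(Strings, 8, '|') = '2'
ORDER BY TimeGenerated DESC
```

Saved to a query file, it can be run against the event log input format, for example `LogParser.exe -i:EVT file:interactive-logons.sql` (the file name is a placeholder).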