Trying to validate the times logged in

1 reply

Last post Mar 06, 2017 04:41 PM by SilenceStill

  • Trying to validate the times logged in

    Mar 01, 2017 06:57 PM|SilenceStill|LINK

    Hello,

    I am trying to use logparser to find out how many times a particular user has logged on. I have over 2 TBs of domain controller event logs. The user's name is in Strings as account name; this is what I got so far, but it won't filter to just one user, I keep getting an error. I can get the output to dump all 4624s into the csv, but it turns just one of my 11k logs into 167k events from 384k events.

    LogParser "SELECT RecordNumber, TimeGenerated, TimeWritten, EventID, EventType, EventTypeName, EventCategory, Strings, Message, EXTRACT_TOKEN(Strings, 0,'|') AS Account INTO output.csv FROM 1.evtx WHERE EventID = 4624 AND Strings LIKE %JANE.SMITH%" -i:evt

    I keep getting this:

    Err: Syntax Error: <term1>: AND operator not followed by a valid <term1>: near ‘Strings’

    Any help in this matter would be greatly appreciated.

  • Re: Trying to validate the times logged in

    Mar 06, 2017 04:41 PM|SilenceStill|LINK

    So here is the fix, in case anyone stumbling around the interwebs needs help with this: missing single quotes around the username.

    LogParser "SELECT RecordNumber, TimeGenerated, TimeWritten, EventID, EventType, EventTypeName, EventCategory, Strings, Message, EXTRACT_TOKEN(Strings, 0,'|') AS Account INTO output.csv FROM 1.evtx WHERE EventID = 4624 AND Strings LIKE '%JANE.SMITH%'" -i:evt
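Added example, not part of the thread: once the query above writes output.csv, the count it gives is a substring match on the whole pipe-joined Strings column, so it also picks up events where JANE.SMITH is the *subject* (the account that initiated a logon for someone else) or where the name is merely a prefix of another account. The script below, on a constructed CSV in the shape LogParser's -i:evt output takes, shows that inflation next to an exact match on the target account name. It assumes the standard 4624 EventData order (Subject* fields first, TargetUserName at token 5, LogonType at token 8), which also means EXTRACT_TOKEN(Strings, 0, '|') in the query returns the subject SID rather than the account name.

```python
import csv
import io
from collections import Counter

# Constructed sample of LogParser's CSV output for a few 4624 events.
# Strings = EventData fields joined by '|'. Assumed (standard 4624) layout:
# 0 SubjectUserSid, 1 SubjectUserName, 2 SubjectDomainName, 3 SubjectLogonId,
# 4 TargetUserSid, 5 TargetUserName, 6 TargetDomainName, 7 TargetLogonId,
# 8 LogonType, 9 LogonProcessName, 10 AuthenticationPackageName, 11 WorkstationName
SAMPLE_CSV = """RecordNumber,TimeGenerated,EventID,Strings
101,2017-03-01 08:02:11,4624,S-1-0-0|-|-|0x0|S-1-5-21-1|JANE.SMITH|CORP|0x3e7a1|2|Kerberos|Kerberos|WS01
102,2017-03-01 08:05:40,4624,S-1-0-0|-|-|0x0|S-1-5-21-2|JANE.SMITH2|CORP|0x3e7b2|3|Kerberos|Kerberos|WS02
103,2017-03-01 08:09:03,4624,S-1-5-18|WS01$|CORP|0x3e7|S-1-5-21-1|JANE.SMITH|CORP|0x3e7c3|3|NtLmSsp|NTLM|WS03
104,2017-03-01 08:12:55,4624,S-1-5-21-1|JANE.SMITH|CORP|0x3e7c3|S-1-5-21-9|SVC_BACKUP|CORP|0x3e7d4|4|Advapi|Negotiate|WS01
"""

TARGET_USER, LOGON_TYPE = 5, 8  # token positions under the assumed layout


def substring_hits(csv_text, needle):
    """Records that WHERE Strings LIKE '%needle%' would return: any field
    containing the needle, whether subject, target, or a longer account name."""
    return [row["RecordNumber"] for row in csv.DictReader(io.StringIO(csv_text))
            if needle.casefold() in row["Strings"].casefold()]


def logons_for(csv_text, account):
    """Logons where the *target* account is exactly `account`, tallied by
    logon type (2 = interactive, 3 = network, 4 = batch, ...)."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EventID"] != "4624":
            continue
        fields = row["Strings"].split("|")
        if fields[TARGET_USER].casefold() == account.casefold():
            counts[fields[LOGON_TYPE]] += 1
    return counts


if __name__ == "__main__":
    print("LIKE-style hits:", substring_hits(SAMPLE_CSV, "JANE.SMITH"))  # 4 records
    print("exact target logons by type:", dict(logons_for(SAMPLE_CSV, "JANE.SMITH")))  # {'2': 1, '3': 1}
```

Record 102 (a different account with the same prefix) and record 104 (JANE.SMITH as subject, SVC_BACKUP as target) are counted by the substring match but not by the exact match; on the 2 TB corpus in the question that difference is what separates "events mentioning the user" from "times the user logged on".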