
Export Events Including Event Properties From Windows Event Viewer

The document discusses using the eventquery.vbs script to export event properties from the Windows Event Viewer System log. Specific filters are used to export print job information for a print accounting solution. Event data including user, document name, size, and pages printed is output to a CSV file for further analysis and creating a simple print accounting report.

Uploaded by rene_sgr
Copyright: © Attribution Non-Commercial (BY-NC)

http://pario.no/2009/05/13/exporting-events-including-event-properties-f...

Pario TechnoBlob (http://pario.no)


A chronological documentation test project, nothing serious, really!

Export events including Event Properties from Windows Event Viewer


Posted May 13th, 2009 by Hans-Henry Jakobsen (http://pario.no/author/admin/) & filed under Scripting (http://pario.no/category/scripting/), Windows (http://pario.no/category/windows/).

This post came to life after a request to produce an overview of how many prints every user produced on a special printer from our print server. Since we have no print accounting software installed on our Windows 2003 Server, I had to come up with a new solution to this problem. The actual print accounting part will be posted in another post.

The solution I came up with was to enable auditing on printing and then gather information from the System log in the Event Viewer. But first I had to export the necessary data from the Event Viewer, since a normal export using the Export List function (right-clicking a log) would not give me a good enough level of detail, including the Event Properties.

After some research I found a Windows tool called eventquery.vbs, which is located in the windows/system32 folder on most Windows PCs. It's a script that lists the events and event properties from one or more event logs.

Export log info

These are the switches I used to export Event Viewer events from System:

cscript c:\windows\system32\eventquery.vbs /l System /fi "Type eq Information" /fi "Source eq Print" /fi "ID eq 10" /v /fo csv > Event_Viewer_System.csv

The syntax I used was to

- filter (/fi) for events whose Type equals Information
- filter for Source equal to Print
- filter for ID equal to 10
- have verbose (/v) output
- read from the System log (/l System)
- output as a comma-separated file (/fo csv)
- and redirect the result to a file (> filename.csv)

More info about the eventquery.vbs tool can be found by following the link under Sources.

The result from this export can look something like this:
"Information","10","12.05.2009 13:24:48","Print","Servername","None","AD\username","Document 232, filename.pdf owned by username was printed on printername via port IP_192.168.0.254. Size in bytes: 279232; pages printed: 1"


If you look at the image below you'll understand where I got the filter type info from.
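Turning the exported rows into per-user page totals, as an added example (not code from the original post). The function names, the banner line and the extra sample rows are constructed for illustration; the field order and the description wording are assumed from the sample line shown above.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample of `/v /fo csv` output: a banner line, two Print/ID 10
# rows in the layout shown above, and one row with an unexpected description.
SAMPLE = r'''Listing events (constructed banner line, not a record)
"Information","10","12.05.2009 13:24:48","Print","Servername","None","AD\username","Document 232, filename.pdf owned by username was printed on printername via port IP_192.168.0.254. Size in bytes: 279232; pages printed: 1"
"Information","10","12.05.2009 13:30:02","Print","Servername","None","AD\username","Document 233, notes, v2.doc owned by username was printed on printername via port IP_192.168.0.254. Size in bytes: 51200; pages printed: 4"
"Information","10","12.05.2009 13:31:10","Print","Servername","None","AD\other","Unexpected description text"
'''

# Wording of the ID 10 description, taken from the sample line in the post.
DESC = re.compile(
    r"Document (?P<job>\d+), (?P<doc>.+) owned by (?P<owner>\S+) was printed on "
    r"(?P<printer>.+) via port (?P<port>.+?)\. +Size in bytes: (?P<size>\d+); "
    r"pages printed: (?P<pages>\d+)")


def parse_print_events(text):
    """Return (jobs, rejected) for the Print/ID 10 rows in an export."""
    jobs, rejected = [], []
    for row in csv.reader(io.StringIO(text)):
        # Assumed field order: type, ID, time, source, computer, category,
        # user, description. Banner lines and other events are skipped.
        if len(row) != 8 or row[1] != "10" or row[3] != "Print":
            continue
        m = DESC.fullmatch(row[7].strip())
        if m is None:
            rejected.append(row)  # keep for review instead of dropping silently
            continue
        jobs.append({"time": row[2], "user": row[6], "printer": m["printer"],
                     "document": m["doc"], "bytes": int(m["size"]),
                     "pages": int(m["pages"])})
    return jobs, rejected


def pages_per_user(jobs):
    """Total pages printed per (user, printer)."""
    totals = defaultdict(int)
    for job in jobs:
        totals[(job["user"], job["printer"])] += job["pages"]
    return dict(totals)


if __name__ == "__main__":
    jobs, rejected = parse_print_events(SAMPLE)
    print(pages_per_user(jobs), "unparsed rows:", len(rejected))
```

Rows that look like print events but do not match the expected wording are returned separately, so a changed message format shows up as a count rather than as missing pages in the report.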


This data now gives me the opportunity to filter out the data I need to create simple print accounting for my users, and that is posted in the post named Simple Windows Print Accounting using Event Viewer data (http://pario.no/2009/05/15/simple-windows-print-accounting-using-event-viewer-data/).

Source: eventquery.vbs (http://technet.microsoft.com/en-us/library/bb490900.aspx)

This post can also be used to export from any Event Viewer log, such as Application, Security, Internet Explorer or other logs you have on your system.

Tags: cscript (http://pario.no/tag/cscript/), Event Properties (http://pario.no/tag/event-properties/), Event Viewer (http://pario.no/tag/event-viewer/), eventquery.vbs (http://pario.no/tag/eventqueryvbs/)
