June 25, 2009

Microsoft LogParser 2.2 Tutorial II

Click Here to see Part I.

In my next post about logparser, I wanted to discuss the basic usage in a few other formats. The best way to learn this is by example, so here goes:

Event Log Win2k3 and Earlier
--From system event log get the following 4 fields
LogParser -i:EVT -o:datagrid "SELECT TimeGenerated, EventTypeName, SourceName, Message FROM System"

--From system event log get the following 4 fields where the source is PRINT
LogParser -i:EVT -o:datagrid "SELECT TimeGenerated, EventTypeName, SourceName, Message FROM System WHERE SourceName = 'print'"

--Push into .csv file all items where message is like exception or eventid = 666
--ResolveSIDs to show me the real windows login name
LogParser -i:EVT -resolveSIDs:ON "SELECT TimeGenerated, SID, SourceName, Message FROM System INTO E:\File.csv WHERE Message LIKE '%Exception%' OR EventID = 666"

--AppPool Recycle
Select top 25 TO_STRING(TimeGenerated, 'hh:mm:ss') as dateTime, Message
from \\MyServer\System
where SourceName in ('W3SVC';'WAS') and
EventID in (1117;1080;1079;1078;1077;1076;1011;1010;1009)
ORDER BY dateTime DESC

Event Log Vista and Later
The LogParser query is the same, but on Windows Vista the event logs have to be saved or converted to the new Event Log file format, ".evtx", first. The Windows Events Command Line Utility (wevtutil) can be used to do this. At the command prompt:

wevtutil epl application.evt application.evtx /lf:true

This should now let you parse it with logparser.

Generic Log4Net
--A basic default log4net file
select extract_token(field1,0,',') as DateTime,
extract_token(field1, -1, ' ') as Module,
extract_token(field1,2,' ') as Type,
field2 as Comment
from c:\MyLog4NetFile.log
where field1 like '2009%'
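As an added illustration (not code from the original post), the Python script below applies the same three extract_token calls and the field1/field2 split to a few constructed log4net lines, so you can see what each column of the query above will hold before pointing it at a real file. It assumes the file follows the log4net pattern "%date %-5level %logger - %message" and that " - " is the column separator; the sample lines, the helper names and the handling of empty tokens from the level padding are all assumptions, not a statement of LogParser's exact behaviour.

```python
from typing import Dict, List, Optional

# Constructed sample (assumption): three lines in the layout
# "<date>,<millis> <LEVEL> <logger> - <message>". The third line is
# from 2008 so the "field1 like '2009%'" filter has something to drop.
SAMPLE_LOG = """\
2009-06-25 08:15:02,117 INFO  MyApp.Startup - Service started
2009-06-25 08:15:03,004 ERROR MyApp.Db - Connection refused
2008-12-31 23:59:59,999 WARN  MyApp.Startup - Old entry from last year
this line has no separator and is skipped
"""


def extract_token(text: str, index: int, sep: str) -> Optional[str]:
    """Mirror the query's EXTRACT_TOKEN(text, index, sep) usage.

    Splits on sep and returns the token at index; a negative index counts
    from the end (the query relies on -1 for the last token). Empty tokens
    caused by the padding in %-5level are dropped here (assumption).
    Returns None when the index is out of range instead of raising.
    """
    tokens = [t for t in text.split(sep) if t != ""]
    try:
        return tokens[index]
    except IndexError:
        return None


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split a line into field1/field2 on ' - ' (assumed column separator)
    and build the four columns the query selects."""
    field1, sep, field2 = line.partition(" - ")
    if not sep:
        # No separator: LogParser would leave field2 empty; we skip the row.
        return None
    return {
        "DateTime": extract_token(field1, 0, ","),   # drop the millisecond part
        "Module": extract_token(field1, -1, " "),    # last token = logger name
        "Type": extract_token(field1, 2, " "),       # third token = level
        "Comment": field2,                           # everything after ' - '
    }


def run_query(log_text: str, prefix: str = "2009") -> List[Dict[str, Optional[str]]]:
    """Equivalent of the full query: parse every line and keep those whose
    field1 starts with prefix (the WHERE field1 LIKE '2009%' clause)."""
    rows = []
    for line in log_text.splitlines():
        row = parse_line(line)
        if row is not None and line.startswith(prefix):
            rows.append(row)
    return rows


if __name__ == "__main__":
    # Print the result the way -o:CSV would lay it out.
    print("DateTime,Module,Type,Comment")
    for r in run_query(SAMPLE_LOG):
        print(",".join(str(r[c]) for c in ("DateTime", "Module", "Type", "Comment")))
```

Run it once against your own log file's first few lines (paste them into SAMPLE_LOG) and check that the Type column really is the level; if your pattern includes [%thread] before the level, the token index in the query needs to move from 2 to 3.
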

FileMon
--Show me Access Denied entries from a FileMon log on the console screen
LOGPARSER "Select Text from C:\Filemon.log where Text like '%Access Denied%'" -i:TEXTLINE -q:Off

NetMon
--min and max date from my netmon trace
logparser -i:NETMON "SELECT MIN(DateTime) as Start, MAX(DateTime) as End from mytrace.cap"

--select all and push to csv file from mytrace
logparser -i:NETMON -o:CSV "select * INTO Output.csv from mytrace.cap"

Here are some basic examples using logparser against some formats. Look for more examples later today.
