Use Microsoft Log Parser for trolling through the Event Viewer
Sifting through the thousands of entries in a server’s local Security Event log for a specific message can be a very time consuming experience.
One way to quickly sort through the noise is to use Microsoft’s Log Parser (FREE!). Log Parser is a command line utility that uses a language structure very similar to SQL. Install it on your PC and manually add C:\Program Files (x86)\Log Parser 2.2 to your PATH. (Right-click My Computer | Properties | Advanced system settings | Advanced | Environment Variables | System variables | Path | Edit).
Log Parser Syntax
As stated previously, Log Parser commands are very similar to SQL queries. Let’s say you are looking for an event where the EventID = 4656. You could type the following command:
logparser "SELECT * FROM Security WHERE EventID = 4656"
If you are running this on the server, you can simply state the source to be “SECURITY” as shown above. Windows will know you are referring to the server’s local Security log. If you are running this on your own PC, you would type:
logparser -i:evt "SELECT * FROM <name and path to archive file> WHERE EventID = 4656"
The above -i:evt switch means the file being used for input is an EVT file (which is the file type for Event Viewer). Alternatively, if you were searching against a text file for some other usage, you could simply put -i:txt. When you run the above commands, Windows will attempt to search the entire file. However, Windows will only output 10 entries at a time and you will get the “Press any key to continue prompt…” If you wanted this to search the entire file at once, you can add the -rtp:-1 to the end of the command.
logparser -i:evt "SELECT * FROM <name and path to archive file> WHERE EventID = 4656" -rtp:-1
Unfortunately, you will see Windows whiz by potentially hundreds of entries on your command prompt. The solution is to pipe the results to a text file.
logparser -i:evt "SELECT * FROM <name and path to archive file> WHERE EventID = 4656" -rtp:-1 >> c:\temp\my_results.txt
Unfortunately, we’ve added too much information into the text file. Even with Notepad++ or TextPad, reading through all this data can be time consuming as well. What would help is if we knew all the field types within the Event Viewer so that we could narrow things down a bit. Below is a list of fields used within the Event Viewer:
EventLog, TimeWritten, EventTypeName, SourceName, SID, RecordNumber, EventID, EventCategory Strings, Message, TimeGenerated, EventType, EventCategoryName, ComputerName, Data
We can now be a bit more creative. Let’s do a search for the same EventID but limit the output to display only the TimeGenerated. Moreover, if we suspected that David Im altered the file, let’s modify the search to only include where his username appears (ex: sam). We could type:
logparser -i:evt "SELECT TimeGenerated FROM <name and path to archive file> WHERE ( EventID = 4656 ) AND ( Message LIKE %sam% )" -rtp:-1 >> c:\temp\my_results.txt
What if I want to automate this as a task? Well you can put this into a batch file and run it as a task via native Windows Task Scheduler or VisualCron. However, some modifications have to take place. For example, the % is a special character within Windows batch files that signals to the system that you are about to refer to a variable. Thus, for Message LIKE %sam%, you must modify the batch file to be Message LIKE ‘%%sam%%’. Notice it also required the single tick marks. You would also need single tick marks around EventID = ‘4656’.
Unfortunately, the above could still display (potentially) hundreds of entries. What if we want to narrow it down to events that occurred in the last 5 minutes? There is support for that as well. The syntax below assumes you are putting this into a batch file:
logparser -i:evt "SELECT TimeGenerated FROM <name and path to archive file> WHERE TimeGenerated >= TO_LOCALTIME( SUB ( SYSTEM_TIMESTAMP(), TIMESTAMP( '05', 'mm' ) ) ) AND ( EventID = '4656' ) AND ( Message LIKE '%%sam%%' )" -rtp:-1 >> c:\temp\my_results.txt