So let me preface this page by saying that by no means is this complete. In recent weeks with all the changes market wise, etc., the status detail requirements have increased a bunch. Customers are now wanting records of if and when faxes were received. Managers wanting status of servers at time xx:xx. Patch levels need to be verified, etc, etc… You get the drift, a very hectic IT time. I know surely that we are not the only ones feeling the pinch so I hope that the information below will be of some use to my fellow IT Comrades.
Lets start off with some simple information. To gather some of the required data, I rely on whatever I can use that is already purchased or comes free from Micro$oft. The reason being, I come from a work past where it was painful to purchase anything new without justifications out the ears. Lets begin.
I am a fan of the System Event Viewer and logs where I can find them but we all know that software is perfect and every detail we need is there, right? For my first trick, I will use Logparser 2.2, available from Microsoft for free. This is one of those tools that just ROCKS and is one I recommend for your personal tool kit.
Checking Login and Logout Times of a Specific User
Who hasn’t had this request? It’s no fun combing through loads of log files to locate information to fill this request. So with that said, here is the first query:
1 logparser "SELECT * FROM system"
Ugly huh? If you run this, you will see EVERYTHING from the system log in your computers event viewer. Not very useful I know, so lets elaborate on it a bit. First, lets make it something you can manipulate within Excel. At least then you can sort it right?
1 logparser -o:csv "SELECT * FROM system"
BLAM! You screen runs away with more data than you ever wanted. Not to worry, let me tell you what just happened. The “-o” option allows you to specify what kind of output the data should be displayed in. When used, it removed the default “10 at a time” display you may have noted in the first example. It also separated the fields with commas and provided a header row at the beginning of the data that was displayed. What? You didn’t see the header?? No problem, lets send this data to a file where it will be more useful.
1 logparser -o:csv "SELECT * INTO mysystem.csv FROM system"
Now that a comma-delimited file has been created, the data can be viewed within Excel to be sorted and arranged as desired. Still to much data? Did not want every event for every process listed in your system events log? Lets trim the information down a bit further. For my example, I will list only those events with the ID 1074, aka system restarts.
1 logparser -o:csv "SELECT * INTO mysystem.csv FROM system WHERE EventID='1074'"
Note the addition of the WHERE option. The field name is one of several fields available from the event log entry. If you are not sure of what field names are available, execute the following command:
1 logparser -h -i:evt system
This tells logparser to provide help (-h) using the input type of system event logs (-i:evt) pulling specifically from the System event logs. There are a wide number of EventID’s associated with Windows. Unfortunately there does not seem to be any one list that defines all EventID’s but luckily some of them remain the same. Take for instance those ID’s associated with user logins/logoffs.
EventID 528 = Logon
EventID 538 = Logoff
So to see when a user logged in use the following:
1 logparser -o:csv "SELECT * INTO mysystem.csv FROM system WHERE EventID='528'"
This will show all logons for all user ID’s. How’s that for starters? With logparser there are a number of ways you can further fine-tune the information returned and I hope to bring more examples in the near future.