You nailed it - cryptic but powerful. I couldn't figure out how to get it to split the Message field by CrLf, so I had to hack it a little bit, using the colon as my delimiter and cutting out the subsequent field name. Should be okay so long as no paths have the word Handle ID in them.
For those who are interested, here's the syntax I used from a command prompt. With a little effort this can be turned into a DHTML page (see the Samples directory after you've installed LogParser).

logparser "select distinct eventid, TO_STRING(TimeGenerated, 'dddd, MMMM d, yyyy') AS LongTimeStamp, TO_STRING(TimeGenerated, 'M/d hh:mm:ss') AS ShortTimeStamp, extract_token(message,4, ':') as Drive, extract_prefix(extract_token(message,5, ':'), 0, ' Handle ID') as path, extract_prefix(extract_token(message,12, ':'), 0, ' Client User Name') as user, extract_prefix(extract_token(message,13, ':'), 0, ' Client Domain') as domain, extract_prefix(extract_token(message,15, ':'), 0, ' Accesses') as LogonID, extract_prefix(extract_token(message,16, ':'), 0, 'Privileges') as Accesses from *.evt" -i:EVT -o:csv -resolveSIDs > output.csv
Thanks. This may do it for us.
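Added example, not code from this thread or from LogParser: a small Python parser that does the CRLF split the message above could not get out of LogParser, keying each line on its first colon, next to a Python rendering of the colon-token trick so the "Handle ID in a path" caveat can be seen on a sample. The sample message is constructed from the field names in the query above and may not match a real CIFS audit event exactly.

```python
import re

# Constructed sample message (not a real capture): one "Key:<tab>Value" per
# CRLF line, deeper-indented continuation lines. Field names follow the
# LogParser query above; the path deliberately contains "Handle ID".
SAMPLE_MESSAGE = (
    "Object Open:\r\n"
    "\tObject Type:\tFile\r\n"
    "\tObject Name:\tC:\\vol\\share\\old Handle ID notes.txt\r\n"
    "\tHandle ID:\t1234\r\n"
    "\tClient User Name:\tjdoe\r\n"
    "\tClient Domain:\tCORP\r\n"
    "\tAccesses:\tREAD_CONTROL\r\n"
    "\t\t\tReadData (or ListDirectory)\r\n"
    "\tPrivileges:\t-\r\n"
)

# A field line: at most one leading tab, a key with no tab or colon, then the
# FIRST colon. Continuation lines (two or more tabs) never match this.
FIELD_RE = re.compile(r"^\t?([^\t:]+):\t?(.*)$")

def parse_message(message):
    """Split the Message text on CRLF, then key each line on its first colon,
    so colons or the words 'Handle ID' inside a value cannot shift fields."""
    fields, current = {}, None
    for line in message.split("\r\n"):
        if not line.strip():
            continue
        m = FIELD_RE.match(line)
        if m:
            current = m.group(1).strip()
            fields[current] = m.group(2).strip()
        elif current:  # continuation of a multi-line value such as Accesses
            fields[current] = "; ".join(filter(None, [fields[current], line.strip()]))
    return fields

def audit_row(fields):
    """Same columns as the query: drive, path, user, domain, accesses."""
    drive, _, path = fields.get("Object Name", "").partition(":")
    return (drive, path, fields.get("Client User Name", ""),
            fields.get("Client Domain", ""), fields.get("Accesses", ""))

def colon_token_path(message):
    """Python rendering of the query's colon-token trick for the path column:
    take the token two colons after 'Object Name' and cut at ' Handle ID'.
    A path that itself contains 'Handle ID' comes back truncated."""
    tokens = message.split(":")
    i = next(k for k, t in enumerate(tokens) if t.endswith("Object Name"))
    return tokens[i + 2].split(" Handle ID")[0]
```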
________________________________
From: owner-toasters@mathworks.com [mailto:owner-toasters@mathworks.com] On Behalf Of Warkentin, Grant
Sent: Friday, June 15, 2007 11:41 AM
To: Jon Hill; toasters
Subject: RE: Cifs audit logs
Can anyone suggest a good tool that can gather .evt files from a
specified directory, weed out duplicates and store the end result in
either a database or another .evt file?
If you don't mind using a cryptic but powerful utility, do a Google search for "Log Parser" or go here: http://www.microsoft.com/technet/scriptcenter/tools/logparser/default.mspx