You nailed it - cryptic but powerful. I couldn't figure out how to get it to split the Message field by CrLf, so I had to hack it a little bit, using the colon as my delimiter and cutting out the subsequent field name. Should be okay so long as no paths have the words "Handle ID" in them.
For those who are interested, here's the syntax I used from a command prompt. With a little effort this can be turned into a DHTML page (see the Samples directory after you've installed LogParser).
logparser "select distinct eventid,
    TO_STRING(TimeGenerated, 'dddd, MMMM d, yyyy') AS LongTimeStamp,
    TO_STRING(TimeGenerated, 'M/d hh:mm:ss') AS ShortTimeStamp,
    extract_token(message, 4, ':') as Drive,
    extract_prefix(extract_token(message, 5, ':'), 0, ' Handle ID') as path,
    extract_prefix(extract_token(message, 12, ':'), 0, ' Client User Name') as user,
    extract_prefix(extract_token(message, 13, ':'), 0, ' Client Domain') as domain,
    extract_prefix(extract_token(message, 15, ':'), 0, ' Accesses') as LogonID,
    extract_prefix(extract_token(message, 16, ':'), 0, 'Privileges') as Accesses
    from *.evt" -i:EVT -o:csv -resolveSIDs > output.csv
Thanks. This may do it for us.
> Can anyone suggest a good tool that can gather .evt files from a specified directory, weed out duplicates and store the end result in either a database or another .evt file?
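As an added example (not the poster's query or LogParser code): the same columns extracted by splitting the message on CrLf first and then each line on its first colon, which is the split the post wanted, placed beside the colon-token shortcut so its truncation on a path containing "Handle ID" is visible. The sample message, its field layout and the field names looked up are constructed assumptions, not a real event.

```python
from typing import Dict, Tuple

# Constructed sample message (not a real event): one "Field:<tab>value" per
# CrLf line, a leading space before each field name, and a file name that
# happens to contain the words "Handle ID".
SAMPLE_MESSAGE = (
    "Object Open:\r\n"
    " Object Server:\tSecurity\r\n"
    " Object Type:\tFile\r\n"
    " Object Name:\tD:\\Shares\\Finance\\Q3 Handle ID notes.xlsx\r\n"
    " Handle ID:\t1180\r\n"
    " Client User Name:\tjdoe\r\n"
    " Client Domain:\tCORP\r\n"
    " Client Logon ID:\t(0x0,0x2A4F1)\r\n"
    " Accesses:\tREAD_CONTROL ReadData (or ListDirectory)\r\n"
    " Privileges:\t-\r\n"
)

def parse_fields(message: str) -> Dict[str, str]:
    """Split on CrLf first, then each line on its FIRST colon only, so a
    colon or a field-name look-alike inside a value cannot shift the
    fields that follow it."""
    fields: Dict[str, str] = {}
    for line in message.splitlines():
        name, sep, value = line.strip().partition(":")
        if sep and name:
            fields[name.strip()] = value.strip()
    return fields

def drive_and_path(fields: Dict[str, str]) -> Tuple[str, str]:
    """Mirror the query's Drive/path columns: split Object Name on the
    drive-letter colon, keeping everything after it intact."""
    drive, sep, rest = fields.get("Object Name", "").partition(":")
    return (drive, rest) if sep else ("", drive)  # no colon: whole name is the path

def to_row(fields: Dict[str, str]) -> Dict[str, str]:
    """Build the columns the query emits, looked up by field name instead
    of by token position (the field names used here are assumptions)."""
    drive, path = drive_and_path(fields)
    return {"Drive": drive, "path": path,
            "user": fields.get("Client User Name", ""),
            "domain": fields.get("Client Domain", ""),
            "LogonID": fields.get("Client Logon ID", ""),
            "Accesses": fields.get("Accesses", "")}

def colon_token_path(message: str) -> str:
    """The post's shortcut: token 5 of the message split on ':', trimmed at
    ' Handle ID'. On SAMPLE_MESSAGE this returns a truncated path."""
    return message.split(":")[5].split(" Handle ID")[0]
```

Because the line-based parser keys on field names rather than token positions, an extra field in a newer event layout does not silently move the user and domain columns the way a fixed token index does.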