The following LogParser.exe command queries the Windows NT Security log for EventID 529 (logon failure) and writes the parsed fields into %computername%_security_logons_failed_529.xml.
LogParser "SELECT TimeGenerated AS LogonDate, EXTRACT_TOKEN(Strings, 0, '|') AS Username, EXTRACT_TOKEN(Strings, 3, '|') AS LogonType, EXTRACT_TOKEN(Strings, 4, '|') AS LogonProcess, EXTRACT_TOKEN(Strings, 11, '|') AS Source INTO %computername%_security_logons_failed_529.xml FROM Security WHERE EventID = 529"
<ROOT DATE_CREATED="2007-07-04 09:03:53" CREATED_BY="Microsoft Log Parser V2.2">
  <ROW>
    <LogonDate>2007-06-18 13:33:50</LogonDate>
    <Username>Ivan1980</Username>
    <LogonType>seclogon</LogonType>
    <LogonProcess>Negotiate</LogonProcess>
    <Source>-</Source>
  </ROW>
  <ROW>
    <LogonDate>2007-06-22 15:35:06</LogonDate>
    <Username>a-ws-admin</Username>
    <LogonType>NtLmSsp</LogonType>
    <LogonProcess>NTLM</LogonProcess>
    <Source>192.168.50.188</Source>
  </ROW>
  <ROW>
    <LogonDate>2007-06-22 15:35:06</LogonDate>
    <Username>a-ws-admin</Username>
    <LogonType>NtLmSsp</LogonType>
    <LogonProcess>NTLM</LogonProcess>
    <Source>192.168.50.188</Source>
  </ROW>
  <ROW>
    <LogonDate>2007-06-22 15:35:07</LogonDate>
    <Username>a-ws-admin</Username>
    <LogonType>NtLmSsp</LogonType>
    <LogonProcess>NTLM</LogonProcess>
    <Source>192.168.50.188</Source>
  </ROW>
  <ROW>
    <LogonDate>2007-06-22 15:35:07</LogonDate>
    <Username>a-ws-admin</Username>
    <LogonType>NtLmSsp</LogonType>
    <LogonProcess>NTLM</LogonProcess>
    <Source>192.168.50.188</Source>
  </ROW>
</ROOT>
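As an added example (not the post's own code and not part of Log Parser), the Python script below reads the XML that this query produces and counts the failed logons per source address and account, then flags any account/source pair with a burst of failures inside a short window, which is the pattern a defender looks for in 529 data. The threshold and window values are assumptions. One caveat on the column names: in the 529 event, Strings token 3 is the Logon Process and token 4 is the Authentication Package, which is why the sample output's LogonType column holds "NtLmSsp" and its LogonProcess column holds "NTLM"; the script reads the elements by the names the query assigned but labels them by what they actually contain. The sample XML embedded in the script is the post's output with the XML viewer's "-" collapse markers removed.

```python
"""Summarise EventID 529 (logon failure) rows exported by the LogParser query above.

Added example, not code from the post or from Log Parser. It parses the ROOT/ROW XML
that LogParser writes, counts failures per (source, account) and reports bursts.
Threshold and window values are assumptions, not values from the post.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

# Rows in the same shape as the post's output (viewer "-" markers removed).
SAMPLE_XML = """<ROOT DATE_CREATED="2007-07-04 09:03:53" CREATED_BY="Microsoft Log Parser V2.2">
<ROW><LogonDate>2007-06-18 13:33:50</LogonDate><Username>Ivan1980</Username><LogonType>seclogon</LogonType><LogonProcess>Negotiate</LogonProcess><Source>-</Source></ROW>
<ROW><LogonDate>2007-06-22 15:35:06</LogonDate><Username>a-ws-admin</Username><LogonType>NtLmSsp</LogonType><LogonProcess>NTLM</LogonProcess><Source>192.168.50.188</Source></ROW>
<ROW><LogonDate>2007-06-22 15:35:06</LogonDate><Username>a-ws-admin</Username><LogonType>NtLmSsp</LogonType><LogonProcess>NTLM</LogonProcess><Source>192.168.50.188</Source></ROW>
<ROW><LogonDate>2007-06-22 15:35:07</LogonDate><Username>a-ws-admin</Username><LogonType>NtLmSsp</LogonType><LogonProcess>NTLM</LogonProcess><Source>192.168.50.188</Source></ROW>
<ROW><LogonDate>2007-06-22 15:35:07</LogonDate><Username>a-ws-admin</Username><LogonType>NtLmSsp</LogonType><LogonProcess>NTLM</LogonProcess><Source>192.168.50.188</Source></ROW>
</ROOT>"""


def parse_rows(xml_text):
    """Return one dict per <ROW>, keyed by what each field really holds."""
    root = ET.fromstring(xml_text)
    rows = []
    for row in root.findall("ROW"):
        rows.append({
            "when": datetime.strptime(row.findtext("LogonDate"), "%Y-%m-%d %H:%M:%S"),
            "user": row.findtext("Username"),
            # The query aliased Strings token 3 as LogonType, but in a 529 event
            # token 3 is the Logon Process (e.g. NtLmSsp, seclogon).
            "logon_process": row.findtext("LogonType"),
            # Token 4 (aliased LogonProcess) is the Authentication Package (NTLM, Negotiate).
            "auth_package": row.findtext("LogonProcess"),
            # Token 11 is the Source Network Address; "-" means no network source (local).
            "source": row.findtext("Source"),
        })
    return rows


def failures_by_source(rows):
    """Count failed logons per (source address, account) pair."""
    counts = defaultdict(int)
    for r in rows:
        counts[(r["source"], r["user"])] += 1
    return dict(counts)


def bursts(rows, threshold=3, window=timedelta(minutes=1)):
    """Return (source, user, count) for pairs with >= threshold failures inside `window`.

    threshold and window are assumed tuning values; adjust to the environment.
    """
    by_key = defaultdict(list)
    for r in rows:
        by_key[(r["source"], r["user"])].append(r["when"])
    hits = []
    for (source, user), times in by_key.items():
        times.sort()
        start = 0
        best = 0
        # Sliding window over sorted timestamps: widest run that fits in `window`.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits.append((source, user, best))
    return hits


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_XML)
    for (source, user), n in sorted(failures_by_source(rows).items()):
        print(f"{source:>16} {user:<12} failures={n}")
    for source, user, n in bursts(rows):
        print(f"BURST: {n} failures for {user} from {source} within one minute")
```

Run it against a real export by replacing SAMPLE_XML with the file's contents (for example `parse_rows(open(path).read())`); the four NTLM failures for a-ws-admin from 192.168.50.188 within two seconds are reported as a burst, while the single local seclogon failure for Ivan1980 is not.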