Home > Tips, Tools > EventLog Query Options

EventLog Query Options

This post is actually an answer to Grant’s question.
I quote:

"I discovered eventcombmt today and have been playing round with it. I have an application whereby I want to write out a listing showing any/all accesses by a particular user. I want to run this once a day. I have not been able to figure out what the commandline switch is to specify to only scan the last 24 hours.
Do you know what it is?"


Well Grant, If you want to use EventCombMT, you can use the command line parameters /before & /after but then you’ll need to specify the full date and time in the form of MMDDYYYYHHMMSS. The date-time format needs to be exactly 14 characters, and both parameters must be used together. I think this only works in the ALTools version.

A more elegant way, would be to use Log Parser and query the Security EventLog using:

LogParser "SELECT * INTO C:\myEvents.xml FROM \\Server1\Security,\\Server2\Security WHERE EXTRACT_TOKEN(Strings, 1, ‘|’) = ‘myUser’ AND TimeGenerated >= TO_LOCALTIME(SUB(SYSTEM_TIMESTAMP(), TIMESTAMP(’23:59:59′, ‘hh:mm:ss’)))"

(You can open the C:\myEvents.xml with Excel as an XML table).


But… A simpler way, would be to use PsLogList from the Sysinternals Suite and run the command:

PsLoglist \\Server1,Server2 -s -h 24 security |find "myUser" >c:\myEvents.log


Which one do you prefer?

  1. January 13, 2012 at 20:56

    Hola Martin, justo lo que necesitaba!
    andaba buscando una tool que me ayudara con el filtro sobre varios archivos .evtx de Windows y lograr exportarlos a Excel, había encontrado algunos pero no permitian filtrar sobre vario archivos a la vez por lo cual me toco hacerlo file a file, me he ahorrado mucho tiempo con esta sencilla pero potente herramienta.


  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: