XML Report of Windows EventViewer Security EventID 529
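4 07 2007 The following LogParser.exe command queries the Windows NT Security log for EventID 529 (logon failure: unknown user name or bad password) and writes the results to %computername%_security_logons_failed_529.xml. In the sample output below, the LogonType column holds values such as seclogon and NtLmSsp and the LogonProcess column holds Negotiate and NTLM, so tokens 3 and 4 appear to be the logon process and the authentication package rather than the numeric logon type; check the token positions against the event description on your Windows version before relying on the column names.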
LogParser "SELECT TimeGenerated AS LogonDate, EXTRACT_TOKEN(Strings, 0, '|') AS Username, EXTRACT_TOKEN(Strings, 3, '|') AS LogonType, EXTRACT_TOKEN(Strings, 4, '|') AS LogonProcess, EXTRACT_TOKEN(Strings, 11, '|') AS Source INTO %computername%_security_logons_failed_529.xml FROM Security WHERE EventID = 529"
<ROOT DATE_CREATED="2007-07-04 09:03:53" CREATED_BY="Microsoft Log Parser V2.2">
- <ROW>
<LogonDate>2007-06-18 13:33:50</LogonDate>
<Username>Ivan1980</Username>
<LogonType>seclogon</LogonType>
<LogonProcess>Negotiate</LogonProcess>
<Source>-</Source>
</ROW>
- <ROW>
<LogonDate>2007-06-22 15:35:06</LogonDate>
<Username>a-ws-admin</Username>
<LogonType>NtLmSsp</LogonType>
<LogonProcess>NTLM</LogonProcess>
<Source>192.168.50.188</Source>
</ROW>
- <ROW>
<LogonDate>2007-06-22 15:35:06</LogonDate>
<Username>a-ws-admin</Username>
<LogonType>NtLmSsp</LogonType>
<LogonProcess>NTLM</LogonProcess>
<Source>192.168.50.188</Source>
</ROW>
- <ROW>
<LogonDate>2007-06-22 15:35:07</LogonDate>
<Username>a-ws-admin</Username>
<LogonType>NtLmSsp</LogonType>
<LogonProcess>NTLM</LogonProcess>
<Source>192.168.50.188</Source>
</ROW>
- <ROW>
<LogonDate>2007-06-22 15:35:07</LogonDate>
<Username>a-ws-admin</Username>
<LogonType>NtLmSsp</LogonType>
<LogonProcess>NTLM</LogonProcess>
<Source>192.168.50.188</Source>
</ROW>
</ROOT>
- <ROW>
<LogonDate>2007-06-18 13:33:50</LogonDate>
<Username>Ivan1980</Username>
<LogonType>seclogon</LogonType>
<LogonProcess>Negotiate</LogonProcess>
<Source>-</Source>
</ROW>
- <ROW>
<LogonDate>2007-06-22 15:35:06</LogonDate>
<Username>a-ws-admin</Username>
<LogonType>NtLmSsp</LogonType>
<LogonProcess>NTLM</LogonProcess>
<Source>192.168.50.188</Source>
</ROW>
- <ROW>
<LogonDate>2007-06-22 15:35:06</LogonDate>
<Username>a-ws-admin</Username>
<LogonType>NtLmSsp</LogonType>
<LogonProcess>NTLM</LogonProcess>
<Source>192.168.50.188</Source>
</ROW>
- <ROW>
<LogonDate>2007-06-22 15:35:07</LogonDate>
<Username>a-ws-admin</Username>
<LogonType>NtLmSsp</LogonType>
<LogonProcess>NTLM</LogonProcess>
<Source>192.168.50.188</Source>
</ROW>
- <ROW>
<LogonDate>2007-06-22 15:35:07</LogonDate>
<Username>a-ws-admin</Username>
<LogonType>NtLmSsp</LogonType>
<LogonProcess>NTLM</LogonProcess>
<Source>192.168.50.188</Source>
</ROW>
</ROOT>
