The following LogParser.exe command queries the Windows NT Security log for EventID 529 and writes the parsed data to %computername%_security_logons_failed_529.xml.


LogParser "SELECT TimeGenerated AS LogonDate, EXTRACT_TOKEN(Strings, 0, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS LogonType, EXTRACT_TOKEN(Strings, 3, '|') AS LogonProcess, EXTRACT_TOKEN(Strings, 11, '|') AS Source INTO %computername%_security_logons_failed_529.xml FROM Security WHERE EventID = 529"
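
Once the XML file exists, a short script can group the failed logons by source to show which hosts generate repeated failures. The following is an added example, not part of the original post; it assumes the XML output wraps each record in a ROW element whose child elements carry the SELECT aliases (LogonDate, Username, LogonType, LogonProcess, Source), and the sample data and the summarize_failures name are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Constructed sample (assumption: one <ROW> per event, children named after
# the aliases in the SELECT clause of the query above).
SAMPLE_XML = """<ROOT>
  <ROW><LogonDate>2009-03-02 08:14:01</LogonDate><Username>administrator</Username>
       <LogonType>3</LogonType><LogonProcess>NtLmSsp</LogonProcess><Source>192.0.2.10</Source></ROW>
  <ROW><LogonDate>2009-03-02 08:14:03</LogonDate><Username>Administrator</Username>
       <LogonType>3</LogonType><LogonProcess>NtLmSsp</LogonProcess><Source>192.0.2.10</Source></ROW>
  <ROW><LogonDate>2009-03-02 08:14:05</LogonDate><Username>admin</Username>
       <LogonType>3</LogonType><LogonProcess>NtLmSsp</LogonProcess><Source>192.0.2.10</Source></ROW>
  <ROW><LogonDate>2009-03-02 08:14:09</LogonDate><Username>backup</Username>
       <LogonType>3</LogonType><LogonProcess>NtLmSsp</LogonProcess><Source>192.0.2.10</Source></ROW>
  <ROW><LogonDate>2009-03-02 09:30:44</LogonDate><Username>jsmith</Username>
       <LogonType>10</LogonType><LogonProcess>User32</LogonProcess><Source>192.0.2.77</Source></ROW>
  <ROW><LogonDate>2009-03-02 10:02:17</LogonDate><Username>jsmith</Username>
       <LogonType>2</LogonType><LogonProcess>User32</LogonProcess><Source>-</Source></ROW>
</ROOT>"""


def summarize_failures(xml_text, threshold=3):
    """Return (source, failure_count, usernames) for each source whose number
    of failed logons is at least `threshold`, busiest source first."""
    root = ET.fromstring(xml_text)
    attempts = Counter()
    users = defaultdict(set)
    for row in root.iter("ROW"):
        source = (row.findtext("Source") or "").strip()
        if source in ("", "-"):
            # Console logons carry no network address in the event
            source = "(local/unknown)"
        # Windows account names are case-insensitive, so fold case
        user = (row.findtext("Username") or "").strip().lower()
        attempts[source] += 1
        users[source].add(user)
    return [(src, count, sorted(users[src]))
            for src, count in attempts.most_common()
            if count >= threshold]


if __name__ == "__main__":
    for src, count, names in summarize_failures(SAMPLE_XML):
        print(f"{src}: {count} failed logons, accounts tried: {', '.join(names)}")
```

Many failures from one source against several different account names, as in the constructed 192.0.2.10 rows, is the pattern worth reviewing first.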
