• Grabbing selected elements from event log using batch

    #497930

    I have tried a test of getting the event log output and that I get to work.
    I have tried using a FOR loop to output each line, which is then piped to a find command, but when it displays the result I have apparently screwed up the FOR command because I do not get a complete line; i.e. I look for "Event ID:" and I get "Event" when %%A should be "EVENT ID: ####". Note that each line I want is then appended to a previous line or an empty line.
    Can someone help cuz I have invested a bunch of time and this should be a simple solution — I hope, the simple one said.

    Code:
    set EnableDelayedExpansion
    set line=""
    for /f "delims= " %%A in ('wevtutil qe Security /rd:true /f:text /c:1') do (if echo %%A | find "Date:" set line="%%A "
        if echo %%A | find "Event ID:" set line="!line!%%A "
        if echo %%A | find "Task:" set line=!line!%%A "
        if echo %%A | find "Security ID:" set line=!line!%%A "
        if echo %%A | find "Account Name:" set line=!line!%%A "
        if echo %%A | find "Account Domain:" (
          set line=!line!%%A"
          echo %line% >> bidslog.txt
          set line=""
    :FINI
       )
    

    Thanks in advance for any help!!

    • #1482388

      %A is only the first value returned from the command, assuming you have spaces in there. You need to use the "tokens" command to put the entire response into the variable %A. e.g. for /f "tokens=* delims= " %%A in….
      To test this try the following:
      for /f "delims= " %%A in ('wevtutil qe Security /rd:true /f:text /c:1') do echo %%A
      for /f "tokens=* delims= " %%A in ('wevtutil qe Security /rd:true /f:text /c:1') do echo %%A

      Rereading this you don't even need the "delims" as space is the default, so this should work: for /f "tokens=*" %%A….

      To empty a variable you only need to set it, e.g. set line=

      cheers, Paul

    • #1482596

      Tried that and got the same message as the following attempt got, i.e. %A (or in current case %I) unexpected. This current code was suggested by another search attempt and I reduced the output expected.

      Code:
      set line=""
      for /f %%I in ('wevtutil qe Security /rd:true /f:text /c:1') do (
        echo retrieved %%I
        for /f "tokens=1,2,3,4" %%J in ("%%I") DO (
           echo TESTB
           if echo "%%J" EQU "Date:" ( set line=%%F"&echo !line!)
        )
      )
      

      Does it matter that the tokens exceed the elements in the line ?
      Confused as to why %%I is getting flagged.

    • #1482600

      Spark,

      I'm attempting to do this in PowerShell; could you please tell me exactly which Event Log you are searching?
      I’ve looked at the two security related logs Microsoft-Windows-Security-Auditing & Microsoft-Windows-Eventlog and I can’t find anything with a Security tag at least not on my machine. :cheers:

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!

    • #1482621

      You’ve told the “for” command to return 4 separate results so you will get %J, %K, %L & %M. Extra tokens will be empty, which is OK.

      Error reporting in batch files is limited and we can’t guess which %I it is complaining about. Can you shed some light?

      cheers, Paul

    • #1482768

      @RetiredGeek,
      I came back to M$ after trashing XP and stepped into the quagmire called 8.1 so not sure but bet U R using Win7 or XP.
      U must be close with the latter mentioned location. To get to Security event logs via the graphics mode in 8.1 it is: Windows icon > Event Viewer > Windows Logs > Security.
      I am doing all Event log work using wevtutil command which is apparently the same as wevtutil.exe. Either of those commands will allow access to all Windows event logs by incorporating the log name in the object field of the command. Example:
      wevtutil qe Security /f:text /c:1 produces the oldest single (just 1) record from the security log. U can do a reverse reading of logs and get other formats and more event logs. Maybe someone with UR OS version can give better directions.


      @PaulT:
      Hate to cause confusion but have been trying other approaches and have gone back to using 2 for commands. Probably stupid but when lost follow the sun.
      I’ve just stuck in the 2 pauses but for now ignore them. I’m getting the %J unexpected immediately. I see it has seen the set line=”ABC” just before that but do not see the echo TEST debug statement.
      set line="ABC"
      for /f %%I in ('wevtutil qe Security /rd:true /f:text /c:1') do (
        echo Test Retrieved %%I
        pause
        for /f "tokens=1,2,3,4" %%J in ("%%I") DO (
          echo TESTB %%J
          pause
          if echo "%%J" EQU "Date:" set line="echo !line!&echo %%I"
          echo !line!
          set line="DEF"
          echo !line!
        )
      )
      The wevtutil statement does work by itself. It produces lines of text which I presume are being fed 1 at a time to the "for %%J" line. Since I do not get the echo TESTB %%J output I guess it is dying in the "for %%J" line, but I will be taking that line out to test independently.
      There are 3 steps to writing command descriptions: 1) say what it is intended to do, 2) demonstrate with variations, 3) show the neat tricks and explain the variation whys. Wish the M$ tech docs would follow that especially #3. IMHO
      Does that get this moving forward?
      Is my premise incorrect that the first for is feeding single lines of text 1 at a time to the second for? How to test???

    • #1482774

      The following line doesn’t pass all the data because the “for” command breaks the data into an array and you are using a single token. You need to use the “tokens” argument to pass all the data.
      Orig: for /f %%I in ('wevtutil qe Security /rd:true /f:text /c:1') do (
      New: for /f "tokens=*" %%I in ('wevtutil qe Security /rd:true /f:text /c:1') do (

      I don’t think you need the second “for” command, just use the existing tokens.
      What does the “echo !line!” command do? It doesn’t work for me.
      You have a smattering of "echo" commands that are just in the wrong place. "if echo "%%J" EQU "Date:"" just won't work, as the word echo is used in the test instead of sending data to the screen.

      Here is a revised version.

      cheers, Paul

      Code:
      for /f "tokens=*" %%I in ('wevtutil qe Security /rd:true /f:text /c:1') do (
        if %%J EQU Date: set line=%%I
      )
    • #1482796

      spark55, PaulT, I would very much like to use this batchfile within a DOS CMD run as Admin!
      Sparks55, so far, I have an empty EventLog1.txt, so I’m doing something wrong. Would one of youse guys post the successful BATchfile, when written?

      "Take care of thy backups and thy restores shall take care of thee." Ben Franklin, revisited

      • #1482799

        Re-reading my post to respond to Roland I see a problem. The “tokens” line should be “tokens=1,*”
        Note to self, must test code before posting.

        Roland, open a command prompt as admin and run the following command. If that works you should be able to run the second command in a batch file – run as admin, or run the batch file from within the Command Prompt you just opened.

        1. wevtutil qe Security /rd:true /f:text /c:1
        2. for /f "tokens=1,*" %%I in ('wevtutil qe Security /rd:true /f:text /c:1') do if "%%I" EQU "Date:" echo line=%%J

        cheers, Paul

    • #1482802

      my eventlog1.txt still has zero bytes; like the last scene of Finding Nemo: Now, what? 🙂 🙂
      [PaulT, could it be that there is nothing in security area to report?]

      "Take care of thy backups and thy restores shall take care of thee." Ben Franklin, revisited

    • #1482803

      Possibly. Try “Application”.

      cheers, Paul

    • #1482808

      sparks55, PaulT, I’m creating in my Google Drive BAT&CONFIG folder w/DRN, MLDRD & WLTRD subfolders. They contain batchfiles and configuration files. Can we “meet” in there, I’ll give you both edit rights to that parent directory. I’ll need your email addresses to tie the edit rights to. rmstoller AT sbcglobal DOT net — we can meddle in there all we want, we always post a success in here. 🙂

      "Take care of thy backups and thy restores shall take care of thee." Ben Franklin, revisited

    • #1482813

      Nope, I limit my presence to a few forums like this.

      You can post your batch file here – wrap it in CODE tags – and we’ll review.

      cheers, Paul

    • #1482816

      PaulT, what and how is “application” ?

      "Take care of thy backups and thy restores shall take care of thee." Ben Franklin, revisited

    • #1482819

      Application is an event log.
      wevtutil qe Application /rd:true /f:text /c:1

      cheers, Paul

    • #1482821

      Spark,

      No actually I’m using Win 8.1 Update1 Pro 64-bit.

      So if this is what you’re looking at retrieving:
      [attachment: 38873-SecurityEventLog]
      I can get that via PowerShell with this code:

      Code:
      Clear-Host

      Get-EventLog -LogName Security `
                   -Source Microsoft-Windows-Security-Auditing |
          Select-Object -First 2 |
          Format-List
      

      Results:

      Code:
      Index              : 140025
      EntryType          : SuccessAudit
      InstanceId         : 4672
      Message            : Special privileges assigned to new logon.
                           
                           Subject:
                               Security ID:        S-1-5-18
                               Account Name:        SYSTEM
                               Account Domain:        NT AUTHORITY
                               Logon ID:        0x3e7
                           
                           Privileges:        SeAssignPrimaryTokenPrivilege
                                       SeTcbPrivilege
                                       SeSecurityPrivilege
                                       SeTakeOwnershipPrivilege
                                       SeLoadDriverPrivilege
                                       SeBackupPrivilege
                                       SeRestorePrivilege
                                       SeDebugPrivilege
                                       SeAuditPrivilege
                                       SeSystemEnvironmentPrivilege
                                       SeImpersonatePrivilege
      Category           : (12548)
      CategoryNumber     : 12548
      ReplacementStrings : {S-1-5-18, SYSTEM, NT AUTHORITY, 0x3e7...}
      Source             : Microsoft-Windows-Security-Auditing
      TimeGenerated      : 1/1/2015 10:24:54 AM
      TimeWritten        : 1/1/2015 10:24:54 AM
      UserName           :
      

      Note: the results are only for the line highlighted in the graphic capture of Event Viewer and the code is designed to only return the latest 2 entries (of course that can be easily changed).

      Now exactly what information do you want and what is the selection criteria? HTH :cheers:

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!

    • #1482822

      RetiredGeek, is code the same as material to be placed into a batchfile? If yes, I can do what you posted 🙂

      "Take care of thy backups and thy restores shall take care of thee." Ben Franklin, revisited

    • #1482827

      Roland,

      No that code is PowerShell and will NOT work in a batch file. :cheers:

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!

    • #1482883

      Been playing some more. Here is my test script:
      set k=0
      for /f "tokens=1-4" %%A in ('wevtutil qe Security /rd:true /f:text /c:1') do (
        set k=%k% + 1
        set line=%%A %%B %%C %%D
        echo %k% %line%
      )
      I cannot get k to do better than 0 by changing the second set k command.
      I have used !k! and dropped initial set, %k%, and just k with no side symbols.
      I have tried using %, %%, !! in the echo statement still best I get is 0.
      I thought that if a variable was defined inside the for only that the side symbols had to be “!”.
      I guess I was wrong.

      I get the set line= to show changing and appropriate values on the left.
      I tried !line! there too but got !line! in the output.
      The echo statement always outputs the last line from the wevtutil command.
      At least I know the text from wevtutil is delivered line by line but don’t know why the set command is not functioning under my demands. LOL
      Appreciating all UR help!!

      @PaulT: good thought that *. Duh on me.

      Any ideas on what should be obvious why the echo command is only holding the last line from wevtutil output and why set line does not overwrite it or is it being overwritten by the last line all the time?
      @RolandJS: Sorry for security reasons I too limit my travels like Paul T.

    • #1482900

      For what it’s worth, I remember having echo, pipe, find, sort > or >> yada yada in long ago batchfiles. The echo is what sends material into the text file.

      "Take care of thy backups and thy restores shall take care of thee." Ben Franklin, revisited

    • #1482929

      To increment a variable you need "set /a", e.g. set /a k+=1

      From my reading of your code the echo should work for every line.

      cheers, Paul
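
Putting PaulT's points from the replies above together (tokens to keep the whole line, set /a for counters, no "echo" inside an if test, delayed expansion for variables changed inside the loop), here is an added example batch file that does what the opening post asks for; it is not code from this thread. It assumes the output file name bidslog.txt and reads the newest five events, and like the other commands here it needs a prompt run as admin to read the Security log.

```batch
@echo off
setlocal EnableDelayedExpansion
rem Assumed names: output file and number of newest events to read.
set "out=bidslog.txt"
set "max=5"
set "line="
set "done=0"
set /a count=0
rem /f:text prints one "Name: value" line per field, newest event first.
rem delims=: splits each line at the FIRST colon only, so the Date value keeps its colons.
for /f "tokens=1,* delims=:" %%I in ('wevtutil qe Security /rd:true /f:text /c:%max%') do (
    rem Copy both halves, drop double quotes so they are safe inside a quoted for set,
    rem then let tokens=* trim the leading spaces and tabs wevtutil indents with.
    set "key=%%I"
    set "val=%%J"
    if defined key set "key=!key:"=!"
    if defined val set "val=!val:"=!"
    set "k="
    set "v="
    for /f "tokens=*" %%K in ("!key!") do set "k=%%K"
    for /f "tokens=*" %%V in ("!val!") do set "v=%%V"
    rem "Event[n]" opens the next record: reset the buffer and the written flag.
    if "!k:~0,6!"=="Event[" (set "line=" & set "done=0")
    if "!k!"=="Date"     set "line=!v! "
    if "!k!"=="Event ID" set "line=!line!!v! "
    if "!k!"=="Task"     set "line=!line!!v! "
    rem Only the first Subject block of the description is used; later sections are ignored.
    if "!done!"=="0" (
        if "!k!"=="Security ID"  set "line=!line!!v! "
        if "!k!"=="Account Name" set "line=!line!!v! "
        if "!k!"=="Account Domain" (
            echo !line!!v!>>"%out%"
            set "done=1"
            set /a count+=1
        )
    )
)
echo wrote !count! record(s) to %out%
endlocal
```

Values that contain a "!" are mangled by delayed expansion, which does not matter for the date, ID, SID and account fields collected here.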

    • #1483634

      Are you willing and able to utilize the free PsLogList command-line utility from Windows Sysinternals? You can easily create a batch file to pass it the switches needed to do just about anything related to the Windows Event Logs.
