Page 1 of 2
Results 1 to 15 of 22
  1. #1
    2 Star Lounger
    Join Date
    Aug 2014
    Posts
    123
    Thanks
    19
    Thanked 0 Times in 0 Posts

    Grabbing selected elements from event log using batch

    I have tried a test of getting the event log output and that I get to work.
    I have tried using a FOR loop to output each line which is then piped to a find command but when it displays the result I have apparently screwed up the FOR command because I do not get a complete line, i.e. look for Event ID: and I get Event when %%A should be EVENT ID: ####. Note that each line I want is then appended to a previous line or an empty line.
Can someone help, because I have invested a bunch of time and this should be a simple solution -- I hope, the simple one said.
    Code:
    set EnableDelayedExpansion
    set line=""
    for /f "delims= " %%A in ('wevtutil qe Security /rd:true /f:text /c:1') do (if echo %%A | find "Date:" set line="%%A "
        if echo %%A | find "Event ID:" set line="!line!%%A "
        if echo %%A | find "Task:" set line=!line!%%A "
        if echo %%A | find "Security ID:" set line=!line!%%A "
        if echo %%A | find "Account Name:" set line=!line!%%A "
        if echo %%A | find "Account Domain:" (
          set line=!line!%%A"
          echo %line% >> bidslog.txt
          set line=""
    :FINI
       )
    Thanks in advance for any help!!

  2. #2
    WS Lounge VIP
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    8,202
    Thanks
    49
    Thanked 987 Times in 917 Posts
    %A is only the first value returned from the command, assuming you have spaces in there. You need to use the "tokens" command to put the entire response into the variable %A. e.g. for /f "tokens=* delims= " %%A in....
    To test this try the following:
    for /f "delims= " %%A in ('wevtutil qe Security /rd:true /f:text /c:1') do echo %%A
    for /f "tokens=* delims= " %%A in ('wevtutil qe Security /rd:true /f:text /c:1') do echo %%A

    Rereading this you don't even need the "delims" as space is the default, so this should work: for /f "tokens=*" %%A....

    To empty a variable you only need to set it, e.g. set line=

    cheers, Paul

  3. #3
    2 Star Lounger
    Join Date
    Aug 2014
    Posts
    123
    Thanks
    19
    Thanked 0 Times in 0 Posts
    Tried that and got the same message as the following attempt got, i.e. %A (or in current case %I) unexpected. This current code was suggested by another search attempt and I reduced the output expected.
    Code:
    set line=""
    for /f  %%I in ('wevtutil qe Security /rd:true /f:text /c:1') do (
      echo retrived %%I
      for /f "tokens=1,2,3,4" %%J in ("%%I") DO (
         echo TESTB
         if echo "%%J" EQU "Date:" ( set line=%%F"&echo !line!)
      )
    )
Does it matter that the tokens exceed the elements in the line?
    Confused as to why %%I is getting flagged.

  4. #4
    Super Moderator RetiredGeek's Avatar
    Join Date
    Mar 2004
    Location
    Manning, South Carolina
    Posts
    9,436
    Thanks
    372
    Thanked 1,457 Times in 1,326 Posts
    Spark,

I'm attempting to do this in PowerShell; could you please tell me exactly which Event Log you are searching?
    I've looked at the two security related logs Microsoft-Windows-Security-Auditing & Microsoft-Windows-Eventlog and I can't find anything with a Security tag at least not on my machine.
    May the Forces of good computing be with you!

    RG

    PowerShell & VBA Rule!

    My Systems: Desktop Specs
    Laptop Specs

  5. #5
    WS Lounge VIP
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    8,202
    Thanks
    49
    Thanked 987 Times in 917 Posts
    You've told the "for" command to return 4 separate results so you will get %J, %K, %L & %M. Extra tokens will be empty, which is OK.

    Error reporting in batch files is limited and we can't guess which %I it is complaining about. Can you shed some light?

    cheers, Paul

  6. #6
    2 Star Lounger
    Join Date
    Aug 2014
    Posts
    123
    Thanks
    19
    Thanked 0 Times in 0 Posts
@R'tired Geek,
    I came back to M$ after trashing XP and stepped into the quagmire called 8.1 so not sure but bet U R using Win7 or XP.
    U must be close with the latter mentioned location. To get to Security event logs via the graphics mode in 8.1 it is: Windows icon > Event Viewer > Windows Logs > Security.
    I am doing all Event log work using wevtutil command which is apparently the same as wevtutil.exe. Either of those commands will allow access to all Windows event logs by incorporating the log name in the object field of the command. Example:
wevtutil qe Security /f:text /c:1 produces the oldest single (just 1) record from the Security log. U can do a reverse reading of logs and get other formats and more event logs. Maybe someone with UR OS version can give better directions.

    @Paul T:
    Hate to cause confusion but have been trying other approaches and have gone back to using 2 for commands. Probably stupid but when lost follow the sun.
    I've just stuck in the 2 pauses but for now ignore them. I'm getting the %J unexpected immediately. I see it has seen the set line="ABC" just before that but do not see the echo TEST debug statement.
    set line="ABC"
    for /f %%I in ('wevtutil qe Security /rd:true /f:text /c:1') do (
    echo Test Retrived %%I
    pause
    for /f "tokens=1,2,3,4" %%J in ("%%I") DO (
    echo TESTB %%J
    pause
    if echo "%%J" EQU "Date:" set line="echo !line!&echo %%I"
    echo !line!
    set line="DEF"
    echo !line!
    )
    )
The wevtutil statement does work by itself. It produces lines of text which I presume are being fed 1 at a time to the "for %%J" line. Since I do not get the echo TESTB %%J output I guess it is dying in the "for %%J" line, but I will be taking that line out to test independently.
    There are 3 steps to writing command descriptions: 1) say what it is intended to do, 2) demonstrate with variations, 3) show the neat tricks and explain the variation whys. Wish the M$ tech docs would follow that especially #3. IMHO
    Does that get this moving forward?
    Is my premise incorrect that the first for is feeding single lines of text 1 at a time to the second for? How to test???

  7. #7
    WS Lounge VIP
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    8,202
    Thanks
    49
    Thanked 987 Times in 917 Posts
    The following line doesn't pass all the data because the "for" command breaks the data into an array and you are using a single token. You need to use the "tokens" argument to pass all the data.
    Orig: for /f %%I in ('wevtutil qe Security /rd:true /f:text /c:1') do (
    New: for /f "tokens=*" %%I in ('wevtutil qe Security /rd:true /f:text /c:1') do (

    I don't think you need the second "for" command, just use the existing tokens.
    What does the "echo !line!" command do? It doesn't work for me.
    You have a smattering of "echo" commands that are just in the wrong place. "if echo "%%J" EQU "Date:"" just won't work as the word echo is used in the test instead of sending data to the screen.

    Here is a revised version.

    cheers, Paul
    Code:
    for /f "tokens=*" %%I in ('wevtutil qe Security /rd:true /f:text /c:1') do (
      if %%J EQU Date: set line=%%I
    )

  8. #8
    Silver Lounger RolandJS's Avatar
    Join Date
    Dec 2009
    Location
    Austin metro area TX USA
    Posts
    1,735
    Thanks
    95
    Thanked 128 Times in 125 Posts
spark55, PaulT, I would very much like to use this batch file within a DOS CMD run as Admin!
    Sparks55, so far, I have an empty EventLog1.txt, so I'm doing something wrong. Would one of youse guys post the successful BATchfile, when written?
    "Take care of thy backups and thy restores shall take care of thee." Ben Franklin revisited.
    http://collegecafe.fr.yuku.com/forum...-Technologies/

  9. #9
    WS Lounge VIP
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    8,202
    Thanks
    49
    Thanked 987 Times in 917 Posts
    Re-reading my post to respond to Roland I see a problem. The "tokens" line should be "tokens=1,*"
    Note to self, must test code before posting.

    Roland, open a command prompt as admin and run the following command. If that works you should be able to run the second command in a batch file - run as admin, or run the batch file from within the Command Prompt you just opened.

    1. wevtutil qe Security /rd:true /f:text /c:1
2. for /f "tokens=1,*" %%I in ('wevtutil qe Security /rd:true /f:text /c:1') do if %%I EQU Date: echo line=%%I %%J

    cheers, Paul

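Putting Paul's "tokens=1,*" advice together with the field list from post #1, here is a complete batch file that writes one line per Security event. This is an added example, not code posted in the thread; it assumes an elevated cmd.exe (wevtutil needs it for the Security log), takes the output file name bidslog.txt from post #1, and reads 5 records so the run stays short.

```batch
@echo off
rem Added example, not the thread's own code: one line per Security event with
rem the Date, Event ID, Task, Security ID, Account Name and Account Domain fields.
rem Assumed: run from an elevated cmd.exe; output file name taken from post #1.
setlocal EnableDelayedExpansion
set "out=bidslog.txt"
set "line="
rem delims=: splits each "Label: value" line at the first colon; tokens=1,*
rem keeps the whole remainder (including the colons in the timestamp) in %%J.
rem /rd:true reads newest first, as in the thread; /c:5 limits the record count.
for /f "tokens=1,* delims=:" %%I in ('wevtutil qe Security /rd:true /f:text /c:5') do (
    rem The nested for with tokens=* strips leading spaces and tabs from both parts.
    set "key=" & set "val="
    for /f "tokens=*" %%K in ("%%I") do set "key=%%K"
    for /f "tokens=*" %%V in ("%%J") do set "val=%%V"
    rem Date is the first wanted field of each record, so it starts a new output
    rem line and flushes the previous one. Redirection comes first so a value
    rem ending in a digit is never read as a file handle.
    if "!key!"=="Date" (
        if defined line >>"%out%" echo !line!
        set "line=Date=!val!"
    )
    if "!key!"=="Event ID"       set "line=!line! EventID=!val!"
    if "!key!"=="Task"           set "line=!line! Task=!val!"
    if "!key!"=="Security ID"    set "line=!line! SID=!val!"
    if "!key!"=="Account Name"   set "line=!line! Account=!val!"
    if "!key!"=="Account Domain" set "line=!line! Domain=!val!"
)
rem Flush the last record, then show the result.
if defined line >>"%out%" echo !line!
endlocal
type "bidslog.txt"
```

Logon events carry Security ID / Account Name / Account Domain twice (Subject and New Logon), so those fields are appended twice on the same line, which matches what the post #1 script was aiming for; a description line containing a double quote or an exclamation mark would still be mangled by cmd parsing, so check the output once against a known event before relying on it.
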
  10. #10
    Silver Lounger RolandJS's Avatar
    Join Date
    Dec 2009
    Location
    Austin metro area TX USA
    Posts
    1,735
    Thanks
    95
    Thanked 128 Times in 125 Posts
My eventlog1.txt still has zero bytes; like the last scene of Finding Nemo: Now what?
    [PaulT, could it be that there is nothing in security area to report?]
    "Take care of thy backups and thy restores shall take care of thee." Ben Franklin revisited.
    http://collegecafe.fr.yuku.com/forum...-Technologies/

  11. #11
    WS Lounge VIP
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    8,202
    Thanks
    49
    Thanked 987 Times in 917 Posts
    Possibly. Try "Application".

    cheers, Paul

  12. #12
    Silver Lounger RolandJS's Avatar
    Join Date
    Dec 2009
    Location
    Austin metro area TX USA
    Posts
    1,735
    Thanks
    95
    Thanked 128 Times in 125 Posts
    sparks55, PaulT, I'm creating in my Google Drive BAT&CONFIG folder w/DRN, MLDRD & WLTRD subfolders. They contain batchfiles and configuration files. Can we "meet" in there, I'll give you both edit rights to that parent directory. I'll need your email addresses to tie the edit rights to. rmstoller AT sbcglobal DOT net -- we can meddle in there all we want, we always post a success in here.
    "Take care of thy backups and thy restores shall take care of thee." Ben Franklin revisited.
    http://collegecafe.fr.yuku.com/forum...-Technologies/

  13. #13
    WS Lounge VIP
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    8,202
    Thanks
    49
    Thanked 987 Times in 917 Posts
    Nope, I limit my presence to a few forums like this.

    You can post your batch file here - wrap it in CODE tags - and we'll review.

    cheers, Paul

  14. #14
    Silver Lounger RolandJS's Avatar
    Join Date
    Dec 2009
    Location
    Austin metro area TX USA
    Posts
    1,735
    Thanks
    95
    Thanked 128 Times in 125 Posts
PaulT, what and how is "Application"?
    "Take care of thy backups and thy restores shall take care of thee." Ben Franklin revisited.
    http://collegecafe.fr.yuku.com/forum...-Technologies/

  15. #15
    WS Lounge VIP
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    8,202
    Thanks
    49
    Thanked 987 Times in 917 Posts
    Application is an event log.
    wevtutil qe Application /rd:true /f:text /c:1

    cheers, Paul
