Hi
I've started using logparser as per Ch7 of Harlan's 4/E publication, using syntax
logparser -i:EVT -o:CSV -stats:OFF "Select RecordNumber,TO_UTCTIME(TimeGenerated),EventID,SourceName,ComputerName,SID,Strings from sourcefile" > targetfile
Seems that as soon as logparser hits an EventData field with multiple lines (not sure that's the right terminology!), the output gets severely disrupted. For example, EventData from Application.evtx (as viewed in Event Viewer) which looks like this:
Using configuration file C:\ProgramData\VMware\vmnetnat.conf. IP address 192.168.126.2 Subnet 255.255.255.0 External IP address 0.0.0.0 Device vmnet8. MAC address 005056E96100. Ignoring host MAC address 005056C00008.
is listed with the first part "Using configuration file " on the same line as the rest of the data, but then with this on subsequent lines:
C:\ProgramData\VMware\vmnetnat.conf.
IP address 192.168.126.2
Subnet 255.255.255.0
External IP address 0.0.0.0
Device vmnet8.
MAC address 005056E96100.
Ignoring host MAC address 005056C00008.
Another example, this time from Security.evtx
- EventData
ProcessId 1704
UserSid S-1-5-19
UserName NT AUTHORITY\LOCAL SERVICE
ProviderKey {DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}
ProviderName Microsoft Corporation
ChangeType %%16384
FilterKey {97DD9B3E-B170-4BBB-B96C-EBC65BFE04B1}
FilterName Boot Time Filter
FilterType %%16388
FilterId 171161
LayerKey {A3B42C97-9F04-4672-B87E-CEE9C483257F}
LayerName ALE Receive/Accept v6 Layer
LayerId 46
Weight 18446744073709551615
Conditions (text is indented) Condition ID {3971ef2b-623e-4f9a-8cb1-6e79b806b9a7} Match value Equal to Condition value 0x3a Condition ID {0c1ba1af-5765-453f-af22-a8f791ac775b} Match value Equal to Condition value 0x0086 Condition ID {6ec7f6c4-376b-45d7-9e9c-d337cedcd237} Match value Equal to Condition value 0x03 Condition ID {89f990de-e798-4e6d-ab76-7c9558292e6f} Match value Equal to Condition value 0x00000083 Condition ID {511166dc-7a8c-4aa7-b533-95ab59fb0340} Match value Equal to Condition value 0x0000000e Condition ID {46ea1551-2255-492b-8019-aabeee349f40} Match value Equal to Condition value 0x00000003 Condition ID {ab3033c9-c0e3-4759-937d-5758c65d4ae3} Match value Equal to Condition value 0x00000000
Action %%16390
CalloutKey {00000000-0000-0000-0000-000000000000}
CalloutName -
Is listed similarly with the data appearing neatly until this starts appearing on separate lines
Condition ID {3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}
Match value Equal to
Condition value 0x3a
Condition ID {0c1ba1af-5765-453f-af22-a8f791ac775b}
Match value Equal to
Condition value 0x0086
Condition ID {6ec7f6c4-376b-45d7-9e9c-d337cedcd237}
Match value Equal to
Condition value 0x03
Condition ID {89f990de-e798-4e6d-ab76-7c9558292e6f}
Match value Equal to
Condition value 0x00000083
Condition ID {511166dc-7a8c-4aa7-b533-95ab59fb0340}
Match value Equal to
Condition value 0x0000000e
Condition ID {46ea1551-2255-492b-8019-aabeee349f40}
Match value Equal to
Condition value 0x00000003
Condition ID {ab3033c9-c0e3-4759-937d-5758c65d4ae3}
Match value Equal to
Condition value 0x00000000
|%%16390|{00000000-0000-0000-0000-000000000000}|-
I've not worked out yet what causes line breaks - it seems to be relatively random, but may not be. I'm hoping I'm not the first to come across this issue. I haven't been able to locate a solution, can anyone assist in resolving this? I'm afraid I don't have coding skills. I've tried using the TSV output option, but it seems to come unstuck at the same point.
Windows 7 Enterprise SP1 - have tested with EVTX files from 32- and 64-bit in a corporate domain environment.
Cheers
I've not worked out yet what causes line breaks -
The answer is…line breaks embedded in the strings of the event message.
I haven't been able to locate a solution, can anyone assist in resolving this?
Resolved, how? What is it that you're trying to achieve? If you're trying to create a timeline, per ch 7 of WFA 4/e, you're *most* interested in the event source and ID…as such, any additional lines that do not appear in the timeline, after using wevtx.bat instead of just LogParser, will still be available for viewing in much the same way that file contents are not specifically available in a timeline.
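As an added illustration of the point above (this is not code from the original post, from WFA 4/e or from wevtx.bat), the following Python shows what a text editor sees when an event's message string carries embedded line breaks, and how a CSV-aware reader still recovers exactly one record per event. The sample CSV is constructed to mimic what `logparser -i:EVT -o:CSV` writes for the query in the post, on the assumption that Log Parser's default CSV quoting (-oDQuotes AUTO) wraps any field containing a line break in double quotes; the record numbers, timestamps, host name and SIDs are made up.

```python
"""Added example (not from the original post, from WFA 4/e, or from wevtx.bat):
why a CSV that Log Parser wrote from an EVTX file looks broken in a text
editor, and how a CSV-aware reader recovers one record per event."""
import csv
import io

# Constructed sample, not real Log Parser output. It mimics what
# `logparser -i:EVT -o:CSV` writes for the query in the post, assuming Log
# Parser's default CSV quoting (-oDQuotes AUTO): a field that contains a line
# break is wrapped in double quotes, so the vmnetnat record's Strings field
# spans eight physical lines.
SAMPLE_CSV = (
    "RecordNumber,TO_UTCTIME(TimeGenerated),EventID,SourceName,ComputerName,SID,Strings\n"
    "1001,2013-05-14 09:12:33,4624,Microsoft-Windows-Security-Auditing,WKS01,S-1-5-18,"
    "S-1-5-18|WKS01$|WORKGROUP|S-1-5-18|SYSTEM|NT AUTHORITY|5\n"
    "1002,2013-05-14 09:12:35,2,vmnetnat,WKS01,,"
    '"Using configuration file \n'
    "C:\\ProgramData\\VMware\\vmnetnat.conf.\n"
    "IP address 192.168.126.2\n"
    "Subnet 255.255.255.0\n"
    "External IP address 0.0.0.0\n"
    "Device vmnet8.\n"
    "MAC address 005056E96100.\n"
    'Ignoring host MAC address 005056C00008."\n'
)


def naive_lines(text):
    """What a text editor, wc -l or `for /f` sees: physical lines, minus the
    header.  Once a message string carries an embedded line break, a physical
    line is no longer one event."""
    return text.splitlines()[1:]


def parse_logparser_csv(text):
    """CSV-aware parse of Log Parser output held in memory.  A quoted field may
    span several lines; the csv module keeps reading until the closing quote,
    so each dict returned is exactly one event."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_logparser_file(path, encoding="utf-8"):
    """Same thing for a file on disk.  newline='' is required: it stops the
    text layer from translating line endings, leaving the csv module to
    handle the CR/LF pairs inside quoted fields.  Pass encoding= to match
    whatever -oCodepage Log Parser wrote with (assumption: utf-8 here)."""
    with open(path, newline="", encoding=encoding) as fh:
        return list(csv.DictReader(fh))


def flatten(value):
    """Collapse embedded CR/LF (and any run of whitespace) to one space so the
    message reads the way Event Viewer shows it on a single line."""
    return " ".join(value.split())


def one_line_per_event(text):
    """Rewrite the CSV with every Strings field flattened, giving a file that
    line-oriented tools (findstr, grep, a 'one row per line' import) can
    consume without mis-counting events."""
    reader = csv.DictReader(io.StringIO(text))
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        row["Strings"] = flatten(row["Strings"])
        writer.writerow(row)
    return buf.getvalue()


if __name__ == "__main__":
    print(f"physical lines after header: {len(naive_lines(SAMPLE_CSV))}")
    events = parse_logparser_csv(SAMPLE_CSV)
    print(f"events parsed as CSV:        {len(events)}")
    for e in events:
        print(f'{e["RecordNumber"]} {e["SourceName"]}/{e["EventID"]}: {flatten(e["Strings"])}')
    print(one_line_per_event(SAMPLE_CSV), end="")
```

Run as-is it reports 9 physical lines but 2 events: the data Log Parser wrote was never corrupted, it was only being read line by line. The same applies to the Security.evtx example, where each "Condition ID ... Match value ... Condition value" triple sits on its own line inside one quoted Strings field.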
I'm trying to follow the process in 4/E, my first attempt at doing so. I'm following it step by step, looking at the output at each stage to check that I understand what it is, or at least that it looks OK. So when I ran logparser and saw what I explained above in Notepad++, it threw me.
On closer inspection though, it was completely my fault. In logparser, I was saving to a .txt file rather than .csv - .csv works just fine :) RTM?
In my defence, I had been using my Kindle to work my way through this; today I used the book and it was much easier to see where I was going wrong :)
Thanks for all the efforts and patience Harlan
Cheers