Parsing the Windows logs for a Specific User.

Sometimes you need to know each time a user did something, such as logging in, during a time period. Since the logs can be quite large, I've used this method to get results pretty fast. You will need Microsoft's Log Parser 2.2 installed to use this query. It searches the Message text of the Security, Application and System logs, and in this case I have it set to look for the name Jeff, but that can be changed to any name.

logparser "SELECT TimeGenerated, SID, Message FROM Security, Application, System WHERE Message LIKE '%jeff%'" -i:EVT -resolveSIDs:ON > c:\logresult.txt
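The Log Parser query above matches any message containing the substring "jeff", which also hits accounts such as "jeffrey" and any event that merely mentions the name in its text, and it has no time window even though the post is about a time period. The following PowerShell function is an added example (it is not from the original post and uses Get-WinEvent rather than Log Parser): it pulls logon events from the Security log for a given time window and matches the account name field exactly. The function name, parameters and the output path are my own choices; the event IDs 4624 (successful logon) and 4625 (failed logon) are standard Windows Security events.

```powershell
# Added example, not part of the original post. Assumes Windows PowerShell 5.1 or
# later, run with read access to the Security log (typically elevated).
# 4624 = successful logon, 4625 = failed logon (standard Windows Security events).
function Find-UserLogonEvents {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$UserName,        # exact account name, e.g. 'jeff'
        [datetime]$Start = (Get-Date).AddDays(-7),       # start of the time window
        [datetime]$End   = (Get-Date),                   # end of the time window
        [int[]]$EventId  = @(4624, 4625)
    )

    # FilterHashtable is evaluated by the event log service, so the time window
    # and event IDs are applied before any events are read into PowerShell.
    $filter = @{
        LogName   = 'Security'
        Id        = $EventId
        StartTime = $Start
        EndTime   = $End
    }

    # Get-WinEvent throws when nothing matches; treat that as an empty result.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the EventData fields out of the event XML into a name -> value table.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Exact, case-insensitive match on the account field rather than a
        # substring search over the whole message ('%jeff%' would also match 'jeffrey').
        if ($data['TargetUserName'] -ieq $UserName) {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                EventId     = $_.Id
                User        = $data['TargetUserName']
                Domain      = $data['TargetDomainName']
                LogonType   = $data['LogonType']
                SourceIP    = $data['IpAddress']
                Workstation = $data['WorkstationName']
            }
        }
    }
}

# Usage: every logon attempt for 'jeff' in the last 24 hours, written to CSV
# (the output path is a placeholder chosen for this example).
Find-UserLogonEvents -UserName 'jeff' -Start (Get-Date).AddDays(-1) |
    Export-Csv -Path 'C:\logresult.csv' -NoTypeInformation
```

Because the time window and event IDs go into the filter hashtable, the log service does the heavy filtering and only the candidate events are parsed, which keeps it fast on large logs. LogonType and SourceIP are worth keeping in the output: they distinguish an interactive console logon from a network or remote logon and show where it came from.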
