Windows 7/Server 2008 Security Eventlog VB Script

  • Question

  • Hello,

    This is my first time posting here so I hope someone can help me.  I have a VB Script that I use that grabs the security event logs and parses them into an Excel spreadsheet.  Everything works great with one exception, I would really like a field to display the actual username or account ID that triggered the event.  I have a username field set up in the Excel document, but due to the format of the Windows 7 security eventlogs the username is blank because the actual username is contained within the message of the event instead of being its own category within the event.  I am pretty new when it comes to scripting and I was hoping that someone has figured out how to do this or can at least point me to some examples that I can try out.  I would imagine that I would have to query the actual event message to extract that data but I do not know the syntax to do so.

    I apologize in advance if any of my terminology is incorrect.  Like I said, I am new to scripting. Please be gentle.

    Friday, December 12, 2014 3:33 PM

Answers

All replies

  • Your post isn't really a scripting question but more of a vague idea of what you think you need to do.

    You need to ask a more precise and specific question. The following posts will give you some guidance on how to ask a good question:


    -- Bill Stewart [Bill_Stewart]

    Friday, December 12, 2014 4:09 PM
    Moderator
  • Hi,

    I suggest leaving VBScript behind and learning PowerShell instead. This article may be helpful:

    http://jkeohan.wordpress.com/2012/01/13/query-security-log-using-powershell/

    This will most likely be way over your head to begin with, so I highly suggest starting here and getting your feet wet before even trying anything in the article linked above:

    http://technet.microsoft.com/en-us/scriptcenter/dd793612.aspx


    Don't retire TechNet! - (Don't give up yet - 13,085+ strong and growing)

    Friday, December 12, 2014 4:16 PM
  • Your post isn't really a scripting question but more of a vague idea of what you think you need to do.

    You need to ask a more precise and specific question. The following posts will give you some guidance on how to ask a good question:


    -- Bill Stewart [Bill_Stewart]


    Bill, Sorry for being vague.  I thought I was more clear in my question than I obviously was.  So I will try again.

    Scenario:
    I have a VBScript that parses Windows 7 security eventlogs into csv format.  The user field is blank due to the structure of Windows 7 eventlogs.  I have searched for weeks on the internet for a solution so I decided to go ahead and ask for help.

    Question:
    How do I parse out the username which is contained in the event data that triggered the event using VB Script?

    If this is not the right forum to post in please let me know and I will remove the post and move on.

    Friday, December 12, 2014 4:42 PM
  • We can only help if you post a minimal code example - this means a very short script that contains only the absolute minimum amount of code needed to illustrate your question. See http://sscce.org/.


    -- Bill Stewart [Bill_Stewart]

    Friday, December 12, 2014 7:53 PM
    Moderator
  • To extract this value you need to get the value in "ReplacementStrings".  It can be a different element in the array for those records that contain the username.

    I recommend doing this with PowerShell as it is much easier to use Get-WinEvent to extract details data from the XML images of the logs.  If you insist on pursuing the more difficult and nearly obsolete method with VBScript then I recommend 1) learning how the Eventlog is structured and 2) reviewing the numerous examples in the Repository.


    ¯\_(ツ)_/¯

    Friday, December 12, 2014 8:17 PM
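
The Get-WinEvent approach recommended in the replies, as an added example that is not code from any poster in this thread: it reads the account fields out of the event XML by name instead of by position in ReplacementStrings. It assumes PowerShell 3.0 or later; the function name `ConvertFrom-SecurityEventXml` is hypothetical, the sample event is constructed, and the field names are the ones a 4624 logon event carries (other event IDs use other names).

```powershell
# Added example. $sampleXml is a constructed event (made-up host and account),
# shaped like what Get-WinEvent's ToXml() returns for a 4624 logon record.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2014-12-12T15:30:00.000000000Z" />
    <Computer>WS01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">WS01$</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
  </EventData>
</Event>
'@

function ConvertFrom-SecurityEventXml {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$EventXml)
    $doc = [xml]$EventXml
    # Collect the named <Data> fields; which names exist depends on the event ID.
    $field = @{}
    $xpath = "//*[local-name()='EventData']/*[local-name()='Data'][@Name]"
    foreach ($node in $doc.SelectNodes($xpath)) {
        $field[$node.GetAttribute('Name')] = $node.InnerText
    }
    # Join domain and name; $null when the field is absent or logged as '-'.
    $account = {
        param($prefix)
        $name = $field["${prefix}UserName"]
        if ([string]::IsNullOrEmpty($name) -or $name -eq '-') { return $null }
        '{0}\{1}' -f $field["${prefix}DomainName"], $name
    }
    [pscustomobject]@{
        TimeCreated = $doc.Event.System.TimeCreated.SystemTime
        EventId     = [int]$doc.Event.System.EventID
        Computer    = $doc.Event.System.Computer
        Subject     = & $account 'Subject'   # account that requested the action
        Target      = & $account 'Target'    # account the action applied to
    }
}

ConvertFrom-SecurityEventXml $sampleXml | ConvertTo-Csv -NoTypeInformation

# Live log, from an elevated prompt:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 100 |
#     ForEach-Object { ConvertFrom-SecurityEventXml $_.ToXml() } |
#     Export-Csv .\security-events.csv -NoTypeInformation
```

Keeping both Subject and Target as separate columns matters for review: in a logon event the two usually differ, and which one counts as the user who "triggered" the event depends on the event ID.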