The data I’m going to work with was exported using eventquery.vbs and saved in a CSV-file, comma separated file and it is presented in the form shown below.

"Information","10","12.05.2009 13:24:48","Print","Servername","None","AD\username","Document 232, filename.pdf owned by username was printed on printername via port IP_192.168.0.254. Size in bytes: 279232; pages printed: 18"

I’m interested in the username, date/time printed and pages printed and will now show how I’ve accomplished that using some simple linux console commands.

awk -F, '{print $7 " " $3 " " $4 " " $NF}' Event_Viewer_System.csv | grep printername | awk '{print $1 "," $2 "," $3 "," $NF}' | sed 's/\"//g'|sort > PrintAccounting.csv

Result

username,14.05.2009,12:58:41,18
username,15.05.2009,09:24:13,2
username,15.05.2009,09:25:00,37
username,15.05.2009,09:30:03,2
username,15.05.2009,09:30:29,2
...

Where the fields contain username, date, time and the amount of printed pages.

A short description on whats being done

• print out column 7, 3, 4 and last column where the separator is a comma (,) from the file Event_Viewer_System.csv
• filter out the printer you are interested in
• filter out again the data we are interested in
• remove quote sign (“) from the list
• sort the list ny username
• redirect the output to a file

And that’s how you make a primitive print accounting system from data gathered in a Windows Server.
This particular example has been testen on data from a Windows 2003 Server, but I think it can be performed on other versions of Windows as well.

The solution I came up with was to enable auditing on printing and then gather information from the System log in the Event Viewer. But first I had to export the necessary data from the Event Viewer since a normal export using the “Export List…” function by right clicking a log would not give me a good enough detail level including Event Properties.

After some research I found a Windows tools called eventquery.vbs which is located in the windows/system32 folder on most Windows PCs. It’s a script that lists the events and event properties from one or more event logs.

Export log info
This is the switches I used to export Event Viewer events from System

cscript c:\windows\system32\eventquery.vbs /fi "Type eq Information" /fi "Source eq Print" /fi "ID eq 10" /v  /l System /fo csv > Event_Viewer_System.csv

The syntax I used was to filter (/fi) out

• Events equal the type “Information”
• filter out Source equal to “Print”
• filter out ID equal “10″
• and have a verbose (/v) output
• from the System log (/l System)
• output as comma separated file (/fo)
• and redirect the result to a file > filename.csv

More info about the eventquery.vbs tool can be found by following the link under Sources.

The result from this export can look something like this

"Information","10","12.05.2009 13:24:48","Print","Servername","None","AD\username","Document 232, filename.pdf owned by username was printed on printername via port IP_192.168.0.254. Size in bytes: 279232; pages printed: 1"

If you look at the image below you’ll understand where I got the filter type info from.

These data now gives me the opportunity to filter out the data I need to create a simple print accounting on my users, and that is posted in the post named Simple Windows Print Accounting using Event Viewer data.

Source: eventquery.vbs

This post can also be used to export from any Event Viewer data log like Application, Security, Internet Explorer or other logs you have on your system.