Export events including Event Properties from Windows Event Viewer
This post came to life after a request to produce an overview of how many prints every user produced on a special printer from our print server. Since we have no print accounting software installed on our Windows 2003 Server I had to come up with a new solution to this problem. The actual print accounting part will be posted in another post…
The solution I came up with was to enable auditing on printing and then gather information from the System log in the Event Viewer. But first I had to export the necessary data from the Event Viewer since a normal export using the “Export List…” function by right clicking a log would not give me a good enough detail level including Event Properties.
After some research I found a Windows tools called eventquery.vbs which is located in the windows/system32 folder on most Windows PCs. It’s a script that lists the events and event properties from one or more event logs.
Export log info
This is the switches I used to export Event Viewer events from System
cscript c:\windows\system32\eventquery.vbs /fi "Type eq Information" /fi "Source eq Print" /fi "ID eq 10" /v /l System /fo csv > Event_Viewer_System.csv
The syntax I used was to filter (/fi) out
- Events equal the type “Information”
- filter out Source equal to “Print”
- filter out ID equal “10”
- and have a verbose (/v) output
- from the System log (/l System)
- output as comma separated file (/fo)
- and redirect the result to a file > filename.csv
More info about the eventquery.vbs tool can be found by following the link under Sources.
The result from this export can look something like this
"Information","10","12.05.2009 13:24:48","Print","Servername","None","AD\username","Document 232, filename.pdf owned by username was printed on printername via port IP_192.168.0.254. Size in bytes: 279232; pages printed: 1"
If you look at the image below you’ll understand where I got the filter type info from.
These data now gives me the opportunity to filter out the data I need to create a simple print accounting on my users, and that is posted in the post named Simple Windows Print Accounting using Event Viewer data.
Source: eventquery.vbs
This post can also be used to export from any Event Viewer data log like Application, Security, Internet Explorer or other logs you have on your system.