msgbartop
A chronological documentation test project, nothing serious, really!
msgbarbottom

13 May 2009 Export events including Event Properties from Windows Event Viewer

Posted by

This post came to life after a request to produce an overview of how many prints every user produced on a special printer from our print server. Since we have no print accounting software installed on our Windows 2003 Server I had to come up with a new solution to this problem. The actual print accounting part will be posted in another post…

The solution I came up with was to enable auditing on printing and then gather information from the System log in the Event Viewer. But first I had to export the necessary data from the Event Viewer since a normal export using the “Export List…” function by right clicking a log would not give me a good enough detail level including Event Properties.
Event Viewer

After some research I found a Windows tools called eventquery.vbs which is located in the windows/system32 folder on most Windows PCs. It’s a script that lists the events and event properties from one or more event logs.

Export log info
This is the switches I used to export Event Viewer events from System

cscript c:\windows\system32\eventquery.vbs /fi "Type eq Information" /fi "Source eq Print" /fi "ID eq 10" /v  /l System /fo csv > Event_Viewer_System.csv

The syntax I used was to filter (/fi) out

  • Events equal the type “Information”
  • filter out Source equal to “Print”
  • filter out ID equal “10”
  • and have a verbose (/v) output
  • from the System log (/l System)
  • output as comma separated file (/fo)
  • and redirect the result to a file > filename.csv

More info about the eventquery.vbs tool can be found by following the link under Sources.

The result from this export can look something like this

"Information","10","12.05.2009 13:24:48","Print","Servername","None","AD\username","Document 232, filename.pdf owned by username was printed on printername via port IP_192.168.0.254. Size in bytes: 279232; pages printed: 1"

If you look at the image below you’ll understand where I got the filter type info from.
Event Properties

These data now gives me the opportunity to filter out the data I need to create a simple print accounting on my users, and that is posted in the post named Simple Windows Print Accounting using Event Viewer data.

Source: eventquery.vbs

This post can also be used to export from any Event Viewer data log like Application, Security, Internet Explorer or other logs you have on your system.

Tags: , , ,

Comments are closed.