Simple Windows Print Accounting using Event Viewer data

This post continues where my previous post titled Export events including Event Properties from Windows Event Viewer left off.

The data I’m going to work with was exported using eventquery.vbs and saved in a CSV-file, comma separated file and it is presented in the form shown below.

"Information","10","12.05.2009 13:24:48","Print","Servername","None","AD\username","Document 232, filename.pdf owned by username was printed on printername via port IP_192.168.0.254. Size in bytes: 279232; pages printed: 18"

I’m interested in the username, date/time printed and pages printed and will now show how I’ve accomplished that using some simple linux console commands.

awk -F, '{print $7 " " $3 " " $4 " " $NF}' Event_Viewer_System.csv | grep printername | awk '{print $1 "," $2 "," $3 "," $NF}' | sed 's/\"//g'|sort > PrintAccounting.csv

Result

username,14.05.2009,12:58:41,18
username,15.05.2009,09:24:13,2
username,15.05.2009,09:25:00,37
username,15.05.2009,09:30:03,2
username,15.05.2009,09:30:29,2
...

Where the fields contain username, date, time and the amount of printed pages.

A short description on whats being done

  • print out column 7, 3, 4 and last column where the separator is a comma (,) from the file Event_Viewer_System.csv
  • filter out the printer you are interested in
  • filter out again the data we are interested in
  • remove quote sign (“) from the list
  • sort the list ny username
  • redirect the output to a file

And that’s how you make a primitive print accounting system from data gathered in a Windows Server.
This particular example has been testen on data from a Windows 2003 Server, but I think it can be performed on other versions of Windows as well.