Help
-h GRAMMAR : SQL Language Grammar
-h FUNCTIONS [ <function> ] : Functions Syntax
-h EXAMPLES : Example queries and commands
-h -i:<input_format> : Help on <input_format>
-h -o:<output_format> : Help on <output_format>
-h -c : Conversion help
Audit Logon Events
Event ID: 528
A user successfully logged on to a computer.
Event ID: 538
The logoff process was completed for a user.
Event ID: 682
A user has reconnected to a disconnected terminal server session.
Event ID: 683
A user disconnected a terminal server session without logging off.
Event ID: 540
A user successfully logged on to a network.
Windows 2000/XP/2003 event id 528 with logon type 2
c:>logparser.exe "select TimeGenerated, SID from \\wksname\Security where EventID = 528" -i EVT -resolveSIDs:ON -q:ON -o:TSV >> c:\UserLogons.txt
-resolveSIDs:ON
Log Parser 2.2
Windows Vista/2008/7 Event id 4624 with logon type 2
c:>wevtutil qe Security /q:"*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and Task=12544 and (EventID=4624)] and EventData[Data[@Name='LogonType']='2']]" /e:Events > c:\UserLogons.xml
-o:<output_format> : one of CSV, TSV, XML, DATAGRID, CHART, SYSLOG,
NEUROVIEW, NAT, W3C, IIS, SQL, TPL, NULL (if omitted,
will guess from the INTO clause)
# GUI: DATAGRID
logparser.exe -i:EVT -o:DATAGRID "SELECT TimeGenerated, EventID, message FROM System"
GRAMMAR <-- SQL Language Grammar
EXTRACT_TOKEN
SELECT timegenerated, EXTRACT_TOKEN(Strings,1,'|') AS Domain, EXTRACT_TOKEN(Strings,0,'|') AS User, EXTRACT_TOKEN(Strings,3,'|') AS SessionName, EXTRACT_TOKEN(Strings,4,'|') AS ClientName, EXTRACT_TOKEN(Strings,5,'|') AS ClientAddress, EventID FROM %Source% WHERE EventID=682 ORDER BY timegenerated
EXTRACT_TOKEN is a Log Parser function whose full explanation is beyond the scope of this tutorial. In short, it pulls out a numbered, delimited field (here delimited by '|') from the event's "Strings" field and assigns it a field name for use by the rest of the query. The layout of the fields within "Strings" varies by EventID, so you need to look up the layout for each event you care about and build the queries accordingly.
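The following is an added example, not code from the page or from Log Parser itself: a Python stand-in for EXTRACT_TOKEN applied to constructed -o:TSV output, assigning names to the "Strings" tokens per EventID. The 682/683 layout follows the query above; the 528/540 layout and all sample values are assumptions.

```python
# Added example (not Log Parser's own code): a Python stand-in for EXTRACT_TOKEN
# over the pipe-delimited "Strings" field, with field names assigned per EventID.
import csv
import io

# Field names in Strings order. 682/683 follow the query on this page; the
# 528/540 layout is an assumption taken from the events' message templates
# (User, Domain, Logon ID, Logon Type, ...), so verify it against your own logs.
RDP_FIELDS = ["User", "Domain", "LogonID", "SessionName", "ClientName", "ClientAddress"]
LOGON_FIELDS = ["User", "Domain", "LogonID", "LogonType", "LogonProcess", "AuthPackage", "Workstation"]
FIELDS = {528: LOGON_FIELDS, 540: LOGON_FIELDS, 682: RDP_FIELDS, 683: RDP_FIELDS}

def extract_token(strings, index, sep="|"):
    """Like Log Parser's EXTRACT_TOKEN: the index-th token, or None (NULL) if absent."""
    tokens = strings.split(sep)
    return tokens[index] if 0 <= index < len(tokens) else None

def parse_event(event_id, strings):
    """Map the Strings field of a known EventID to named fields; None if unknown."""
    names = FIELDS.get(event_id)
    if names is None:
        return None
    return {name: extract_token(strings, i) for i, name in enumerate(names)}

# Constructed sample (made-up values) of "-i:EVT -o:TSV" output for the
# fields TimeGenerated, EventID, Strings.
SAMPLE_TSV = """TimeGenerated\tEventID\tStrings
2004-03-01 08:02:11\t528\tjdoe|CORP|(0x0,0x3E7A1)|2|User32  |Negotiate|WKS01
2004-03-01 08:05:40\t540\tsvc_backup|CORP|(0x0,0x3F112)|3|NtLmSsp |NTLM|SRV02
2004-03-01 09:14:03\t682\tjdoe|CORP|(0x0,0x3E7A1)|RDP-Tcp#4|LAPTOP7|10.0.0.15
2004-03-01 17:30:22\t683\tjdoe|CORP|(0x0,0x3E7A1)|RDP-Tcp#4|LAPTOP7|10.0.0.15
"""

def rows(tsv_text):
    """Yield (EventID, TimeGenerated, parsed-Strings dict) per TSV row."""
    for r in csv.DictReader(io.StringIO(tsv_text), delimiter="\t"):
        event_id = int(r["EventID"])
        yield event_id, r["TimeGenerated"], parse_event(event_id, r["Strings"])

def interactive_logons(tsv_text, logon_type="2"):
    """(TimeGenerated, DOMAIN\\User) for 528 events with the given logon type:
    the "event id 528 with logon type 2" filter described on this page."""
    return [(ts, f"{rec['Domain']}\\{rec['User']}") for eid, ts, rec in rows(tsv_text)
            if eid == 528 and rec and rec["LogonType"].strip() == logon_type]

def rdp_session_events(tsv_text):
    """(EventID, User, ClientAddress) for terminal-session events 682/683."""
    return [(eid, rec["User"], rec["ClientAddress"]) for eid, _, rec in rows(tsv_text)
            if eid in (682, 683)]
```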
Example:
<1>
LogParser "SELECT TimeGenerated, SourceName, EventCategoryName, Message INTO report.txt FROM Security WHERE EventID = 528 AND SID LIKE '%TESTUSER%'" -resolveSIDs:ON
<2>
SELECT STRCAT(TO_STRING(sc-status), REPLACE_IF_NOT_NULL(TO_STRING(sc-substatus), STRCAT('.',TO_STRING(sc-substatus)))) AS Status, COUNT(*) AS Total INTO StatusCodes.html FROM ex*.log GROUP BY Status ORDER BY Status ASC
<3>
logparser.exe -i:EVT -o:DATAGRID "SELECT TimeGenerated, EXTRACT_TOKEN(Strings,0,'|') AS User, EventID FROM Security where EventID = 682 AND User LIKE '%Aileen%'" -resolveSIDs:ON