Microsoft purposely prevents you from doing this. The whole concept of the Event Viewer is to present to you certain events that may require your attention. If one could go in and delete any random event, then the system could - in a sense - be compromised without you knowing, therefore making it unsafe.
If you have an error event logged, find out what is causing the problem and fix it. You don't want to patch a hole in a dam by sticking a wad of gum in the hole.
If something is logging informational or caution events too often, then many times the event log source (either Microsoft or a third-party) has some setting that indicates how often or to what level of logging is configured for the application. That is where you go to minimize the logging, not by doing surgery on the event log.
I'm doing exactly this in a script by way of PowerShell. The whole upload-to-database script is about 18K so I'm not going to repost the entire thing here (though I have the generic ideas here). Handling the XML is pretty simple.
The command to get the event data is what you already know.
wevtutil qe Security /r:$DC /q:"*[System[((EventID=$LogonID or EventID=$FLogonID or EventID=$LogoffID or EventID=$LockoutID) and TimeCreated[@SystemTime > '$LUFilterString'] and TimeCreated[@SystemTime < '$NowFilterString'] )]] " > $DC-events.xml
The variables in that should be clear. I'm tracking login, logout, and lockout events. Generating the "NowFilterString" in the funny format wevtutil requires:
$Now = Get-Date
$Msec = $Now.Millisecond
# Back off one second, zero the milliseconds, and emit UTC in round-trip ("O") ISO 8601 form, which the XPath filter accepts
$NowFilterString = $Now.AddSeconds(-1).AddMilliseconds(-$Msec).ToUniversalTime().ToString("O")
I'm truncating the milliseconds down to zero to better handle edge cases.
So now you have an XML file. Now what? To parse that XML file:
Get-Content ".\$DC-events.xml" | ForEach-Object {
    # wevtutil writes one <Event> element per line, so each line parses on its own
    $Event = [xml]$_
    $DateTime = [datetime]$Event.event.System.TimeCreated.GetAttribute("SystemTime")
    # ... per-event processing goes here ...
}
Accessing individual elements is done by:
foreach ($Data in $Event.event.EventData.get_childNodes()) {
    if ($Data.Name -eq "TargetUserName") { $User = $Data."#text" }
    elseif ($Data.Name -eq "IpAddress") { $IP = $Data."#text" }
}
Or another example:
foreach ($Data in $Event.event.EventData.get_childNodes()) {
    if ($Data.Name -eq "TargetUserName") { $User = $Data."#text" }
    elseif ($Data.Name -eq "WorkstationName") { $MachineName = $Data."#text" }
    elseif ($Data.Name -eq "IpAddress") { $IP = $Data."#text" }
    # Ensure only failed logins to the right domain are processed:
    elseif ($Data.Name -eq "TargetDomainName") { $Domain = $Data."#text" }
}
I hope this helps you figure out XML parsing. Since this is PowerShell, most of these are readily convertible to standard .NET calls.
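Added here as an example that is not from the answer above or from any project: the same per-line parse generalised into a pipeline function, fed three constructed event lines in wevtutil's one-event-per-line XML format, followed by a grouping pass that reports source IPs with repeated failed logons (the pattern that precedes the lockout events being tracked). The function names, field values and threshold are assumptions.

```powershell
# Added example (not code from the answer above): the per-line parse loop as a
# pipeline function, plus a pass that flags source IPs with repeated 4625 events.
# The three event lines below are constructed to mimic `wevtutil qe` output.
$SampleLines = @'
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>4625</EventID><TimeCreated SystemTime='2024-05-01T08:00:01.000000000Z'/><Computer>DC1.example.test</Computer></System><EventData><Data Name='TargetUserName'>alice</Data><Data Name='TargetDomainName'>EXAMPLE</Data><Data Name='WorkstationName'>WS42</Data><Data Name='IpAddress'>10.1.2.3</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>4625</EventID><TimeCreated SystemTime='2024-05-01T08:00:04.000000000Z'/><Computer>DC1.example.test</Computer></System><EventData><Data Name='TargetUserName'>bob</Data><Data Name='TargetDomainName'>EXAMPLE</Data><Data Name='WorkstationName'>WS42</Data><Data Name='IpAddress'>10.1.2.3</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>4624</EventID><TimeCreated SystemTime='2024-05-01T08:00:09.000000000Z'/><Computer>DC1.example.test</Computer></System><EventData><Data Name='TargetUserName'>carol</Data><Data Name='TargetDomainName'>EXAMPLE</Data><Data Name='WorkstationName'>WS07</Data><Data Name='IpAddress'>10.1.2.9</Data></EventData></Event>
'@ -split "`r?`n"

function ConvertFrom-SecurityEventXml {
    # One wevtutil XML line in, one flat object out (hypothetical function name).
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    process {
        if ([string]::IsNullOrWhiteSpace($Line)) { return }
        $Event = [xml]$Line
        $Sys   = $Event.Event.System
        # EventID is bare text for audit events but an element (Qualifiers attribute) for legacy providers
        $IdNode  = $Sys.EventID
        $EventId = if ($IdNode -is [System.Xml.XmlElement]) { $IdNode.InnerText } else { $IdNode }
        # Index the <Data Name="..."> children by their Name attribute
        $Fields = @{}
        foreach ($Data in $Event.Event.EventData.ChildNodes) {
            if ($Data -is [System.Xml.XmlElement]) { $Fields[$Data.Name] = $Data.'#text' }
        }
        [pscustomobject]@{
            TimeCreated = [datetime]$Sys.TimeCreated.SystemTime
            EventID     = [int]$EventId
            Domain      = $Fields['TargetDomainName']
            User        = $Fields['TargetUserName']
            Workstation = $Fields['WorkstationName']
            IP          = $Fields['IpAddress']
        }
    }
}

function Find-RepeatedFailures {
    # Group failed logons (4625) by source IP; report those at or above the threshold
    param([object[]]$Events, [int]$Threshold = 5)
    $Events | Where-Object { $_.EventID -eq 4625 -and $_.IP } |
        Group-Object -Property IP | Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                IP       = $_.Name
                Failures = $_.Count
                Users    = ($_.Group.User | Sort-Object -Unique) -join ','
            }
        }
}
$Events = $SampleLines | ConvertFrom-SecurityEventXml
Find-RepeatedFailures -Events $Events -Threshold 2
```

With the constructed input, the second call reports 10.1.2.3 with two failures against alice and bob, while the single successful logon from 10.1.2.9 is ignored.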
Best Answer
It seems to me that if you really want real-time data you could do a lot worse than going back to logon/logoff scripts. If you need the IP address of the client machine and are only getting the machine's name, why not simply do an nslookup on it in the script? Depending on the scripting language you use, there may even be a built-in function to do the lookup.
I'm sure plenty of others will have different ideas, but if you do want to parse the event logs, for this or any other reason, Perl not only has the modules, it's hard to beat for processing the data. If you go down that path, regardless of the language you choose to use, I suggest you send the data you are interested in to a database, from where it is much more easily manipulated, searched, etc. Again, Perl makes this easy.