Powershell – Parse wevtutil XML into a database

powershellwindows-event-logwindows-server-2008xml

I'm by no means an XML expert. Ergo, I'm having trouble importing Windows event XML from wevtutil into an SQL database. Prior to Server 2008, we exported event log data to the database directly using Log Parser 2.2, but logparser hasn't been upgraded to handle Server 2008 event logs gracefully.

Here's what I know how to handle:

<Field1>text</Field1>
<Field2>text</Field2>
<Field3>text</Field3>
<Field4>text</Field4>

Here's the somewhat different format that wevtutil creates when exporting event logs to XML:

<Field1>text</Field1>
<Field2>text</Field2>
<EventData>
    <Data Name='Field3'>text</Data>
    <Data Name='Field4'>text</Data>
</EventData>

Is there a relatively straightforward way to import this stuff into a database, mapping <Data Name='Field3'> to [Field3] and so on? I'm OK with writing a VB script (or whatever) to parse through the data one row at a time and insert it into the database one row at a time, if I really need to reinvent the wheel. However, I would prefer to stand on the shoulders of giants. Any suggestions, other than to check my question for mixed metaphors?

(note: this would be a recurring process, so it can't require GUI-only tools.)

Best Answer

I'm doing exactly this in a script by way of PowerShell. The whole upload-to-database script is about 18K so I'm not going to repost the entire thing here (though I have the generic ideas here). Handling the XML is pretty simple.

The command to get the event data is what you already know.

wevtutil qe Security /r:$DC /q:"*[System[((EventID=$LogonID or EventID=$FLogonID or EventID=$LogoffID or EventID=$LockoutID) and TimeCreated[@SystemTime > '$LUFilterString'] and TimeCreated[@SystemTime < '$NowFilterString'] )]] " > $DC-events.xml

The variables in that should be clear. I'm tracking login, logout, and lockout events. Generating the "NowFilterString" in the funny format wevtutil requires:

$Now=get-date
$Msec=$now.Millisecond
$NowFilterString=$Now.AddSeconds(-1).AddMilliseconds(-$Msec).ToUniversalTime().ToString("O")

I'm truncating the milliseconds down to zero to better handle edge cases.

So now you have an XML file. Now what? To parse that XML file:

get-content ".\$DC-events.xml" | foreach {
    $Event=[xml]$_
    $DateTime=[datetime]$Event.event.System.TimeCreated.GetAttribute("SystemTime")
    codecodecodecode
}

Accessing individual elements is done by:

foreach ($Data in $Event.event.EventData.get_childNodes()) {
            if ($Data.Name -eq "TargetUserName") { $User=$Data."#text"}
            elseif ($Data.Name -eq "IpAddress") {$IP=$Data."#text"}
        }

Or another example

foreach ($Data in $Event.event.EventData.get_childNodes()) {
    if ($Data.Name -eq "TargetUserName") {$User=$Data."#text"}
       elseif ($Data.Name -eq "WorkstationName") {$MachineName=$Data."#text"}
       elseif ($Data.Name -eq "IpAddress") {$IP=$Data."#text"}
       # Ensure only failed logins to the right domain are processed:
       elseif ($Data.Name -eq "TargetDomainName") {$Domain=$Data."#text"}
    }

I hope this helps you figure out XML parsing. Since this is PowerShell, most of these are readily convertible to standard .NET calls.

Related Solutions

Windows Server 2008 – Email on Event Variables

I went about this a bit differently, but this approach generates emails on new events that match a custom filter, with all the event details included in the email body.

1) Create a 'Custom View' in the Event Viewer with your desired filter.

2) Once you have the view, you should see a link to 'Attach Task to This Custom View...'.

I chose to use sendMail.exe from here (http://caspian.dotconf.net/menu/Software/SendEmail/) which I extracted to C:\sendmail. The reason is Microsoft's 'Send an email' action has issues with SMTP authentication and also apparently isn't even present in Server 2012.

So in my case I selected 'Start a program' while attaching the task to the Custom View. But we're going to edit it as XML so don't worry about filling it in via the GUI.

3) Export the new Task to XML, we'll be editing it later.

4) Create a 'mail-event.bat' file under C:\sendmail folder with the following 3 lines:

C:\Windows\system32\wevtutil.exe qe Application /f:text /q:"<QueryList><Query Id='0' Path='Application'><Select Path='Application'>*[System[(EventRecordID=%1)]]</Select></Query></QueryList>" > C:\sendmail\%1.log
C:\sendmail\sendEmail.exe -s <smtp_server> -f <from> -xu <user> -xp <pass> -t <to> -u "<subject>" -o message-file=c:\sendmail\%1.log
del C:\sendmail\%1.log

Obviously, replace 'smtp_server', 'from', 'user', 'pass', 'to', 'subject' with the desired values.

This will create a '$(EventRecordID).log' file under C:\sendmail with all the details for that event, mail it, and then delete it.

You can test if the batch file works by going into Event Viewer, opening an event in your Applications log, switching to Details tab, selecting 'XML View' and then look for EventRecordID. Copy that integer, and then run from the command line:

C:\sendmail> log-event.bat 53522

Of course, replacing 53522 with the value from the EventRecordID node. If you receive the email, go to your happy place.

NOTE WELL: You might have noticed the string 'Application' shows up a couple times in the command line for wevtutil.exe -- that's because I couldn't seem to get it to work by pointing it directly at the Custom View, and my Custom View happened to be a sub-set of events that are all inside the Application log. You might have to adjust that to make it work in your case if your trying to mail events from the System log, for example.

5) Edit the XML you exported, we're going to make two changes:

First, add the following 'ValueQueries' node into the XML under the 'EventTrigger' node:

<EventTrigger>
  <Enabled>true</Enabled>
  <Subscription>...snip...</Subscription>
  <ValueQueries>
    <Value name="EventRecordID">Event/System/EventRecordID</Value>
  </ValueQueries>  
</EventTrigger>

NOTE: In the above, I snipped the 'Subscription' info which will have been filled in based on the Custom View you created. Don't copy my 'Subscription' into your XML!

Second, replace the Actions node with the following:

<Actions Context="Author">
   <Exec>
     <Command>C:\sendmail\mail_event.bat</Command>
     <Arguments>$(EventRecordID)</Arguments>
   </Exec>
</Actions>

Now, cause a new event to appear in your Custom View, and you should automatically get the email notification! Woohoo!

Exporting logon/logoff events from Windows event log

It seems to me that if you really want real time data you could do a lot worse then go back to logon/logoff scripts. If you need the IP address of the client machine and are only getting the machine's name why not simply do an nslookup on it in the script? Depending on the scripting language you use there may even be a built-in function to do the lookup.

I'm sure plenty of others will have different ideas but if you do want to parse the event logs, for this or any other reason, Perl not only has the modules, it's hard to beat for processing the data. If you go down that path, regardless of the language you choose to use, I suggest you send the data you are interested to a database, from where it is much more easily manipulated, search, etc. Again, Perl makes this easy.

Best Answer

Related Solutions

Windows Server 2008 – Email on Event Variables

Exporting logon/logoff events from Windows event log

Related Topic