Posted (edited)

Hi

Does anyone know how to list the security log file success and failure audits?

I can list the system and application log files but can't get it to work for the security log file.

Thanks

Edit:

Actually I figured it out myself. WMIC is not that well documented so you have to play with it to figure things out.

Here is the way to list security events by filtering:

:SECURITY LOG

WMIC NTEVENT WHERE "Type='audit success' and LogFile='Security'" GET LogFile,Type,Message,TimeGenerated /FORMAT:hform > reports\Seclog.htm

WMIC NTEVENT WHERE "Type='audit failure' and LogFile='Security'" GET LogFile,Type,Message,TimeGenerated /FORMAT:hform > reports\Seclog.htm

You use the "Where" statement and the "Type" and "LogFile" properties to specify the search criteria.

Below are some examples for the System and Application logs:

:Application Log

WMIC NTEVENT WHERE "LogFile='Application' and type='warning'" GET LogFile,Type, Message,TimeGenerated /FORMAT:hform > reports\AppLog.htm

WMIC NTEVENT WHERE "LogFile='Application' and type='Error'" GET LogFile,Type, Message,TimeGenerated /FORMAT:hform > reports\AppLog.htm

:System Log

WMIC NTEVENT WHERE "LogFile='System' and type='warning'" GET LogFile,Type, Message,TimeGenerated /FORMAT:hform > reports\SysLog.htm

WMIC NTEVENT WHERE "LogFile='System' and type='Error'" GET LogFile,Type, Message,TimeGenerated /FORMAT:hform > reports\SysLog.htm

This could probably be accomplished better with PowerShell but unfortunately my work environment is limited as far as PowerShell use goes.

Once we migrate over to Windows 7, PowerShell will be readily available. Until then this works for me.

Hope this is helpful to someone out there.

Regards,

Tony

Edited by Yzöwl
sequential posts merged.

Posted

Instead of using the 'dos output character', >, you could use WMIC's own method.

e.g.

WMIC /OUTPUT:Reports\AppLog.html NTEVENT WHERE "LogFile='Application' AND Type='Error'" GET LogFile,Type, Message,TimeGenerated /FORMAT:hform

Obviously all on one line!
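
Added example, not part of either post above: a batch file that combines the WHERE filter from the first post with the /OUTPUT switch from the reply, and writes each audit type to its own report so the second query does not replace the first. The output file names and the :Report helper are assumptions for illustration.

```batch
@echo off
rem Added example (not from the thread): one report per audit type.
rem Run from an elevated prompt; standard users cannot read the Security log.
setlocal
set "OUTDIR=reports"
if not exist "%OUTDIR%" mkdir "%OUTDIR%"

rem File names below are illustrative.
call :Report "audit success" "%OUTDIR%\SecLog_Success.htm"
call :Report "audit failure" "%OUTDIR%\SecLog_Failure.htm"

endlocal
exit /b 0

:Report
rem %~1 = value for the Type property, %~2 = output file
WMIC /OUTPUT:"%~2" NTEVENT WHERE "LogFile='Security' and Type='%~1'" GET LogFile,Type,Message,TimeGenerated /FORMAT:hform
if errorlevel 1 echo Query for "%~1" failed (errorlevel %errorlevel%) 1>&2
exit /b
```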
