Solved Want to write wevtutil output to a text file...plz help

October 10, 2013 at 01:30:08
Specs: Windows 7
Hello everyone,

I have to write a security event log to a text file, for which I've used the following wevtutil command, and it's working flawlessly.

wevtutil qe Security /rd:true /f:text /q:"*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and Task = 12800 and (band(Keywords,4503599627370496)) and (EventID=4656)]]" > C:\Users\main\Desktop\gg.txt

I want it to be created on the fly as the event is generated so putting the batch file in the task scheduler is the only way out. The problem is it'll be too difficult for me to learn batch file programming just for this one purpose!! Sorry I am being frank.

Can you guys please help me out in creating a batch file which writes the output to a text file?

Thank you.





✔ Best Answer
October 10, 2013 at 07:45:01
I apologize for my previous post; I am running XP and Vista and only occasionally Win 7. Task Manager allows the ONEVENT option to be set in command line mode, but you can more easily set up the task using the GUI interface. Just create the script as below (one line command), name it MySentinel.bat and create the related task in the GUI. No need to use the command line interface to create the task to be scheduled.

@wevtutil qe Security /rd:true /f:text /q:"*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and Task = 12800 and (band(Keywords,4503599627370496)) and (EventID=4656)]]" > C:\Users\main\Desktop\gg.txt



#1
October 10, 2013 at 03:19:20
I do not understand what you need, since the command you posted just redirects the output to a text file. If you want the tool to be executed on the fly at event occurrence, task scheduler is not the right way, because it is aimed at planning application launches on regular shifts. It is impossible for a batch script to be event driven, i.e. run at interrupt occurrence. Sorry, but you need something else.


#2
October 10, 2013 at 03:59:38
Thanks for the reply. But I do see the option of actions being triggered by events (by log, source, eventid) in task scheduler in Win 7.

Here's a scenario:

I setup a folder for auditing in D:\. I give it access denied for a particular user say temp.
The moment temp gets an error while trying to access that folder an event is generated (id:4656) in the event viewer. Now if I set the task scheduler to execute the above command, which would be inside a batch file, on the generation of event id 4656 I can get the text file output, isn't it??

message edited by exus69



#3
October 10, 2013 at 07:41:34
Might be an obvious question, but why do you want to dump the Security Log of handle requests to a text file?

How To Ask Questions The Smart Way






#5
October 10, 2013 at 12:23:59
@Razor2.3, I am setting up my dads computer in such a way that if someone tries to access his personal folder he can come to know about it by checking the text file. He will not go to the length of opening event viewer and filtering the logs.

@IVO, no problems with that, by the way; what do you mean by "create the related task in the GUI"? One more thing I noticed when I created the batch file and ran it with admin credentials was that it worked correctly, but it also opened a black cmd window which needed to be closed manually every time I ran the batch file. How do I ensure it does not stay on the screen?

Please help



#6
October 10, 2013 at 19:47:16
Maybe:
START /MIN batch.bat
as the action invoked by the event, and of course "batch" has your wevtutil string and as final line: EXIT
You also might want to change > to >> for your output redirection for a bigger picture.

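Putting the best answer and reply #6 together, here is the batch file and the event-triggered task written out in full. This is an added example, not any poster's script. The wevtutil query is the one from the thread; the `/c:5` count, the timestamped header line, the log path under C:\ProgramData\Sentinel and the `schtasks /sc onevent` registration line are additions to illustrate the setup and are assumptions about the poster's environment, not something the thread states.

```batch
@echo off
REM MySentinel.bat - added example based on the thread, not the original poster's file.
REM
REM Register once from an elevated prompt (assumed schtasks syntax for an event trigger;
REM the GUI "On an event" trigger in Task Scheduler does the same thing):
REM   schtasks /create /tn MySentinel /sc onevent /ec Security /mo "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4656)]]" /tr "cmd /c start /min C:\Scripts\MySentinel.bat" /ru SYSTEM
REM
REM Running as SYSTEM means the task runs without a visible window and can read the
REM Security log; "start /min" (reply #6) covers the case where it is run interactively.

REM Assumed log location: a folder the monitored user cannot read or alter, rather
REM than a Desktop file that the same user may be able to open or wipe.
set "LOGDIR=C:\ProgramData\Sentinel"
set "LOG=%LOGDIR%\gg.txt"
if not exist "%LOGDIR%" mkdir "%LOGDIR%"

REM Append (>>, as reply #6 suggests) so earlier hits are not overwritten on each trigger.
echo ==== %DATE% %TIME% : audit failure on monitored folder (Event 4656) ==== >> "%LOG%"

REM Same filter as the thread: file-system subcategory (Task 12800), Audit Failure
REM keyword (0x0010000000000000 = 4503599627370496), event 4656 ("handle requested").
REM /rd:true lists newest first and /c:5 keeps only the five most recent matches,
REM so the file does not grow by the whole log history every time the task fires.
wevtutil qe Security /rd:true /c:5 /f:text /q:"*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and Task = 12800 and (band(Keywords,4503599627370496)) and (EventID=4656)]]" >> "%LOG%"

exit
```

A note on what this does and does not prove: 4656 records that a handle was requested and, with the failure keyword, that the request was denied, so the text file shows attempts, not successful reads. If the audited folder's SACL is not set for Failure auditing on the user in question, nothing will be logged at all, so test the trigger once by deliberately hitting the access-denied error as that user and checking that a new timestamped block appears in gg.txt.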

