Ok So I have this to create my blat input file but I am still getting to many results.
C:\Program Files\Log Parser 2.2>logparser "select extract_token(strings, 0, '|') as Account, TimeGenerated into file.csv from \\10.0.50.205\security where eventid in (530) " I only want events from today-1. ________________________________ From: Jake Gardner [mailto:[EMAIL PROTECTED] Sent: Monday, December 01, 2008 2:53 PM To: NT System Admin Issues Subject: RE: Run a batch file to send emails Extract the date field the same way you extract the account field, then add it to your where clause. Thanks, Jake Gardner TTC Network Administrator Ext. 246 ________________________________ From: David McSpadden [mailto:[EMAIL PROTECTED] Sent: Monday, December 01, 2008 2:32 PM To: NT System Admin Issues Subject: RE: Run a batch file to send emails select distinct extract_token(strings, 0, '|') as Account into file.csv from \\10.0.50.205\security where eventid in (530) How do I get just yesterday's 530 events? ________________________________ From: Jake Gardner [mailto:[EMAIL PROTECTED] Sent: Monday, December 01, 2008 1:40 PM To: NT System Admin Issues Subject: RE: Run a batch file to send emails Logparser http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4 c25-91b2-f8d975cf8c07 Thanks, Jake Gardner TTC Network Administrator Ext. 246 ________________________________ From: David McSpadden [mailto:[EMAIL PROTECTED] Sent: Monday, December 01, 2008 1:33 PM To: NT System Admin Issues Subject: Run a batch file to send emails I want to read an input file. It would comma delimited. It will have those users that have not logged off and are getting after hours logon events with their names. I only want to send 1 email per user so I would have to sort and then group then blat out the email. My format for the file is like this: 866265068,Security,Security,AUDIT FAILURE,031004LD5Z3K55,12/1/2008 12:49:14 AM,530,SYSTEM\NT AUTHORITY,Logon Failure: Reason: Account logon time restriction violation User Name: DawnH Domain: IM_DOM1 Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: XP31090634014W Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 10.0.31.40 Source Port: 1087 866265066,Security,Security,AUDIT FAILURE,031004LD5Z3K55,12/1/2008 12:49:11 AM,530,SYSTEM\NT AUTHORITY,Logon Failure: Reason: Account logon time restriction violation User Name: DawnH Domain: IM_DOM1 Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: XP31090634014W Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 10.0.31.40 Source Port: 1044 866265063,Security,Security,AUDIT FAILURE,031004LD5Z3K55,12/1/2008 12:49:07 AM,530,SYSTEM\NT AUTHORITY,Logon Failure: Reason: Account logon time restriction violation User Name: DawnH Domain: IM_DOM1 Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: XP31090634014W Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 10.0.31.40 Source Port: 4976 866264132,Security,Security,AUDIT FAILURE,031004LD5Z3K55,12/1/2008 12:34:33 AM,530,SYSTEM\NT AUTHORITY,Logon Failure: Reason: Account logon time restriction violation User Name: DavidE Domain: IM_DOM1 Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: XP250308200506 Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 10.0.50.48 Source Port: 4656 866264130,Security,Security,AUDIT FAILURE,031004LD5Z3K55,12/1/2008 12:34:33 AM,530,SYSTEM\NT AUTHORITY,Logon Failure: Reason: Account logon time restriction violation User Name: DavidE Domain: IM_DOM1 Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: XP250308200506 Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 10.0.50.48 Source Port: 4614 866264128,Security,Security,AUDIT FAILURE,031004LD5Z3K55,12/1/2008 12:34:33 AM,530,SYSTEM\NT AUTHORITY,Logon Failure: Reason: Account logon time restriction violation User Name: DavidE Domain: IM_DOM1 Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: XP250308200506 Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 10.0.50.48 Source Port: 4572 866264126,Security,Security,AUDIT FAILURE,031004LD5Z3K55,12/1/2008 12:34:33 AM,530,SYSTEM\NT AUTHORITY,Logon Failure: Reason: Account logon time restriction violation User Name: DavidE Domain: IM_DOM1 Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: XP250308200506 Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 10.0.50.48 Source Port: 4529 So basically I want to skip everything except the User Name: and Workstation Name: I generate this list every morning for the prior day using psloglist and now I want to parse it and blat an email to the offenders telling them to shut down every night. Any ideas??? Data Security is everyone's responsibility. ***Teletronics Technology Corporation*** This e-mail is confidential and may also be privileged. If you are not the addressee or authorized by the addressee to receive this e-mail, you may not disclose, copy, distribute, or use this e-mail. If you have received this e-mail in error, please notify the sender immediately by reply e-mail or by telephone at 267-352-2020 and destroy this message and any copies. Thank you. ******************************************************************* ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~