How to query User field in 2008R2 app log?

  • Question

  • User158988770 posted

    Does anyone know how to extract the "User:" field from server 2008R2 application event log?

    The data is not in the "Strings" field like in the SEC log. It's below the strings field on the "General" tab of the app event log entry.

    Any help is really appreciated here.

    Thanks

    Monday, March 20, 2017 3:23 PM

All replies

  • User-1499466209 posted

    Hi,

    As always, PowerShell (and .NET) can do that. Not sure you can filter on the username with Get-EventLog, but sure you can do it like this:

    ([System.Diagnostics.EventLog]::GetEventLogs() | ? {$_.log -like 'Application'} ).entries | where {$_.Username -eq 'THE_USER_U_WANNA_FILTER_ON'}

    Monday, March 20, 2017 3:40 PM
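
An added example, not part of the original thread: the same lookup done with Get-WinEvent, which filters inside the event log service on the SID stored in each record's System/Security/@UserID attribute and then resolves SIDs back to account names for display. The function name `Get-AppEventByUser` and the account `CONTOSO\jdoe` are hypothetical placeholders.

```powershell
# Added example (not from the thread). Written to run on PowerShell 2.0,
# the version shipped with Server 2008 R2.
function Get-AppEventByUser {
    param(
        [Parameter(Mandatory = $true)][string]$Account,  # e.g. 'CONTOSO\jdoe' (placeholder)
        [string]$LogName = 'Application',
        [int]$MaxEvents = 200
    )

    # Event records store the user as a SID, so resolve the account name first.
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

    # Filter on the UserID attribute of the event XML instead of
    # enumerating every entry and comparing names client-side.
    $xpath = "*[System[Security[@UserID='$sid']]]"

    try {
        $events = Get-WinEvent -LogName $LogName -FilterXPath $xpath `
                               -MaxEvents $MaxEvents -ErrorAction Stop
    } catch {
        # Get-WinEvent reports "no matches" as an error; treat it as an empty result.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        throw
    }

    $events | Select-Object TimeCreated, Id, ProviderName,
        @{ Name = 'User'; Expression = {
            if ($_.UserId) {
                try {
                    $_.UserId.Translate([System.Security.Principal.NTAccount]).Value
                } catch {
                    # Orphaned SID (deleted account): show the raw SID instead.
                    $_.UserId.Value
                }
            } else {
                'N/A'  # many application events are written without a user
            }
        } },
        Message
}

# Usage (placeholder account name):
# Get-AppEventByUser -Account 'CONTOSO\jdoe' | Format-Table -AutoSize
```

Records written without a user context have no UserID attribute and will never match the filter; they appear as "N/A" in Event Viewer's User field.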