Microsoft Log Parser 2.2 Query Language (Light Mode & Dark Mode) #369
Merged
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| /* Example 01 - Find Remote Desktop Logons */ | ||
| LogParser.exe "SELECT TimeGenerated, EXTRACT_TOKEN(Strings, 5, '|') AS UserName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP, EXTRACT_TOKEN(Strings, 8, '|') AS LogonType FROM 'events.evtx' WHERE EventID = 4624 AND LogonType = '10' ORDER BY TimeGenerated DESC" -i:EVT -o:DATAGRID | ||
|
|
||
| /* Example 02 - Parse the IIS log C:\inetpub\logs\LogFiles\ABC\u_exXYZ.log and place the results in C:\Temp\inetsv1.log. */ | ||
| LogParser.exe "SELECT c-ip, cs-username, TO_DATE(TO_LOCALTIME(TO_TIMESTAMP(date, time))), TO_TIME(TO_LOCALTIME(TO_TIMESTAMP(date, time))), s-sitename, s-computername, s-ip, time-taken, sc-bytes, cs-bytes, sc-status, sc-win32-status, cs-method, cs-uri-stem, cs-uri-query INTO 'C:\Temp\inetsv1.log' FROM 'C:\inetpub\logs\LogFiles\ABC\u_exXYZ.log'" -i:IISW3C -o:IIS | ||
|
|
||
| /* Example 03 - Report the Path, Name, Size, and Attributes of files in the C:\Temp folder and store them in the C:\Temp\Files.tsv file */ | ||
| LogParser.exe "SELECT Path, Name, Size, Attributes INTO 'C:\Temp\Files.tsv' FROM 'C:\Temp\*.*'" -i:FS -o:TSV -recurse:0 | ||
|
|
||
| /* Example 04 - Find the SUM of all executables under C:\windows\system32\*.* */ | ||
| LogParser.exe "SELECT SUM(Size) FROM 'C:\windows\system32\*.*' WHERE TO_LOWERCASE(EXTRACT_EXTENSION(Name)) = 'exe'" -i:FS -recurse:0 -o:DATAGRID | ||
|
|
||
| /* Example 05 - Report all 4624 logon events and store them in the C:\Temp\Report.xml file. */ | ||
| LogParser.exe "SELECT TimeGenerated AS LogonDate, EXTRACT_TOKEN(Strings, 0, '|') AS Account INTO 'C:\Temp\Report.xml' FROM Security WHERE EventID IN (4624)" -i:EVT -o:XML |
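Review bot: Example 05 labels token 0 of Strings as Account, but for event 4624 token 0 is the subject's SID (SubjectUserSid), not an account name; Example 01 on the same event already takes the logged-on user from token 5 (`EXTRACT_TOKEN(Strings, 5, '|') AS UserName`), so the two examples disagree and Example 05 will report raw SIDs. Use token 5 for the account (optionally token 6 for the domain and token 8 for the logon type so the report is usable for triage), or, if the subject SID really is wanted, wrap it in RESOLVE_SID() or run with -resolveSIDs. In Example 04 the comment promises "all executables under C:\windows\system32", but `-recurse:0` limits the FS input to that one directory; either reword the comment or use -recurse:-1, and "SUM of all executables" should read "total size of all executables". Minor: `LogonType = '10'` in Example 01 depends on the SELECT alias being visible in WHERE, which Log Parser allows, but it is a string comparison against an extracted token, so keep the quotes.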
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| /* Example 01 - Find Remote Desktop Logons */ | ||
| LogParser.exe "SELECT TimeGenerated, EXTRACT_TOKEN(Strings, 5, '|') AS UserName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP, EXTRACT_TOKEN(Strings, 8, '|') AS LogonType FROM 'events.evtx' WHERE EventID = 4624 AND LogonType = '10' ORDER BY TimeGenerated DESC" -i:EVT -o:DATAGRID | ||
|
|
||
| /* Example 02 - Parse the IIS log C:\inetpub\logs\LogFiles\ABC\u_exXYZ.log and place the results in C:\Temp\inetsv1.log. */ | ||
| LogParser.exe "SELECT c-ip, cs-username, TO_DATE(TO_LOCALTIME(TO_TIMESTAMP(date, time))), TO_TIME(TO_LOCALTIME(TO_TIMESTAMP(date, time))), s-sitename, s-computername, s-ip, time-taken, sc-bytes, cs-bytes, sc-status, sc-win32-status, cs-method, cs-uri-stem, cs-uri-query INTO 'C:\Temp\inetsv1.log' FROM 'C:\inetpub\logs\LogFiles\ABC\u_exXYZ.log'" -i:IISW3C -o:IIS | ||
|
|
||
| /* Example 03 - Report the Path, Name, Size, and Attributes of files in the C:\Temp folder and store them in the C:\Temp\Files.tsv file */ | ||
| LogParser.exe "SELECT Path, Name, Size, Attributes INTO 'C:\Temp\Files.tsv' FROM 'C:\Temp\*.*'" -i:FS -o:TSV -recurse:0 | ||
|
|
||
| /* Example 04 - Find the SUM of all executables under C:\windows\system32\*.* */ | ||
| LogParser.exe "SELECT SUM(Size) FROM 'C:\windows\system32\*.*' WHERE TO_LOWERCASE(EXTRACT_EXTENSION(Name)) = 'exe'" -i:FS -recurse:0 -o:DATAGRID | ||
|
|
||
| /* Example 05 - Report all 4624 logon events and store them in the C:\Temp\Report.xml file. */ | ||
| LogParser.exe "SELECT TimeGenerated AS LogonDate, EXTRACT_TOKEN(Strings, 0, '|') AS Account INTO 'C:\Temp\Report.xml' FROM Security WHERE EventID IN (4624)" -i:EVT -o:XML |
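Review bot: this second sample file is byte-for-byte identical to the first one in the PR (same five examples, same `@@ -0,0 +1,14 @@` hunk). If the Light Mode and Dark Mode UDLs are meant to share one sample, point both at a single file rather than carrying two copies that will drift apart; the token-index problem in Example 05 would otherwise have to be fixed twice. If two files are intentional, make the second one exercise parts of the grammar the first does not, for example a `--` line comment, GROUP BY with WITH ROLLUP, and a `-o:CSV` or `-o:CHART` output, all of which the UDL defines but none of the current examples use.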
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,64 @@ | ||
| <NotepadPlus> | ||
| <UserLang name="Microsoft Log Parser (Dark Mode)" ext="pql" udlVersion="2.1"> | ||
| <Settings> | ||
| <Global caseIgnored="yes" allowFoldOfComments="no" foldCompact="no" forcePureLC="0" decimalSeparator="0" /> | ||
| <Prefix Keywords1="no" Keywords2="no" Keywords3="no" Keywords4="no" Keywords5="no" Keywords6="no" Keywords7="no" Keywords8="no" /> | ||
| </Settings> | ||
| <KeywordLists> | ||
| <Keywords name="Comments">00-- 01 02 03/* 04*/</Keywords> | ||
| <Keywords name="Numbers, prefix1"></Keywords> | ||
| <Keywords name="Numbers, prefix2"></Keywords> | ||
| <Keywords name="Numbers, extras1"></Keywords> | ||
| <Keywords name="Numbers, extras2"></Keywords> | ||
| <Keywords name="Numbers, suffix1"></Keywords> | ||
| <Keywords name="Numbers, suffix2"></Keywords> | ||
| <Keywords name="Numbers, range"></Keywords> | ||
| <Keywords name="Operators1">! % ( ) * + , / : ; < = > ? [ ] ^ { } "</Keywords> | ||
| <Keywords name="Operators2">!= <= <> == >=</Keywords> | ||
| <Keywords name="Folders in code1, open"></Keywords> | ||
| <Keywords name="Folders in code1, middle"></Keywords> | ||
| <Keywords name="Folders in code1, close"></Keywords> | ||
| <Keywords name="Folders in code2, open"></Keywords> | ||
| <Keywords name="Folders in code2, middle"></Keywords> | ||
| <Keywords name="Folders in code2, close"></Keywords> | ||
| <Keywords name="Folders in comment, open"></Keywords> | ||
| <Keywords name="Folders in comment, middle"></Keywords> | ||
| <Keywords name="Folders in comment, close"></Keywords> | ||
| <Keywords name="Keywords1">Ack Attributes BytesReceived BytesRecvd BytesSent CaptureFilename ClientAddress ClientHost ClientIP ClientIpAddress Comment Comments CompanyName ComputerName Connection ConnectionId Cookie CreationTime Data Date DateCreated DateLastAccessed DateLastModified DateTime DstIP DstMAC DstPayload DstPayloadBytes DstPort EndFrame EtherType EventCategory EventCategoryName EventID EventLog EventName EventNumber EventTimestamp EventType EventTypeName Extension FileDescription FileVersion Filename Frame FrameBytes FrameData FrameLength FrameNumber Frames FullPath Host HostName HttpStatus HttpSubStatus IPVersion Index InternalName KeyName LastAccessTime LastWriteTime LegalCopyright LegalTrademarks LogFilename LogRow LogTime Machine Message Method Mode Name ObjectClass ObjectGUID ObjectName ObjectPath Operation OriginalFilename Owner Parameters Path Payload PayloadBytes PrivateBuild ProcessId ProcessingTime ProductName ProductVersion PropertyName PropertyType PropertyValue Protocol ProtocolStatus ProtocolVersion ProviderName RecordNumber Referer RemoteHostName RemoteLogName Request RequestType RowNumber SID STDIN STDOUT Seq ServerAddress ServerIP ServerIpAddress ServerPort Service ServiceInstance ServiceStatus ShortName ShortPath SiteID SiteInstance Size SourceName SpecialBuild SrcIP SrcMAC SrcPayload SrcPayloadBytes SrcPort StartFrame StatusCode Strings SubStatus TCPFlags TTL Target Text Time TimeGenerated TimeTaken TimeWritten Type UriQuery UriStem Url User User-Agent UserData UserIP UserName Value ValueData ValueName ValueType Verb Win32Status Win32StatusCode WindowSize WindowsStatus X-Forwarded-For c-ProtocolVersion c-ip c-port cs cs-FTPDetailed cs-User-Agent cs-bytes cs-cookie cs-host cs-method cs-protocol cs-protocol-version cs-referer cs-uri cs-uri-query cs-uri-stem cs-username cs-version distinguishedName memberOf s-active-procs s-computername s-event s-ip s-kernel-time s-page-faults s-port s-process-type s-queuename s-reason s-siteid 
s-sitename s-stopped-procs s-total-procs s-user-time sAMAccountName sc-FTPCommand sc-bytes sc-cache-control sc-content-type sc-header sc-status sc-substatus sc-win32-status time-taken title userPrincipalName whenChanged whenCreated win32-status</Keywords> | ||
| <Keywords name="Keywords2">"WITH ROLLUP" ADD AVG BIT_AND BIT_NOT BIT_OR BIT_SHL BIT_SHR BIT_XOR CASE COALESCE COMPUTER_NAME COUNT DIV EXP EXP10 EXTRACT_EXTENSION EXTRACT_FILENAME EXTRACT_PATH EXTRACT_PREFIX EXTRACT_SUFFIX EXTRACT_TOKEN EXTRACT_VALUE FLOOR GROUPING HASHMD5_FILE HASHSEQ HEX_TO_ASC HEX_TO_HEX16 HEX_TO_HEX32 HEX_TO_HEX8 HEX_TO_INT HEX_TO_PRINT INDEX_OF INT_TO_IPV4 IN_ROW_NUMBER IPV4_TO_INT LAST_INDEX_OF LOG LOG10 LTRIM MAX MIN MOD MUL OUT_ROW_NUMBER PROPCOUNT PROPSUM QNTFLOOR_TO_DIGIT QNTROUND_TO_DIGIT QUANTIZE REPLACE_CHR REPLACE_IF_NOT_NULL REPLACE_IF_NULL REPLACE_STR RESOLVE_SID REVERSEDNS ROLLUP ROT13 ROUND RTRIM SEQUENCE SQR SQRROOT STRCAT STRCNT STRLEN STRREPEAT STRREV SUB SUBSTR SUM SYSTEM_DATE SYSTEM_TIME SYSTEM_TIMESTAMP SYSTEM_UTCOFFSET TIMESTAMP TO_DATE TO_HEX TO_INT TO_LOCALTIME TO_LOWERCASE TO_REAL TO_STRING TO_TIME TO_TIMESTAMP TO_UPPERCASE TO_UTCTIME TRIM URLESCAPE URLUNESCAPE WIN32_ERROR_DESCRIPTION</Keywords> | ||
| <Keywords name="Keywords3">"GROUP BY" "IS NOT NULL" "IS NULL" "ORDER BY" ALL AND ANY AS ASC BETWEEN BY DESC DISTINCT ELSE END FALSE FROM HAVING IN INTO JOIN LIKE NOT NULL ON OR SELECT THEN TOP TRUE USING WHEN WHERE</Keywords> | ||
| <Keywords name="Keywords4">ADS BIN CHART COM CSV DATAGRID ETW EVT FS HTTPERR IIS IISODBC IISW3C NAT NCSA NETMON REG SQL SYSLOG TEXTLINE TEXTWORD TPL TSV URLSCAN W3C XML</Keywords> | ||
| <Keywords name="Keywords5">-autoScroll -binaryFormat -c -categories -chartTitle -chartType -clearTable -colSep -comment -compact -compactModeSep -conf -config -consolidateLogs -createTable -dQuotes -database -dirTime -direct -direction -discardOversized -driver -dsn -dtEventsLive -dtEventsLog -dtLines -dtNodes -e -encodeDelim -expandEnums -fMode -fNames -facility -fieldName -file -fileMode -fileType -fixColNames -fixedFields -fixedSep -flushPeriod -formatMsg -fullEventCode -fullText -groupSize -h -headerRow -headers -hostName -i -iCOMParams -iCOMServer -iCheckpoint -iCodepage -iDQuotes -iHeaderFile -iProgID -iSeparator -iTsFormat -ignoreDSErrors -ignoreDspchErrs -ignoreEventTrace -ignoreIdCols -ignoreLostEvents -ignoreMinWarns -iw -legend -lineFilter -locale -maxCategoryLabels -maxPacketSize -maxStrFieldLen -minDateMod -msgErrorMode -multiSZSep -multiValuedSep -nFields -nSep -nSkipLines -noEmptyField -noEmptyFile -o -oCodepage -oConnString -oDQuotes -oDirTime -oSeparator -oTsFormat -objClass -parseBinary -password -processName -protocol -providers -q -queryInfo -rAlign -recurse -resolveSIDs -restoreDefaults -rootName -rootXPath -rowName -rtp -saveDefaults -schemaServer -schemaType -separator -server -severity -sourcePort -spaceCol -standAlone -stats -stringsSep -structure -tabs -tpl -tplFooter -tplHeader -transactionRowCount -username -values -view file </Keywords> | ||
| <Keywords name="Keywords6"></Keywords> | ||
| <Keywords name="Keywords7"></Keywords> | ||
| <Keywords name="Keywords8"></Keywords> | ||
| <Keywords name="Delimiters">00' 01 02' 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23</Keywords> | ||
| </KeywordLists> | ||
| <Styles> | ||
| <WordsStyle name="DEFAULT" fgColor="80FFFF" bgColor="FFFFFF" colorStyle="1" fontStyle="1" nesting="0" /> | ||
| <WordsStyle name="COMMENTS" fgColor="A4A4A4" bgColor="FFFFFF" colorStyle="1" fontStyle="0" nesting="0" /> | ||
| <WordsStyle name="LINE COMMENTS" fgColor="A4A4A4" bgColor="FFFFFF" colorStyle="1" fontStyle="0" nesting="0" /> | ||
| <WordsStyle name="NUMBERS" fgColor="FF6464" bgColor="FFFFFF" colorStyle="1" fontStyle="1" nesting="0" /> | ||
| <WordsStyle name="KEYWORDS1" fgColor="00B9B9" bgColor="FFFFFF" colorStyle="1" fontStyle="0" nesting="0" /> | ||
| <WordsStyle name="KEYWORDS2" fgColor="FF80FF" bgColor="FFFFFF" colorStyle="1" fontStyle="0" nesting="0" /> | ||
| <WordsStyle name="KEYWORDS3" fgColor="F58628" bgColor="FFFFFF" colorStyle="1" fontStyle="0" nesting="0" /> | ||
| <WordsStyle name="KEYWORDS4" fgColor="75CC00" bgColor="FFFFFF" colorStyle="1" fontStyle="0" nesting="0" /> | ||
| <WordsStyle name="KEYWORDS5" fgColor="5AA5F8" bgColor="FFFFFF" colorStyle="1" fontStyle="0" nesting="0" /> | ||
| <WordsStyle name="KEYWORDS6" fgColor="80FFFF" bgColor="FFFFFF" colorStyle="1" fontStyle="0" nesting="0" /> | ||
| <WordsStyle name="KEYWORDS7" fgColor="80FFFF" bgColor="FFFFFF" colorStyle="1" fontStyle="0" nesting="0" /> | ||
| <WordsStyle name="KEYWORDS8" fgColor="80FFFF" bgColor="FFFFFF" colorStyle="1" fontStyle="0" nesting="0" /> | ||
| <WordsStyle name="OPERATORS" fgColor="FFFFFF" bgColor="FFFFFF" colorStyle="1" fontStyle="1" nesting="0" /> | ||
| <WordsStyle name="FOLDER IN CODE1" fgColor="80FFFF" bgColor="FFFFFF" fontStyle="0" nesting="0" /> | ||
| <WordsStyle name="FOLDER IN CODE2" fgColor="80FFFF" bgColor="FFFFFF" fontStyle="0" nesting="0" /> | ||
| <WordsStyle name="FOLDER IN COMMENT" fgColor="80FFFF" bgColor="FFFFFF" fontStyle="0" nesting="0" /> | ||
| <WordsStyle name="DELIMITERS1" fgColor="C2C285" bgColor="FFFFFF" colorStyle="1" fontStyle="0" nesting="0" /> | ||
| <WordsStyle name="DELIMITERS2" fgColor="C2C285" bgColor="FFFFFF" fontStyle="0" nesting="0" /> | ||
| <WordsStyle name="DELIMITERS3" fgColor="80FFFF" bgColor="FFFFFF" fontStyle="0" nesting="0" /> | ||
| <WordsStyle name="DELIMITERS4" fgColor="80FFFF" bgColor="FFFFFF" fontStyle="0" nesting="0" /> | ||
| <WordsStyle name="DELIMITERS5" fgColor="80FFFF" bgColor="FFFFFF" fontStyle="0" nesting="0" /> | ||
| <WordsStyle name="DELIMITERS6" fgColor="80FFFF" bgColor="FFFFFF" fontStyle="0" nesting="0" /> | ||
| <WordsStyle name="DELIMITERS7" fgColor="80FFFF" bgColor="FFFFFF" fontStyle="0" nesting="0" /> | ||
| <WordsStyle name="DELIMITERS8" fgColor="80FFFF" bgColor="FFFFFF" fontStyle="0" nesting="0" /> | ||
| </Styles> | ||
| </UserLang> | ||
| </NotepadPlus> | ||
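Review bot: GitHub flags this file as containing hidden or bidirectional Unicode text, and the Keywords1 list does break mid-list between `s-siteid ` and `s-sitename` while the rest of the list is one space-separated line; that is consistent with a non-printing character (a line or paragraph separator, non-breaking space, or similar) sitting in the keyword list, which Notepad++ would treat as part of a token and would silently leave `s-siteid` or `s-sitename` unhighlighted. Open the file in an editor that reveals hidden characters, replace the character with a plain space, and re-save; the two sample files carry the same warning and should get the same check. Separately, every style in this Dark Mode UDL keeps `bgColor="FFFFFF"`; with `colorStyle="1"` only the foreground colour is applied, so this is harmless today, but setting a dark background value would make the file self-describing and safe if someone later enables the background bit.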
There is an extra trailing space before the closing </Keywords> tag here (... file </Keywords>). While likely harmless, it can introduce an unintended empty token and makes the Dark Mode UDL inconsistent with the Light Mode version; remove the extra whitespace.