Microsoft Logparser and Log Parser Lizard are very powerful tools for querying various data sources, including Windows Event Logs. You don't have to be an expert programmer to write simple queries, but basic knowledge of SQL and its syntax helps. You can search for examples on the Internet on sites like this and this, and it is worth reading Logparser's help, which also has a comprehensive reference on query syntax. There are also a number of examples in Log Parser Lizard that you should explore and play with. Once you have mastered writing queries, you can write very complex queries for whatever data analysis you need.
Anyway, here is a simple tutorial on how to use Log Parser Lizard:
1. Run the program and click on toolbar button “New Query”. A new query window will open.
2. Click on "Input Format" and select "Windows Event Log" (the 2nd one).
3. Write the query and click “Run Query” to get results.
Here are some sample queries for the event log:
Get all errors from the System log (EventType=1):
select * from System where EventType=1
This query returns the first 100 events with EventID=1053 from the Application log:
select TOP 100 * from application WHERE EventID=1053
And this query will prompt for the EventID when it is run:
select top 100 * from Application where EventID=<% return Microsoft.VisualBasic.Interaction.InputBox("Please enter Event ID","Event ID","1053") %>
This counts the events in the System log grouped by event type. You can see a nice chart of the result by clicking "Display Chart":
select EventTypeName, count(*) as [Number of events] from System group by EventTypeName
You can select logs from a saved file too:
SELECT * FROM 'C:\logs\System.evtx' WHERE EventType=1
To select event logs on a different server, you can write queries like this:
SELECT TOP 100 * FROM \\SERVERNAME\System
or, to access multiple servers in one query, try this:
SELECT TOP 100 * FROM \\SERVERNAME1\System, \\SERVERNAME2\System
The user that runs the query must have appropriate permissions to access the event log (for instance, domain admin). Also note that you can't parse Windows 7 .evtx event files on a Windows XP PC, which supports only the legacy .evt log format, and vice versa: you can't read .evt log files on Windows 7.
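As an added example (not from the original post), here is a query built from the same clauses that shows which sources raise the most errors and warnings in the System log and when they were first and last seen. It assumes Logparser's Windows Event Log input format, so the same query works unchanged against a saved .evtx file or \\SERVERNAME\System in place of System.

```sql
-- Added example, not from the original post.
-- Summarise Error (EventType=1) and Warning (EventType=2) events in the
-- System log by source and EventID, most frequent first.
-- Logparser separates IN-list values with semicolons, not commas.
SELECT TOP 20
       SourceName,
       EventID,
       EventTypeName,
       COUNT(*)           AS [Number of events],
       MIN(TimeGenerated) AS FirstSeen,
       MAX(TimeGenerated) AS LastSeen
FROM System
WHERE EventType IN (1; 2)
GROUP BY SourceName, EventID, EventTypeName
ORDER BY [Number of events] DESC
```

Clicking "Display Chart" on this result gives a quick view of which sources dominate the error volume, and a sudden change in FirstSeen/LastSeen for a source is a useful prompt to look at that period more closely.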
I hope this was helpful and you will enjoy using Log Parser Lizard as many others do :)