A change to the fields in the Netlogon.log file from Windows 2012 and above

by Jeremy Saunders on December 13, 2013

If you collate and report on the Netlogon.log files from Domain Controllers, you’ll notice that many existing scripts may fail to correctly split the lines when processing the logs from Windows 2012 Domain Controllers; unless of course you’ve already noticed and made an allowance for it.

Here is a sample of the contents from a Windows 2008 R2 Netlogon.log file:


Here is a sample of the contents from a Windows 2012 R2 Netlogon.log file:


The additional field in square brackets is the process ID (PID). This is a new feature introduced in Windows Server 2012, Windows 8 and above: Netlogon.log now records the process ID of the application logging the event. As a result, the fields in Netlogon.log differ from those of older Windows operating systems.

I have not read or found a single article from Microsoft to explain this other than one mention in a TechNet blog.

I’m not complaining, as this is very handy information, but it had broken a couple of my scripts as it caught me by surprise. It would be nice if Microsoft had released updates for older OSes too.

It’s no big deal, and easily fixed in a script by either processing the fields differently depending on OS version or simply using a regular expression to remove the PID field when you get the contents of the Netlogon.log file using the Get-Content cmdlet.

For example:

# Strip the "[PID] " field added by Windows 2012 and above so every line has the older layout
$NetlogonLog = Get-Content -Path $pathtothenetlogondotlogfile\Netlogon.log |
  ForEach-Object {$_ -replace "\[\d{1,5}\] ", ""}

So now when you export this to a CSV, all fields across all Netlogon.log files will be consistent.
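The other option mentioned above, handling both layouts instead of discarding the PID, is sketched here as an added example; it is not from the original post or the author's full script. It assumes each line is laid out as date, time, [category], an optional [PID], then the message. The function name, the column names and the sample lines are all constructed for illustration.

```powershell
# Constructed sample lines (not taken from a real log): the first uses the
# pre-2012 layout, the second the Windows 2012+ layout with the [PID] field.
$sampleLines = @(
    '12/10 09:15:02 [LOGON] EXAMPLE: SamLogon: Network logon of EXAMPLE\alice from WKS01 Entered',
    '12/10 09:15:03 [LOGON] [1234] EXAMPLE: SamLogon: Network logon of EXAMPLE\bob from WKS02 Entered',
    'this line does not match the assumed layout'
)

# Hypothetical helper: turns one Netlogon.log line into an object whose
# columns are the same whether or not the line carries a PID.
function ConvertFrom-NetlogonLine {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string]$Line
    )
    begin {
        # Date, time, [Category], optional [PID], then the rest of the message.
        $pattern = '^(?<Date>\d{2}/\d{2}) (?<Time>\d{2}:\d{2}:\d{2}) ' +
                   '\[(?<Category>[^\]]+)\] (?:\[(?<ProcessId>\d+)\] )?(?<Message>.*)$'
    }
    process {
        if ($Line -match $pattern) {
            # $Matches only holds groups that took part in the match, so the
            # ProcessId key is absent for lines in the older layout.
            [pscustomobject]@{
                Date      = $Matches['Date']
                Time      = $Matches['Time']
                Category  = $Matches['Category']
                ProcessId = if ($Matches.ContainsKey('ProcessId')) { $Matches['ProcessId'] } else { '' }
                Message   = $Matches['Message']
            }
        }
        else {
            # Surface unexpected lines instead of silently shifting columns.
            Write-Warning "Skipped line that does not match the assumed layout: $Line"
        }
    }
}

# Both layouts end up with identical CSV columns; ProcessId is empty for the older one.
$sampleLines | ConvertFrom-NetlogonLine | ConvertTo-Csv -NoTypeInformation
```

Keeping the PID as its own column, rather than stripping it, preserves which process logged each event on Domain Controllers that record it.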

I hope this quick post helps to remove any confusion.

See here for the full script.
