Windows NT - Event Logging - Problems and Solutions

(This page is also available in German.)

This page was last updated 09. March 1998.

------------------------------------------------------------------------

Copyright © 1997-1998 Frank Heyne.

If you want to put this page on your own web server, please refrain and use a link instead. The reason is simple: I don't want old copies with old versions of my programs lying around on the web. For those people who are not sure whether they are viewing the page on a mirrored site: the address of the original page is http://rcswww.urz.tu-dresden.de/~fh/nt/eventlog/index.html

------------------------------------------------------------------------

On this page you will find tools to

* Save
* Clean
* Evaluate
* View and watch

event logs, as well as a little FAQ regarding event logging on Windows NT.

------------------------------------------------------------------------

If you have questions which are not answered in my eventlog FAQ (or if you have answers to eventlog questions which are not in there ;) you can mail me, of course.

------------------------------------------------------------------------

Problem 1:

There is no utility delivered with Windows NT to schedule an automatic saving and clearing of the event log.

Solution 1:

I wrote a little tool which does the job. Independently of how often you run it, 3 files per month are created, called year_month_computer_xxx.evt, where xxx is Application, Security or System. For instance, the System log from a computer called UFO saved during July will be named 1997_07_UFO_System.evt. If this log contains events from earlier months, it will be split into the appropriate number of files, each of them containing only the events of one month. The option /A allows you to save the logs of the entire domain with one command!

This tool is Freeware and small (27 KB). Download version 2.2 of EventSave.zip.
This version works with logs in overwrite mode, too ;-)

------------------------------------------------------------------------

Problem 2:

For different reasons it is quite useful to keep saved event logs over a long time. But sometimes events of lower importance flood the log, and you would like a tool that removes all occurrences of events with one particular ID.

Solution 2:

There is a little tool which does the job with saved eventlog files. It is Freeware and small (20 KB). Download version 1.3 of EventDel.zip. There is no way of deleting single events from the current (live) logs, by the way!

------------------------------------------------------------------------

Problem 3:

There you are with your event log files. But you want to know when and for how long which user logged on to which computer, or how many pages every user printed, or some other useful information. How will you get this information without doing your own calculations?

Solution 3:

There is a collection of tools, called "Report Event for Windows NT", which does these jobs. Every tool offers abundant possibilities for the evaluation of one or two specific events. You can choose whether you want the report in text format or as data records, whether you want summaries per user or exhaustive reports per event, and more.

You can even choose whether the output is in the OEM or ANSI character set. As you will know, OEM is the usual character set of the command line window; use this option if the output of the utility will not be piped and is therefore printed on the screen. ANSI is the usual character set for most GUI programs; use this option if you pipe the output of the utility into a file which will later be processed with a GUI program.

"Report Event for Windows NT" is cheap Shareware. You can test every module of it for 4 weeks.
If you find at least one of them useful and you are willing to use it longer than 4 weeks, you pay a small registration fee and get a disk with the unrestricted versions of all released modules. Pay once and use all modules available! There are English and German versions of every tool available. To download the German versions, jump to the German page.

At this time, the following tools are available:

EventList (Version 2.8, 34 KB) evaluates all or some logfiles. It gives a short summary about the kind and number of events in every file.

R528 (Version 3.2, 42 KB) evaluates the events 528 and 538 of the Security log. It tells you how long every user session continued, how many times every user was logged in, and more.

R529 (Version 2.8, 41 KB) evaluates the events 529 and 528 of the Security log. The program tells you with which account name, on what machine and at what time somebody failed to log on. It tells you whether the attempt was made locally or via the network. It tells you how many attempts made up an attack and how long it was going on. To count 2 attempts towards the same attack, they must proceed from the same computer and the time difference between them must be less than 5 minutes. The program also tells you whether the attack was successful or not. To consider an attack successful, there must be a successful logon (event 528) from the same machine within the time window of 5 minutes after the last failed attempt.

R592 (Version 1.0, 40 KB) evaluates the events 592 and 593 of the Security log. It tells you which programs were used by which users, how often and for how long. You can get long lists (one line per event) or a summary, sorted by user (only available in the registered version) or by program name.

R20050 (Version 3.0, 37 KB) evaluates the RAS events 20050 and 20048 (connections to the RAS server) in the System log. It tells you how long every user was logged in via RAS (per job or as a summary over all jobs).
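The attack grouping that R529 performs on failed logons is described in words above; the following script is an added example (not R529's own code, nor any code from this page) that applies the same two rules to a handful of constructed Security log records: failed logons (event 529) from the same computer less than 5 minutes apart form one attack, and an attack counts as successful if a successful logon (event 528) from the same machine follows within 5 minutes of the last failure. The record field names, the sample values and the choice of the originating workstation name as "the same computer" are assumptions of this example.

```python
from datetime import datetime, timedelta

# Time window from the page's description of R529: two failures from the
# same computer less than 5 minutes apart belong to one attack, and a
# successful logon from that computer within 5 minutes after the last
# failure makes the attack count as successful.
WINDOW = timedelta(minutes=5)

# Constructed sample records (not real log data). Field names are
# assumptions for this example; "workstation" is the machine the attempt
# came from, which is how this example interprets "the same computer".
SAMPLE_EVENTS = [
    {"time": "1997-07-03 08:00:00", "id": 529, "account": "admin", "workstation": "PC12", "network": True},
    {"time": "1997-07-03 08:01:30", "id": 529, "account": "admin", "workstation": "PC12", "network": True},
    {"time": "1997-07-03 08:03:10", "id": 529, "account": "admin", "workstation": "PC12", "network": True},
    {"time": "1997-07-03 08:05:00", "id": 528, "account": "admin", "workstation": "PC12", "network": True},
    {"time": "1997-07-03 12:00:00", "id": 529, "account": "guest", "workstation": "PC07", "network": False},
    {"time": "1997-07-03 12:02:00", "id": 528, "account": "guest", "workstation": "PC99", "network": True},
    {"time": "1997-07-03 12:30:00", "id": 529, "account": "guest", "workstation": "PC07", "network": False},
]


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def group_attacks(events, window=WINDOW):
    """Group event 529 records into attacks and mark each as successful or not."""
    ordered = sorted(events, key=lambda e: parse_time(e["time"]))
    failures = [e for e in ordered if e["id"] == 529]
    successes = [e for e in ordered if e["id"] == 528]

    attacks = []
    open_attack = {}  # workstation -> attack that may still be extended
    for f in failures:
        t = parse_time(f["time"])
        ws = f["workstation"]
        a = open_attack.get(ws)
        if a is not None and t - a["last"] < window:
            # Same computer, less than 5 minutes after the previous failure.
            a["attempts"] += 1
            a["last"] = t
            a["accounts"].add(f["account"])
        else:
            a = {
                "workstation": ws,
                "first": t,
                "last": t,
                "attempts": 1,
                "accounts": {f["account"]},
                "network": f["network"],
            }
            attacks.append(a)
            open_attack[ws] = a

    for a in attacks:
        a["duration_s"] = int((a["last"] - a["first"]).total_seconds())
        # Successful only if a 528 from the same machine lands inside the
        # 5-minute window after the last failed attempt.
        a["successful"] = any(
            s["workstation"] == a["workstation"]
            and a["last"] < parse_time(s["time"]) <= a["last"] + window
            for s in successes
        )
        a["accounts"] = sorted(a["accounts"])
    return attacks


def report(attacks):
    """One text line per attack, in the spirit of the tool's text report."""
    lines = []
    for a in attacks:
        lines.append(
            "%s %-5s %-7s attempts=%d duration=%ds accounts=%s successful=%s"
            % (a["first"].strftime("%Y-%m-%d %H:%M:%S"), a["workstation"],
               "network" if a["network"] else "local",
               a["attempts"], a["duration_s"], ",".join(a["accounts"]),
               "yes" if a["successful"] else "no")
        )
    return lines


if __name__ == "__main__":
    for line in report(group_attacks(SAMPLE_EVENTS)):
        print(line)
```

With the constructed records the script reports three attacks: three failures from PC12 within 190 seconds followed by a 528 from PC12 (successful), and two single failures from PC07 half an hour apart, neither of them successful because the only nearby 528 came from a different machine.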
RP10.exe (Version 2.8, 38 KB) evaluates the print event 10 (print jobs) in the System log. It tells you how many pages every user printed (per job or as a summary per printer). If the System log has no information about the number of pages printed, the number of bytes is reported. If you want to use this tool, first read the documentation carefully; it gives you some hints about what you can not expect from the print data written to the Eventlog!

------------------------------------------------------------------------

Problem 4:

You are not too happy with the standard Event Viewer? And you probably want to get a hint when a critical event occurs, not some time later?

Solution 4:

Use Elwiz - the EventLog WIZard. Elwiz is an Eventlog viewer. Eventvwr.exe already comes with Windows NT, so why should anybody use Elwiz? Elwiz can do nearly everything Event Viewer can do, and using Elwiz is much more convenient. Opening another eventlog needs far fewer mouse clicks. There is no need to double-click an event to see all its details; you get them by default.

What can you do with Elwiz?

* You can sort the log you are viewing by Source, Category, Event-ID, Computer or Account.
* You can filter it in different ways, too.
* You can save an active log into file(s) while clearing it.
* You can save the open log into a tab delimited text file. If the open log is filtered, only the filtered log entries will be written to the file. No need to bother with file names: Elwiz will always suggest a filename which does not exist yet.
* And Elwiz is more. It is an Event Watcher, too. You can tell it which machines it should watch. Immediately after an event occurs at a watched machine, a window will pop up on your screen and show you all details. Probably you don't want the popup for every event, so you can filter the popups precisely by Eventgroup, Event-ID, User-ID, machine and even strings in the event description.
* There is an option to scan all the events which occurred since you exited Elwiz the last time. Even if the logs were saved by EventSave in the meantime, Elwiz will show you these events (if the working directories of Elwiz and EventSave are the same).
* And Elwiz is yet more. You can see who is logged on (locally as well as remotely) at each of the watched machines. For every user you can see available details like the number of successful or failed logons, how old the password is and so on. It tells you the uptime and eventlog settings of the machines. You can change all the eventlog settings including the CrashOnAuditFail registry key.
* You can take a snapshot to see how much of the disk, pagefile and registry space is free. A nice graphic shows all this info at a glance. You can print it out, if you want.

What do you need to run Elwiz successfully?

* You must be logged on with an account which has Administrator rights at every machine you want to watch or whose event logs you want to view.

Download the Freeware version 1.15 of Elwiz (314 KB), which allows you to watch 3 machines simultaneously. If you need to watch more machines, you can upgrade to a registered version. If you already have an older version of Elwiz, you might want to have a look at the history of the program first. I strongly recommend you read the file Read_Me!.wri once again ;-)

------------------------------------------------------------------------

Readers of this page are counted since 14. October 1996.
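Returning to EventSave from Solution 1: its file naming (year_month_computer_xxx.evt) and the splitting of one saved log into one file per month are described there in words. The following script is an added example (not EventSave's own code, nor any code from this page) that implements that bucketing over constructed System log records, and also shows the point behind "independently of how often you run it": a second run over a log that overlaps what was saved before must not write the same events twice. The record field names, the sample values and the use of the event record number to recognise already-saved events are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real log data). "record" stands in for the
# event log record number; this example assumes it identifies an event within
# a log. Record numbers are only unique until the log is cleared, so a real
# tool would also have to notice a cleared log before trusting them.
SYSTEM_LOG = [
    {"record": 1001, "time": "1997-06-28 23:15:00", "id": 6005},
    {"record": 1002, "time": "1997-06-30 08:00:00", "id": 10},
    {"record": 1003, "time": "1997-07-01 00:10:00", "id": 10},
    {"record": 1004, "time": "1997-07-02 14:30:00", "id": 20050},
]


def file_name(event_time, computer, log_name):
    """Build year_month_computer_xxx.evt as described for EventSave."""
    t = datetime.strptime(event_time, "%Y-%m-%d %H:%M:%S")
    return "%04d_%02d_%s_%s.evt" % (t.year, t.month, computer, log_name)


def split_by_month(events, computer, log_name, already_saved=None):
    """Bucket events into one file per month, skipping records saved earlier.

    already_saved maps file name -> events from previous runs (an in-memory
    stand-in for the files on disk, an assumption of this example). The merged
    mapping is returned, so running it again over an overlapping log adds only
    the events that are new.
    """
    merged = defaultdict(list)
    if already_saved:
        for name, saved in already_saved.items():
            merged[name].extend(saved)
    seen = {(name, e["record"]) for name, evs in merged.items() for e in evs}

    for e in events:
        name = file_name(e["time"], computer, log_name)
        if (name, e["record"]) in seen:
            continue  # already in the monthly file from an earlier run
        merged[name].append(e)
        seen.add((name, e["record"]))
    return dict(merged)


if __name__ == "__main__":
    first_run = split_by_month(SYSTEM_LOG[:3], "UFO", "System")
    second_run = split_by_month(SYSTEM_LOG, "UFO", "System", already_saved=first_run)
    for name in sorted(second_run):
        print(name, [e["record"] for e in second_run[name]])
```

The first run over the first three records produces 1997_06_UFO_System.evt with two events and 1997_07_UFO_System.evt with one; the second run over the full log adds only record 1004 to the July file and leaves June untouched.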