Windows Log Files


Today I needed to dig into a client's set of log files. I'm happy with text-based log files, but this time most of the research had to be done on Windows 2003 Server Event Logs. The problem is that in order to view these files you have to be running Windows 2003 Server and you have to use the Event Viewer program (or so I thought).

After having some trouble because I was not aware that Event Viewer is not happy when your files are read-only (as when you are handed a copy on a CD-ROM), I decided there had to be a better way. Unfortunately, Event Viewer's error message just said "wrong parameter", which does not tell you much about the cause of the problem.

A bit of Google and I discovered a software gem called LogParser, which can parse most of the different log files Microsoft OSs and applications create and, to ice the cake, lets you write your queries as SQL statements on the command line. Many input and output formats are supported, and it can also deal with Apache logs in NCSA format if you are running Linux.
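To show what the SQL-on-the-command-line approach looks like on a Security log copied off read-only media, here is an added example (not from the original post); it assumes LogParser.exe is on the PATH, that the saved log sits at the constructed path C:\evidence\Security.evt, and that Event ID 529 (Windows 2003 "logon failure: unknown user name or bad password") has the target user name as the first '|'-separated token of the Strings field.

```batch
@echo off
REM Added example, not code from the post. Assumptions: LogParser.exe on PATH,
REM saved log at C:\evidence\Security.evt (constructed path), and the EVT
REM input format's columns TimeGenerated, EventID, Strings and ComputerName.

REM 1. Failed logons per hour, written to CSV so the result can be reviewed
REM    on any machine. QUANTIZE rounds the timestamp down to the hour.
LogParser -i:EVT -o:CSV "SELECT QUANTIZE(TimeGenerated, 3600) AS Hour, COUNT(*) AS Failures INTO C:\evidence\failed_logons_per_hour.csv FROM C:\evidence\Security.evt WHERE EventID = 529 GROUP BY Hour ORDER BY Hour"

REM 2. Which accounts attract the most failures (assumed Strings layout:
REM    first token = target user). Shown in LogParser's built-in grid.
LogParser -i:EVT -o:DATAGRID "SELECT EXTRACT_TOKEN(Strings, 0, '|') AS TargetUser, ComputerName, COUNT(*) AS Failures FROM C:\evidence\Security.evt WHERE EventID = 529 GROUP BY TargetUser, ComputerName ORDER BY Failures DESC"
```

A spike in query 1, or a single account dominating query 2, is the kind of thing you want to see at a glance before opening the log record by record in a viewer.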

Given that LogParser is a command line tool, there are certain tasks for which a GUI-based tool might seem more appropriate (especially when you are planning on browsing the log contents as opposed to looking for a specific piece of information). A bit more Google and I learned about Event Log Explorer, which is essentially a more user-friendly version of Microsoft Event Viewer, with several nice search and filtering options. This program is not free, but you can download a trial version for free to see if it fits your needs. BTW, be warned that this program (like MS Event Viewer) won't work if your log files are on read-only media.

Event Log files tend to get quite large if you monitor many activities (or if you have many users, or just a few but very active ones), but the good news is that these files are highly compressible. A quick test revealed that WinRAR packed more than 536 MB of .evt files into just 18 MB (almost a 30:1 ratio). Next time you are told the system will be wasting lots of hard disk space because you are keeping the logs for a while, you know the answer to fight back.

Comments

Paul Cooley said…
In response to your question you left on Linux Lore:

I agree completely, LogParser is indeed a powerful tool. However, I've not heard nor have I seen anything that indicates it has been made available for Linux. Maybe one day, but it isn't today.

Paul Cooley

misan said…
Thanks for the feedback.

I haven't tried to use LogParser over wine yet (or Codeweaver's CrossOver Office) but it might work.

Cheers,

Miguel
