Windows: Export and Analyze the Windows Eventlog


Aleks over at http://www.virtualistic.nl has posted a nice article about exporting the Windows eventlogs to a central share on the network via a scheduled job.

Since I reboot my Terminal Servers every day, I’ve made saving the eventlogs a part of my daily reboot script.

First off, download the tools DUMPEVT, LOGEVENT and PSLOGLIST (the last one is optional: you can also use DUMPEVT to clear the logs). These tools save the log files, clear them, and record in the event log what we did.

My reboot script is written in KiXtart, but that is up to you (use cmd, VBScript or PowerShell if you know how).

A little chunk of the script looks like this.

The following things happen in this example:
1) A directory is created to save the log files (YEAR-MONTH-DAY)
2) We then use DUMPEVT to save the System, Application and Security logs to the location created in step 1
3) PSLogList is used to clear the event logs we saved in step 2
4) Then we use LogEvent to log that we cleared the logs (are you still there?)
If everything went smoothly you should see this list at the file server location where the event logs have been stored.
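The same four steps written in PowerShell with built-in cmdlets (Get-WinEvent, wevtutil, Write-EventLog) instead of DUMPEVT/PSLOGLIST/LOGEVENT; this is an added example, not the author's script, and the share path \\fileserver\eventlogs and the event source name DailyLogExport are assumptions.

```powershell
# Added example: daily export-and-clear of the Windows event logs with built-in
# cmdlets. Run from an elevated PowerShell. The share and source name are assumed.
$Share  = '\\fileserver\eventlogs'   # assumed central share
$Source = 'DailyLogExport'           # assumed event source for step 4
$Logs   = 'System', 'Application', 'Security'

# Step 1: one folder per host per day, e.g. \\fileserver\eventlogs\TS01\2009-03-17
$Folder = Join-Path $Share (Join-Path $env:COMPUTERNAME (Get-Date -Format 'yyyy-MM-dd'))
New-Item -ItemType Directory -Path $Folder -Force | Out-Null

# Register our source once so step 4 can write to the Application log
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}

foreach ($Log in $Logs) {
    # Step 2: export as CSV (easy to grep) and as native .evtx (keeps full record fidelity)
    $Csv  = Join-Path $Folder "$Log.csv"
    $Evtx = Join-Path $Folder "$Log.evtx"
    Get-WinEvent -LogName $Log -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, MachineName, Message |
        Export-Csv -Path $Csv -NoTypeInformation -Encoding UTF8
    wevtutil epl $Log $Evtx /ow:true

    # Only clear when the export really landed on the share; otherwise keep the evidence
    if ((Test-Path $Evtx) -and (Get-Item $Evtx).Length -gt 0) {
        # Step 3: clear the log (the Security log records this itself as event ID 1102)
        wevtutil cl $Log
        $Msg  = "Exported $Log to $Evtx and $Csv, then cleared it."
        $Type = 'Information'
    } else {
        $Msg  = "Export of $Log to $Folder FAILED; the log was NOT cleared."
        $Type = 'Error'
    }
    # Step 4: leave a record of what we did in the Application log
    Write-EventLog -LogName Application -Source $Source -EventId 1000 -EntryType $Type -Message $Msg
}
```

The export is checked before the log is cleared, because clearing without a successful copy destroys the only record. Clearing the Security log writes event 1102 and clearing the System log writes event 104, so whoever monitors these servers should expect those IDs at the daily reboot time and treat them as suspicious at any other time.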

I asked Aleks which tool he used for analyzing his eventlog .csv files. He came up with UltraEdit and I must say it works fantastically, but I wanted to see if there were more options. First I wanted to analyze the log files with PowerShell, but this was too heavy for me (at the moment 😉 ). A couple of days ago I saw a tool called BareGrep.exe. This is grep (the Unix/Linux command-line search tool) with a Windows GUI. BareGrep is a single executable, so you don't have to install anything.

After downloading BareGrep.exe, just double-click it to start the tool. Select the options you want to use, enter the folder/path and, as the final step, enter your keyword(s) and press Return.


After a couple of seconds (depending on how many log files you search in), BareGrep lists the matching lines.


You can open the specific file by double-clicking on a line.

Conclusion: you can build a central store for all the event logs and analyze these files with different tools. I like BareGrep for this job because it's free, a single file, and easy to use.
