RE: [logs] NT Logs

From: dgillettat_private
Date: Thu Feb 07 2002 - 01:39:38 PST


    1.  I wrote code a couple of years back to collect event logs from 
    the machines on my network.  It's not that hard, except when the 
    event sequence number eventually rolls over, or when an old machine 
    is replaced by a new one with the same name.
    
    2.  The event descriptions come from text resources in the .DLL file 
    specified in the registry entries defining the event source.  There 
    is no inherent reason why this has ANYTHING to do with PerfLib, 
    although there may very well be applications out there that choose to 
    put both into the same .DLL file.
      Note that the application does not need to be installed; the .DLL 
    file just has to be present at the location specified in the EventLog 
    section of the registry.
    
    Dave Gillett
    
    
    On 4 Feb 2002, at 14:59, Richardson, Stephan wrote:
    
    > Gonzalo,
    >     A nice tool that I have found is called EventCl, by Gareth Isaac, here:
    > http://www.mobiusware.com/freeware
    > This will allow you to consolidate your NT server logs, System, Application,
    > and Security to one system.  The logs for each system will be there after
    > you dump them, which can be done from a batch file, automated, etc.  You
    > will have to 'consolidate' them together yourself.   I am sure that is
    > something you can do with Perl fairly easily or at least with some basic NT
    > shell commands.  DumpEl from the NT Resource Kit will do the same, but
    > EventCl allows for log renaming, autosave to another system, etc., which I
    > find works nicely.
    >  
    >     Regarding the EventID descriptions, those come from the Performance
    > Monitor Libraries, (PerfLib) for the particular application/system in
    > question.  For instance, if you want to view MS Exchange Performance
    > counters, you need to have Exchange loaded (at least the Administrator
    > program) on the PC in question.  Or you could try to 'hack' the performance
    > libraries onto the log station using the lodctr util mentioned here.  Where
    > you can locate the other perflibs for other things like SQL, etcetera, is
    > something I do not know.
    >     I tried this once in the lab, with 'some' success.  YMMV
    >  
    > XADM: Restoring Lost Performance Counters for Exchange (Q156494)
    > http://support.microsoft.com/default.aspx?scid=kb;EN-US;q156494
    >  
    > Steve
    >  
    > Verbose mode for Nate's signature.
    >  
    > This system has detected ambulatory rodentia, the operating system must be
    > reinitialized for full functionality.  System restarting....
    > (Since when did Windoze/InternetExploder/LookOut actually ask for permission
    > to restart?)
    > 
    >   -----Original Message-----
    > From: Gonzalo Garcia [mailto:GO_GARCIAat_private]
    > Sent: Monday, February 04, 2002 7:40 AM
    > To: loganalysisat_private
    > Subject: [logs] NT Logs
    > 
    > 
    > 
    > Hi, I'm trying to do some work with NT logs and I have some questions.
    >  
    > Is it possible to send all the logs to only one machine?  I have a PDC and 30
    > BDCs, and it would be excellent to get the logs from only one server.
    >  
    > Where can I get the EventID descriptions ?
    >  
    > I'm writing a tiny Perl script using the Win32::EventLog module.  It works fine
    > with the system logs, but when I try to read the security logs and call the
    > $hash->read(args ....) method, the User key of the hashref is not in text.
    > I've read some documents and there are "masks" to apply to some keys (e.g.
    > TimeGenerated), but I could not find the mask, if any, for the User key.  Does
    > someone have some experience with this?  ($Win32::EventLog::GetMessageText
    > is already set to 1.) 
    >  
    > Does anyone know how to do this stuff using MFC or any non-commercial
    > software?  I just want to read the logs and, according to the EventID, send a
    > message (maybe the whole record) to a DB server.
    >  
    >  
    >  
    >  
    > Sorry about my English. 
    > Thanks in advance,
    > Gonzalo S. García.
    >  
    >  
    >  
    >  
    >  
    > 
    > 
    > ---------------------------------------------------------------------
    > To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    > For additional commands, e-mail: loganalysis-helpat_private
    > 
    > 
    > 
    
    
    
    
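An added example, not code from anyone in this thread, of the collector Dave describes and the Security-log read Gonzalo asks about: it resumes from a saved record number, falls back to the oldest record when the counter has rolled over or the log belongs to a rebuilt host, and resolves the binary User SID to an account name. It assumes ActivePerl with Win32::EventLog and Win32 on an NT/2000 host; the server name and cursor file are placeholders, and Message is only filled when the source's message DLL is registered as Dave explains.

```perl
#!/usr/bin/perl
# Added example: incremental Security-log collector (not code from this thread).
# Assumes Win32::EventLog and Win32; PDC-NAME is a placeholder computer name.
use strict;
use warnings;
use Win32;
use Win32::EventLog;

$Win32::EventLog::GetMessageText = 1;   # fill $rec->{Message} from the source's message DLL

my $server = '\\\\PDC-NAME';            # placeholder: machine whose log we read
my $cursor = 'cursor-security-PDC-NAME.txt';   # placeholder: last record seen

my $log = Win32::EventLog->new('Security', $server)
    or die "open Security log on $server: $^E\n";
$log->GetNumber(my $count) or die "GetNumber: $^E\n";
$log->GetOldest(my $oldest) or die "GetOldest: $^E\n";
my $newest = $oldest + $count - 1;

# Resume after the last record we stored. If that number is outside the range
# the log currently holds (log cleared, counter rolled over, host rebuilt with
# the same name), restart from the oldest record instead of silently skipping.
my $last = 0;
if (open my $fh, '<', $cursor) { $last = <$fh>; close $fh; }
$last = 0 unless defined $last && $last =~ /^\s*(\d+)\s*$/;
$last = $1 if $last;
$last = $oldest - 1 if $last < $oldest - 1 || $last > $newest;

for my $n ($last + 1 .. $newest) {
    $log->Read(EVENTLOG_FORWARDS_READ | EVENTLOG_SEEK_READ, $n, my $rec)
        or die "Read record $n: $^E\n";
    my $msg = defined $rec->{Message} ? $rec->{Message} : '';
    $msg =~ s/\s+/ /g;                   # keep one record per output line
    print join("\t", $rec->{RecordNumber}, scalar localtime($rec->{TimeGenerated}),
               $rec->{Computer}, $rec->{Source}, $rec->{EventID} & 0xFFFF,
               sid_to_name($server, $rec->{User}), $msg), "\n";
    $last = $rec->{RecordNumber};
}

open my $out, '>', $cursor or die "write $cursor: $!\n";
print $out "$last\n";
close $out;

# The User key is a binary SID, not text; look it up against the account database.
sub sid_to_name {
    my ($system, $sid) = @_;
    return '-' unless defined $sid && length $sid;
    my ($account, $domain, $type);
    return Win32::LookupAccountSID($system, $sid, $account, $domain, $type)
        ? "$domain\\$account" : '(unresolved SID)';
}
```

The low 16 bits of EventID are the number shown in Event Viewer; the upper bits carry the facility and severity, so mask them before matching on IDs.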



    This archive was generated by hypermail 2b30 : Thu Feb 07 2002 - 10:28:32 PST