Hi Muhammad,

Windows XP supports the same event set on all SKUs.

Thanks,
Eric

-----Original Message-----
From: loganalysis-bounces+ericf=windows.microsoft.com@private [mailto:loganalysis-bounces+ericf=windows.microsoft.com@private] On Behalf Of Phil Hollows
Sent: Monday, June 13, 2005 10:50 AM
To: Muhammad Khan; loganalysis@private
Subject: [logs] Re: Windows Event Logs

Muhammad:

Re: (1) %1 %2 ... are message-specific parameters that can only be resolved by accessing the relevant message DLLs that ship with the product creating the message. This is true regardless of the platform (WinNT, 2k and XP). Resolving these requires that the application reading the log also access the registry to determine the DLL, extract the message text using the ID(s) in the event log data, and then format the resulting string with the Win32 API function FormatMessage(). It's fairly complex Win32 API code which can take a long time to build and test (the protocol allows for multiple message DLLs which have to be prioritized, etc.), which is why many event log shell covers simply don't bother.

It gets a lot worse when you are looking for remote log reading, because the DLL and registry key you're after are on the remote system. Also you run into performance and scalability issues as remote calls run over the network, so you then have to write a smarter log reader to be able to handle the volume.

Even on local machines, you may see %1 etc. in the event log - what this means is that the event viewer either couldn't locate the DLLs (because they're not there or the registry hasn't been set up correctly), or that the message ID in the event log isn't in the DLL that it found.

If you need all the data properly populated and you want to write it yourself then you have to do a lot of work on Google and MSDN to find the right samples (it isn't obvious, unfortunately, as this is relatively arcane) and be a decent Windows API developer. Or acquire a third party tool that will do this for you.

Thanks,
Phil Hollows
OpenService, Inc.
www.openservice.com

-----Original Message-----
From: loganalysis-bounces+phil=open.com@private [mailto:loganalysis-bounces+phil=open.com@private] On Behalf Of Muhammad Khan
Sent: Monday, June 13, 2005 7:33 AM
To: loganalysis@private
Subject: [logs] Windows Event Logs

Hi Eric,

Thanks for your kind assistance and providing links for Windows Security logs. This information is really useful. I had two questions.

1. The event logs in Windows 2000, XP, 2003 are stored in .evt format. I am interested in studying the information stored in parameters labelled as %1, %2 etc. Could you please guide me how I can directly or indirectly read these parameters separately? Though the whole information of all the parameters of an event is accessible through the "Message" property of the "LogEntry" class of the .NET Framework, I want to access each parameter separately. How can I do it?

2. How do the "Home" and "Professional" editions of XP differ, with particular reference to the events they generate?

I shall be grateful for your kind help in this regard.

regards,
Muhammad Naeem Khan

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
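The mechanism Phil describes, as an added example that is not code from the thread: a parser for the on-disk EVENTLOGRECORD structure that keeps each %1, %2 ... insertion string separate (the same values that the .NET EventLogEntry.ReplacementStrings property exposes), followed by a FormatMessage()-style substitution of those strings into a message template. The registry EventMessageFile lookup and the message DLL are stood in for by a constructed dictionary; the source name ExampleApp, event ID 1000, the template and the record contents are all constructed, so the block runs offline with no Windows dependency.

```python
"""Parse a Windows NT-style EVENTLOGRECORD and resolve its %1..%n insertion strings
against a message template the way FormatMessage() does.

Added example for the thread above; not code from the list. The message catalog,
source name, event ID and record contents are constructed for illustration.
"""
import re
import struct

# Fixed part of EVENTLOGRECORD (winnt.h): 6 DWORDs, 4 WORDs, 6 DWORDs = 56 bytes.
HEADER = struct.Struct("<6I4H6I")
LFLE_SIGNATURE = 0x654C664C  # the ASCII "LfLe" marker in the Reserved field

# Stand-in for the registry EventMessageFile lookup plus the DLL's message table.
# Constructed: a real reader would load the DLL named in the registry for the source.
MESSAGE_CATALOG = {
    ("ExampleApp", 1000): "User %1 logged on from %2 (logon type %3).%nShare usage: 100%%",
}

_PLACEHOLDER = re.compile(r"%(%|n|\d{1,2})")


def _read_wstr(buf, offset):
    """Read a NUL-terminated UTF-16LE string at offset; return (text, offset after NUL)."""
    end = offset
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[offset:end].decode("utf-16-le"), end + 2


def build_record(record_number, event_id, source, computer, strings,
                 event_type=4, category=0, time_generated=0):
    """Serialize a minimal EVENTLOGRECORD (no SID, no binary data). Used here to
    construct sample input, but it follows the real layout, so parse_record can
    equally be pointed at record bytes read out of an .evt file."""
    def w(s):
        return s.encode("utf-16-le") + b"\x00\x00"
    body = w(source) + w(computer)
    string_offset = HEADER.size + len(body)
    body += b"".join(w(s) for s in strings)
    body += b"\x00" * ((-len(body)) % 4)       # records are DWORD aligned
    tail_offset = HEADER.size + len(body)      # the empty SID and data fields live here
    length = tail_offset + 4                   # trailing copy of Length closes the record
    header = HEADER.pack(length, LFLE_SIGNATURE, record_number, time_generated,
                         time_generated, event_id, event_type, len(strings),
                         category, 0, 0, string_offset, 0, tail_offset, 0, tail_offset)
    return header + body + struct.pack("<I", length)


def parse_record(buf):
    """Split one EVENTLOGRECORD into its fields, keeping every insertion string separate."""
    (length, signature, record_number, time_generated, time_written, event_id,
     event_type, num_strings, category, _flags, _closing, string_offset,
     sid_length, sid_offset, data_length, data_offset) = HEADER.unpack_from(buf, 0)
    if signature != LFLE_SIGNATURE:
        raise ValueError("not an EVENTLOGRECORD (bad LfLe signature)")
    if struct.unpack_from("<I", buf, length - 4)[0] != length:
        raise ValueError("trailing length does not match header length")
    source, pos = _read_wstr(buf, HEADER.size)
    computer, _ = _read_wstr(buf, pos)
    strings, pos = [], string_offset
    for _ in range(num_strings):
        text, pos = _read_wstr(buf, pos)
        strings.append(text)
    return {
        "record_number": record_number,
        "time_generated": time_generated,
        "time_written": time_written,
        "event_id": event_id & 0xFFFF,  # Event Viewer shows the low word; high bits hold severity/facility
        "event_type": event_type,
        "category": category,
        "source": source,
        "computer": computer,
        "sid": buf[sid_offset:sid_offset + sid_length],
        "strings": strings,
        "data": buf[data_offset:data_offset + data_length],
    }


def format_message(template, strings):
    """FormatMessage()-style substitution: %1..%99 -> insertion string, %% -> '%',
    %n -> line break. A placeholder with no matching string is left untouched, which
    is the raw '%1' text Phil describes seeing in Event Viewer."""
    def sub(match):
        token = match.group(1)
        if token == "%":
            return "%"
        if token == "n":
            return "\n"
        index = int(token)
        return strings[index - 1] if 1 <= index <= len(strings) else match.group(0)
    return _PLACEHOLDER.sub(sub, template)


def render(record, catalog=MESSAGE_CATALOG):
    """Resolve a parsed record to display text, or None when no template is known
    (missing DLL, bad registry entry, or an ID absent from the DLL's table)."""
    template = catalog.get((record["source"], record["event_id"]))
    return None if template is None else format_message(template, record["strings"])


# Constructed sample record: a hypothetical source and event, not a real Windows event.
SAMPLE_RECORD = build_record(7, 1000, "ExampleApp", "HOST1", ["alice", "WORKSTATION7", "3"])

if __name__ == "__main__":
    rec = parse_record(SAMPLE_RECORD)
    print("insertion strings:", rec["strings"])
    print(render(rec))
```

Two practical points follow from the split the code makes. The insertion strings are the stable, machine-readable part of a record, so a log reader or SIEM should parse and correlate on them and treat the rendered message as display text only; the template text changes with DLL version and locale, and on a remote host the DLL and registry key are not available locally at all, which is the scalability problem Phil raises. When render() returns None, show the raw strings next to the event ID rather than the unresolved template, so the reviewer still sees who, where and what even when the catalog is missing.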
This archive was generated by hypermail 2.1.3 : Fri Jun 24 2005 - 09:26:56 PDT