Hello,

Did you try "logparser" from MSFT to see what it does?

http://www.microsoft.com/technet/scriptcenter/tools/logparser/default.mspx
http://www.microsoft.com/technet/scriptcenter/tools/logparser/lpfeatures.mspx

Ashish Desai
Internet Channel Security
Fidelity Investments

-----Original Message-----
From: loganalysis-bounces+ashish.desai=fmr.com@private [mailto:loganalysis-bounces+ashish.desai=fmr.com@private] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Sunday, January 07, 2007 2:39 AM
To: 'LogAnalysis'
Subject: [logs] Reviewing Vista/2k3 log files from the same platform

So I was looking at a 2k3 log file.. and I did it on my test Vista laptop... and I know and understand that Vista has new event IDs... so I'm cool with that.. what I didn't realize is that apparently I can't use the Vista MS Event viewer to open up 2k3/XP log files and review what's going on... that even such events as 529 have lost information.

1. Is my conclusion correct?
2. What are the gurus of log viewing doing to be able to read logs from XP, 2k3, Vista and ultimately Longhorn without firing up each platform?

When I'm doing a quick log file review... I just use what's native to the box. Sorry for the stupid question... but what's a better way to do this?

Log Name:      C:\Users\Susan.VISTATEST\AppData\Local\Temp\Temp1_LastNite_FWS_000.zip\1-6-07 sec.evt
Source:        Security
Date:          1/5/2007 9:18:42 PM
Event ID:      529
Task Category: Logon/Logoff
Level:         Information
Keywords:      Classic,Audit Failure
User:          SYSTEM
Computer:      ROYAL
Description:
The description for Event ID 529 from source Security cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

abc123

3
Advapi
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
ROYAL
ROYAL$
PREFERRED
(0x0,0x3E7)
1012
-
-
-

The substitution string for insert index (%1) could not be found

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Security" />
    <EventID Qualifiers="0">529</EventID>
    <Level>0</Level>
    <Task>2</Task>
    <Keywords>0x90000000000000</Keywords>
    <TimeCreated SystemTime="2007-01-06T05:18:42.000Z" />
    <EventRecordID>5968</EventRecordID>
    <Channel>C:\Users\Susan.VISTATEST\AppData\Local\Temp\Temp1_LastNite_FWS_000.zip\1-6-07 sec.evt</Channel>
    <Computer>ROYAL</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data>abc123</Data>
    <Data> </Data>
    <Data>3</Data>
    <Data>Advapi </Data>
    <Data>MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data>ROYAL</Data>
    <Data>ROYAL$</Data>
    <Data>PREFERRED</Data>
    <Data>(0x0,0x3E7)</Data>
    <Data>1012</Data>
    <Data>-</Data>
    <Data>-</Data>
    <Data>-</Data>
  </EventData>
</Event>

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
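The point of the thread is that the Vista viewer cannot resolve the 529 description for a 2k3 .evt file, but the insert strings survive in the exported Event XML in their original order. The script below is an added example (not from either poster, and not a Log Parser feature): it parses that XML with the standard library and maps the inserts back onto the named fields of the classic 529 message. The field order is assumed from the Windows 2000/2003 "Logon Failure: Unknown user name or bad password" template, and the sample is the event posted above with its long temp-file path shortened.

```python
"""Recover the named fields of a classic (pre-Vista) Security event 529 from exported Event XML."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Insert-string order of the classic 529 "Logon Failure: Unknown user name or bad
# password" message (assumed here from the Windows 2000/2003 message template).
FIELDS_529 = [
    "user_name", "domain", "logon_type", "logon_process", "authentication_package",
    "workstation_name", "caller_user_name", "caller_domain", "caller_logon_id",
    "caller_process_id", "transited_services", "source_network_address", "source_port",
]
LOGON_TYPES = {"2": "Interactive", "3": "Network", "4": "Batch", "5": "Service",
               "7": "Unlock", "8": "NetworkCleartext", "10": "RemoteInteractive"}

def parse_event(xml_text):
    """Return (event_id, computer, insert strings) from one exported <Event> element."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.find("e:EventID", NS).text)
    computer = system.find("e:Computer", NS).text
    # <Data> elements keep the original insert order even when the message DLL is absent
    inserts = [(d.text or "").strip() for d in root.findall("e:EventData/e:Data", NS)]
    return event_id, computer, inserts

def decode_529(xml_text):
    """Name the inserts of a 529 event; returns None for other IDs or a bad insert count."""
    event_id, computer, inserts = parse_event(xml_text)
    if event_id != 529 or len(inserts) != len(FIELDS_529):
        return None
    fields = dict(zip(FIELDS_529, inserts))
    fields["computer"] = computer
    fields["logon_type_name"] = LOGON_TYPES.get(fields["logon_type"], "Unknown")
    return fields

# The Event XML posted above, with the long temp-file path in <Channel> shortened.
SAMPLE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Security" /><EventID Qualifiers="0">529</EventID>
<Level>0</Level><Task>2</Task><Keywords>0x90000000000000</Keywords>
<TimeCreated SystemTime="2007-01-06T05:18:42.000Z" /><EventRecordID>5968</EventRecordID>
<Channel>1-6-07 sec.evt</Channel><Computer>ROYAL</Computer>
<Security UserID="S-1-5-18" /></System>
<EventData><Data>abc123</Data><Data> </Data><Data>3</Data><Data>Advapi </Data>
<Data>MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data><Data>ROYAL</Data><Data>ROYAL$</Data>
<Data>PREFERRED</Data><Data>(0x0,0x3E7)</Data><Data>1012</Data><Data>-</Data>
<Data>-</Data><Data>-</Data></EventData></Event>"""
if __name__ == "__main__":
    for key, value in decode_529(SAMPLE).items():
        print(f"{key:25s} {value}")
```

Run against the posted event it shows a network-type (3) failure for user abc123 via Advapi, called by ROYAL$ under logon ID (0x0,0x3E7), which is what the unrendered description was hiding.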
This archive was generated by hypermail 2.1.3 : Mon Jan 08 2007 - 09:41:55 PST