| AstaaLavista |
| (Starting to like KiXtart) |
| 2006-09-04 02:40 PM |
|
Deleting Events from the .EVT file
|
Hi,
I m back with a query
. From KiXtart, is it possible to delete an event from the event file(.evt)? If yes, please let me know how?
| Björn |
| (Korg Regular) |
| 2006-09-04 02:59 PM |
Re: Deleting Events from the .EVT file
|
is it this you're looking for?
Code:
ClearEventLog( )
Action: Clears up a Windows NT eventlog.
Syntax: CLEAREVENTLOG ("eventlog")
Parameter: Eventlog
String indicating the eventlog to clear. By default, Windows NT supports three eventlogs:
"Application", "Security" and "System". Optionally, the string can include the name of a remote system
on which to clear the log.
Returns:
0 Eventlog cleared
>0 Errorcode
See Also: BackupEventLog( ), LogEvent( )
Examples:
$rc=ClearEventLog("Application")
$rc=ClearEventLog("\\PDC\Application")
$rc=ClearEventLog("System")
| Les |
| (KiX Master) |
| 2006-09-04 03:27 PM |
|
Re: Deleting Events from the .EVT file
|
Quote:
is it possible to delete an event
He's talking about a single event, not the entire log.
| AstaaLavista |
| (Starting to like KiXtart) |
| 2006-09-04 03:28 PM |
|
|
|
Re: Deleting Events from the .EVT file
|
This deletes the entire event log which I dont want
i actually want to delete only some specific Event IDs.
| Björn |
| (Korg Regular) |
| 2006-09-04 03:33 PM |
|
Re: Deleting Events from the .EVT file
|
Oh sorry. missed that.
| Sealeopard |
| (KiX Master) |
| 2006-09-04 05:17 PM |
|
|
Re: Deleting Events from the .EVT file
|
Not that I am aware of. And that is a good thing. You don't want users to be able to delete selective events, there would be way too much room for malicious intent. What's the purpose of deleting those single events?
| AstaaLavista |
| (Starting to like KiXtart) |
| 2006-09-04 05:37 PM |
|
|
|
Re: Deleting Events from the .EVT file
|
I m currently entrusted with the responsibility of checking SECURITY event log for any malicious activity.
For e.g. Event ID 560 comes under the Failure Security log, but it is an utter useless thing. The EVT file for one day has a size of around 500 MB. Imagine my plight; so i want to automate this process.
| Sealeopard |
| (KiX Master) |
| 2006-09-04 06:04 PM |
|
|
|
Re: Deleting Events from the .EVT file
|
Then why do you not see Event IDs 560 and 562 appear many times in the security event log whether this MSKB article provides some relief:
| Les |
| (KiX Master) |
| 2006-09-04 06:12 PM |
|
Re: Deleting Events from the .EVT file
|
Use eventcomb to gather only the info you want.
| AstaaLavista |
| (Starting to like KiXtart) |
| 2006-09-04 07:07 PM |
|
|
|
Re: Deleting Events from the .EVT file
|
I wish life wud have been so easy. Just as moderator of one forum is not allowed to modify the other forum, i m not allowed to access the Domain Controller. I can get only the EVT file. I guess i will have to convert it into excel or csv (every new file after 16000 rows) to solve this problem.
Thanks Les for ur help; but EventComb wont read an EVT file.
| Les |
| (KiX Master) |
| 2006-09-04 10:26 PM |
|
Re: Deleting Events from the .EVT file
|
If you say so but I use it to scour all my DCs event logs and AFAIK they are secevent.evt files.
NTDOC
|
| (KiX Master) |
| 2006-09-04 11:19 PM |
|
|
Re: Deleting Events from the .EVT file
|
Account Lockout and Management Tools
http://www.microsoft.com/downloads/detai...;displaylang=en
Includes EventCombMT.exe Gathers specific events from event logs of several different machines to one central location.
| Mart |
| (KiX Supporter) |
| 2006-09-05 12:42 AM |
|
|
Re: Deleting Events from the .EVT file
|
Quote:
....
I can get only the EVT file. I guess i will have to convert it into excel or csv (every new file after 16000 rows) to solve this problem.
....
Maybe you can convince the person exporting the event log to a file to export it to csv (tab or comma delimited). The event logs can easily be exported like this because it is a build in option when saving the event log to a file.
Maybe this helps. Did not try it but it looks like a command line app to read .evt files.
read, write, backup, enumerate, count, clear, and display an event log
| AstaaLavista |
| (Starting to like KiXtart) |
| 2006-09-06 05:41 PM |
|
|
|
Re: Deleting Events from the .EVT file
|
Quote:
Maybe you can convince the person exporting the event log to a file to export it to csv (tab or comma delimited). The event logs can easily be exported like this because it is a build in option when saving the event log to a file.
Converting to a CSV file is not an issue. Actually the person was providing me with the CSV file; but the CSV file didnt contain the entire data. My EVT file contains more 10 million rows which is not possible to save as a CSV file. I tried to use the FILTER facility available with the event viewer, but it does not provide the NOT facility; i.e. I cant check what are the other events apart from event ID 560.
I have also checked the link, it is the same one mentioned earlier.
| Witto |
| (MM club member) |
| 2006-09-06 06:02 PM |
|
|
Re: Deleting Events from the .EVT file
|
If you open the CSV with Excel, you can choose NOT to display event ID 560
(first rename the CSV-file to something with TXT extension and do a "File --> Open" so you can choose the column separator)
| AstaaLavista |
| (Starting to like KiXtart) |
| 2006-09-06 06:06 PM |
|
|
|
Re: Deleting Events from the .EVT file
|
Friend, the problem is CSV can't hold 10 million rows.
Column containing event ID 560 will ALSO contain other IDs as well...
| Witto |
| (MM club member) |
| 2006-09-06 06:27 PM |
|
|
|
Re: Deleting Events from the .EVT file
|
Reading the file line per line and writing a new file would also be no option? I would think you could split a line and find the event on the same place in the array. If it is not 560, write the line to a new file.
Just a thought.
| Les |
| (KiX Master) |
| 2006-09-06 07:15 PM |
|
Re: Deleting Events from the .EVT file
|
Maybe you can convince the person exporting the event log to a file to export it more frequently before it becomes too large to import to Excel.
Still, it might be best to fix the root cause of all those entries so they don't fill the log in the first place.
| AstaaLavista |
| (Starting to like KiXtart) |
| 2006-09-06 07:22 PM |
|
|
|
Re: Deleting Events from the .EVT file
|
Today is my bad day
Tried copying the contents to another file... but i m getting a weird error:
"Error (317 / 13D) while retrieving error information for FFFFFFFC".
The sole link in google help points to some disussion in which Joel is involved.
| AstaaLavista |
| (Starting to like KiXtart) |
| 2006-09-06 07:42 PM |
|
|
|
Re: Deleting Events from the .EVT file
|
Following is the code: (File1.txt exists !)
Code:
BREAK ON
DEBUG ON
$InputFile = "file1.txt"
$OutputFile = "file2.txt"
$counter = 0
$Handle1 = FreeFileHandle()
$Handle2 = FreeFileHandle()
If Open($Handle2, $OutputFile,5) = 0
? "Counter value: " + $counter
Else
beep
Endif
If Open($Handle1, $InputFile,2) = 0
$x = ReadLine($Handle1)
While @ERROR = 0
$counter = $counter + 1
? "Line read: [" + $x + "]"
$y = INSTR($x, "1102")
If ($y!=0)
$z = WriteLine($Handle2,$x)
EndIf
$x = ReadLine($Handle1)
Loop
? $counter
? @SERROR
$rc=Close ($Handle1)
Else
? @SERROR
Beep
EndIf
$rc=Close($Handle2)
| AstaaLavista |
| (Starting to like KiXtart) |
| 2006-09-06 07:52 PM |
|
|
|
Re: Deleting Events from the .EVT file
|
Just to add: i m using KiXtart 4.52 !
| Witto |
| (MM club member) |
| 2006-09-06 09:03 PM |
|
|
|
Re: Deleting Events from the .EVT file
|
Is the file comma delilited or tab delimited?
I thought you were looking for event 560?
I think the EventID is on the sixth position.
I think splitting the lines would give a more certain result.
Code:
If Not Split($x,",")[5] = "560"
;If Not Split($x,Chr(9))[5] = "560" ;if TAB delimited
;Write stuff $x to file2.txt
EndIf
|
Lonkero
|
| (KiX Master Guru) |
| 2006-09-06 09:08 PM |
|
Re: Deleting Events from the .EVT file
|
Code:
$Handle1 = FreeFileHandle()
$Handle2 = FreeFileHandle()
you can't do this!
both handles are the same as you don't open the first file before querying the second handle.
| Witto |
| (MM club member) |
| 2006-09-06 11:13 PM |
|
|
|
Re: Deleting Events from the .EVT file
|
What about:
Code:
If NOT @LOGONMODE
Break ON
EndIf
Dim $SO
$SO = SetOption("Explicit","On")
$SO = SetOption("NoMacrosInStrings","On")
$SO = SetOption("NoVarsInStrings","On")
$SO = SetOption("WrapAtEOL","On")
Dim $InputFile, $OutputFile, $Handle1, $Handle2, $Line
$InputFile = "file1.txt"
$OutputFile = "file2.txt"
;Open first file for read, if fails, end code
$Handle1 = FreeFileHandle()
If Open($Handle1,$InputFile,2) = 0
;Open second file for write, if fails, close first file, end code
$Handle2 = FreeFileHandle()
If Open($Handle2,$OutputFile,5) = 0
;Read line after line until error code indicates there are no lines anymore
$Line = ReadLine($Handle1)
While @ERROR = 0
;If NOT event 560 occurred, write line to second file
If NOT Split($Line,",")[5] = "560"
$SO = WriteLine($Handle2,$Line + Chr(13) + Chr(10))
EndIf
$Line = ReadLine($Handle1)
Loop
;Close files
$SO = Close($Handle1)
$SO = Close($Handle2)
Else
$SO = Close($Handle1)
EndIf
EndIf
| AstaaLavista |
| (Starting to like KiXtart) |
| 2006-09-07 07:40 PM |
|
|
|
Re: Deleting Events from the .EVT file
|
Quote:
Is the file comma delilited or tab delimited?
I thought you were looking for event 560?
I think the EventID is on the sixth position.
I think splitting the lines would give a more certain result.
The file is tab delimited
I m actually looking for each ID individually. When the file size is reduced, it becomes easier to log.
Splitting the lines also didnt help.
actually the script is not able to read the input file; may be it because of UNICODE issue. (I used event viewer to generate a sample text file)
|
Lonkero
|
| (KiX Master Guru) |
| 2006-09-07 07:45 PM |
|
Re: Deleting Events from the .EVT file
|
so, did you fix your script or are you still using the bad syntax??
| AstaaLavista |
| (Starting to like KiXtart) |
| 2006-09-07 07:49 PM |
|
|
|
Re: Deleting Events from the .EVT file
|
i had used the code written by witto!
|
NTDOC
|
| (KiX Master) |
| 2006-09-07 09:11 PM |
|
|
|
Re: Deleting Events from the .EVT file
|
So what is wrong with using these tools from Microsoft to extract ONLY the events you want? Then there is no size issues, and there is no scrolling through a list to find them.
| AstaaLavista |
| (Starting to like KiXtart) |
| 2006-09-07 09:20 PM |
|
|
|
Re: Deleting Events from the .EVT file
|
Dear NTDOC, Microsoft tools read the event viewer & NOT the .evt file.I have been provided ONLY the .EVT file. Currently, my job is to check for specific EVENT IDs; for that i need to scan the ENTIRE .evt file.
The .evt file contains around 10 million rows (around 700 MB) making my job really difficult. I tried to extract the event info to a text file, but it was of no help; i didnt get any correct results.
It's already around 1 AM in India, need to go home....
|
Lonkero
|
| (KiX Master Guru) |
| 2006-09-07 09:46 PM |
|
Re: Deleting Events from the .EVT file
|
was just thinking...
10 million rows...
have you tried reading with the 4.53 RC-1?
there was a fix for large files in one of the builds, but can't remember which one.
| Witto |
| (MM club member) |
| 2006-09-07 10:27 PM |
|
|
|
Re: Deleting Events from the .EVT file
|
Well, I am sorry to hear my code did not work for you. I tried it on a very small comma delimited file (csv) that I extracted from my Event Viewer @home. I used KiX 4.53 RC-1.
[Edit]
I see I forgot to paste my declarations in my code, so I changed it.
So check the code I posted earlier.
Code:
Dim $InputFile, $OutputFile, $Handle1, $Handle2, $Line
$InputFile = "file1.txt"
$OutputFile = "file2.txt"
|
NTDOC
|
| (KiX Master) |
| 2006-09-08 12:03 AM |
|
|
|
Re: Deleting Events from the .EVT file
|
Well maybe Howard B will step in here and provide you some VB Dictionary code or RegEx code that might be able to do the trick.
paging HB....
|
Lonkero
|
| (KiX Master Guru) |
| 2006-09-08 08:33 AM |
|
Re: Deleting Events from the .EVT file
|
doc, that's blashemy
|
NTDOC
|
| (KiX Master) |
| 2006-09-08 11:32 AM |
|
|
|
Re: Deleting Events from the .EVT file
|
Maybe so... but we all know that as much as we love KiX there are still a couple things that other beast is better at until Ruud updates KiX to handle it.
| Witto |
| (MM club member) |
| 2006-09-08 11:46 AM |
|
|
|
Re: Deleting Events from the .EVT file
|
I saved an application log of about 2250 lines to CSV, and it is 605KB.
If your file is 10 million rows, you have a log of about 2.5GB?
Or did I make somewhere a mistake?
|
Lonkero
|
| (KiX Master Guru) |
| 2006-09-08 12:18 PM |
|
Re: Deleting Events from the .EVT file
|
doc, like said, there is an issue with kixtart handling large files.
he should try with 4.53 RC-1 if it solves his issue.
| Les |
| (KiX Master) |
| 2006-09-08 02:50 PM |
|
Re: Deleting Events from the .EVT file
|
You guys are off on a tangent. He has an .EVT file that is too big to export to Excel. Since when can KiX read an .EVT file?
Besides fixing what causes excessive events to write to the log, the best solution I can see is to export more frequently before they get too large to export.
| Witto |
| (MM club member) |
| 2006-09-08 03:26 PM |
|
|
|
Re: Deleting Events from the .EVT file
|
AstaaLavista,
It was exported to txt format (tab delimited) like you said in post #167321, wasn't it?
| AstaaLavista |
| (Starting to like KiXtart) |
| 2006-09-08 06:49 PM |
|
|
|
Re: Deleting Events from the .EVT file
|
hmmm, sorry guys for the that mistake. Actually it is around 1-3 million rows. i was really sleepy & so added the EXTRA zero...
yeah Witto , i tried with the formats - txt format (tab delimited) but of no help...
Les: Actually huge logs are being generated due to some nonsense things done by some folks. the net guys are not ready to make any corresponding changes to their policy, they have simply ask me to bear with it...
currently, i m doing the process manually... once our audit is complete (5 days), i will definitely write an application that will help me & others to read an .EVT file.
|
Lonkero
|
| (KiX Master Guru) |
| 2006-09-08 06:57 PM |
|
Re: Deleting Events from the .EVT file
|
astaalavista, so did you or did you not try with the new kixtart RC?!?!?!?!?!?!?!?!
| AstaaLavista |
| (Starting to like KiXtart) |
| 2006-09-08 07:25 PM |
|
|
|
Re: Deleting Events from the .EVT file
|
Yes Sir, i tried with the new kixtart 4.53 RC1 & i failed
| Witto |
| (MM club member) |
| 2006-09-08 07:29 PM |
|
|
|
Re: Deleting Events from the .EVT file
|
I think Astaa said my script failed most probably because the file he has is UNICODE format. Does anyone know about a UNICODE to ANSI convertor?
I think there is WiToAnsi.vbs in Windows® Server 2003 R2 Platform SDK Full Download
|
Lonkero
|
| (KiX Master Guru) |
| 2006-09-08 08:03 PM |
|
Re: Deleting Events from the .EVT file
|
just shell out:
Code:
shell "%comspec% /c type theFile.txt > theFileInANSI.txt"
| Witto |
| (MM club member) |
| 2006-09-08 09:40 PM |
|
|
|
Re: Deleting Events from the .EVT file
|
Whaaw, simple as that?
Astaa...???
Code:
If NOT @LOGONMODE
Break ON
EndIf
Dim $SO
$SO = SetOption("Explicit","On")
$SO = SetOption("NoMacrosInStrings","On")
$SO = SetOption("NoVarsInStrings","On")
$SO = SetOption("WrapAtEOL","On")
Dim $InputFile, $OutputFile, $Handle1, $Handle2, $Line
$InputFile = "file1.txt"
$OutputFile = "file2.txt"
;Open first file for read, if fails, end code
$Handle1 = FreeFileHandle()
If Open($Handle1,$InputFile,2) = 0
;Open second file for write, if fails, close first file, end code
$Handle2 = FreeFileHandle()
If Open($Handle2,$OutputFile,5) = 0
;Read line after line until error code indicates there are no lines anymore
$Line = ReadLine($Handle1)
While @ERROR = 0
;If NOT event 560 occurred, write line to second file
If NOT Split($Line,",")[5] = "560"
$SO = WriteLine($Handle2,$Line + Chr(13) + Chr(10))
EndIf
$Line = ReadLine($Handle1)
Loop
;Close files
$SO = Close($Handle1)
$SO = Close($Handle2)
Else
$SO = Close($Handle1)
? "Error opening File2"
? "Error " + @ERROR + ": " + @SERROR
EndIf
Else
? "Error opening File1"
? "Error " + @ERROR + ": " + @SERROR
EndIf
| AstaaLavista |
| (Starting to like KiXtart) |
| 2006-09-09 05:59 PM |
|
|
|
Re: Deleting Events from the .EVT file
|
Thanks to everybody for their help
Unfortunately, i will have to do the entire process manually. Exported info from Event Viewer does not contain the description section
which means I have to check each & every event row for the description. There is some respite however. Open the evt file in the event viewer - set a FILTER in the properties tab - it will take some to display the result!
| AstaaLavista |
| (Starting to like KiXtart) |
| 2006-09-11 06:22 PM |
|
|
|
Re: Deleting Events from the .EVT file
|
Hey Guys, i have got some breakthrough.... if this works then the entire process can be automated.
There is a eventquery.vbs script in Windows\System32 folder which can be used for capturing specific event related information. I was able to retrieve event info on my computer, i.e. from my local eventviewer.
here is the code written in a batch file...(sorry i cud not complete in KiXtart)
CD %~dp0
cscript eventquery.vbs /v /FI "Id eq 517" /FO CSV /l Security > 517.csv
cscript eventquery.vbs /v /FI "Id eq 528" /FO CSV /l Security > 528.csv
Following code prints at the screen
Code:
SHELL 'cscript eventquery.vbs /v /FI "Id eq 517" /FO CSV /l Security'
In the event viewer there is a provision for adding an EVT file as well.
eventquery also takes a USER DEFINED LOG as an input...(i m really happy about this...
)so i created this registry value:
HKLM\System\CurrentControlSet\Services\EventLog\
REG_SZ and with the value
After doing this, I cud see an entry in Event viewer along with Application, System & Security. But unfortunately the following command still doesnt work:
cscript eventquery.vbs /l
Has anybody tried the above ???
|
Lonkero
|
| (KiX Master Guru) |
| 2006-09-11 06:47 PM |
|
Re: Deleting Events from the .EVT file
|
how about:
http://www.sysinternals.com/Utilities/PsLogList.html
it can dump the contest of previously saved file... has filter/exclude switches etc...
| AstaaLavista |
| (Starting to like KiXtart) |
| 2006-09-11 07:03 PM |
|
|
|
Re: Deleting Events from the .EVT file
|
Dear Joel, it does not read EVT files; secondly my stupid company wont allow a freeware because of the audit....
|
Lonkero
|
| (KiX Master Guru) |
| 2006-09-11 07:16 PM |
|
Re: Deleting Events from the .EVT file
|
sorry but it does.
-l switch.
| AstaaLavista |
| (Starting to like KiXtart) |
| 2006-09-11 07:29 PM |
|
|
|
Re: Deleting Events from the .EVT file
|
The software crashes for an EVT file of size > 500 MB....
|
Lonkero
|
| (KiX Master Guru) |
| 2006-09-11 08:22 PM |
|
Re: Deleting Events from the .EVT file
|
k, that's better excuse
| Sealeopard |
| (KiX Master) |
| 2006-09-12 06:05 AM |
|
|
|
Re: Deleting Events from the .EVT file
|
What about the ReadEventlog() - Retrieves event from the eventlog UDF. If you can get the log into the event viewer the UDF might also be able to access it.
| AstaaLavista |
| (Starting to like KiXtart) |
| 2006-09-12 12:31 PM |
|
|
|
Re: Deleting Events from the .EVT file
|
Jens, ReadEventlog() WONT be of any help, since i m reading an imported evt file. ReadEventlog can read only the Defined types - i.e. Application, Security & System. If the event file name is different, it does not read that event file.