Hi, I'm back with a query. From KiXtart, is it possible to delete an event from the event file (.evt)? If yes, please let me know how.

Is it this you're looking for?
Code:

Quote: He's talking about a single event, not the entire log.

This deletes the entire event log, which I don't want. I actually want to delete only some specific Event IDs.

Oh sorry, missed that.

Not that I am aware of. And that is a good thing. You don't want users to be able to delete selective events, there would be way too much room for malicious intent. What's the purpose of deleting those single events?

I'm currently entrusted with the responsibility of checking the SECURITY event log for any malicious activity. For e.g. Event ID 560 comes under the Failure Security log, but it is an utterly useless thing. The EVT file for one day has a size of around 500 MB. Imagine my plight; so I want to automate this process.

Then why do you not see whether this MSKB article provides some relief: "Event IDs 560 and 562 appear many times in the security event log"

Use eventcomb to gather only the info you want.

I wish life would have been so easy. Just as a moderator of one forum is not allowed to modify the other forum, I'm not allowed to access the Domain Controller. I can get only the EVT file. I guess I will have to convert it into Excel or CSV (every new file after 16000 rows) to solve this problem. Thanks Les for your help; but EventComb won't read an EVT file.

If you say so, but I use it to scour all my DCs' event logs and AFAIK they are secevent.evt files.

Account Lockout and Management Tools
http://www.microsoft.com/downloads/detai...;displaylang=en
Includes EventCombMT.exe: gathers specific events from event logs of several different machines to one central location.

Quote: Maybe you can convince the person exporting the event log to a file to export it to csv (tab or comma delimited). The event logs can easily be exported like this because it is a built-in option when saving the event log to a file. Maybe this helps. Did not try it, but it looks like a command line app to read .evt files: read, write, backup, enumerate, count, clear, and display an event log.

Quote: Converting to a CSV file is not an issue. Actually the person was providing me with the CSV file; but the CSV file didn't contain the entire data. My EVT file contains more than 10 million rows, which is not possible to save as a CSV file. I tried to use the FILTER facility available with the event viewer, but it does not provide the NOT facility; i.e. I can't check what the other events are apart from event ID 560. I have also checked the link, it is the same one mentioned earlier.

If you open the CSV with Excel, you can choose NOT to display event ID 560 (first rename the CSV file to something with a TXT extension and do a "File --> Open" so you can choose the column separator).

Friend, the problem is CSV can't hold 10 million rows. The column containing event ID 560 will ALSO contain other IDs as well...

Reading the file line by line and writing a new file would also be no option? I would think you could split a line and find the event in the same place in the array. If it is not 560, write the line to a new file. Just a thought.

Maybe you can convince the person exporting the event log to a file to export it more frequently before it becomes too large to import to Excel. Still, it might be best to fix the root cause of all those entries so they don't fill the log in the first place.

Today is my bad day. Tried copying the contents to another file... but I'm getting a weird error: "Error (317 / 13D) while retrieving error information for FFFFFFFC". The sole link in Google help points to some discussion in which Joel is involved.

Following is the code (File1.txt exists!):
Code:

Just to add: I'm using KiXtart 4.52!

Is the file comma delimited or tab delimited? I thought you were looking for event 560? I think the EventID is in the sixth position. I think splitting the lines would give a more certain result.
Code:

Code:
You can't do this! Both handles are the same, as you don't open the first file before querying the second handle.

What about:
Code:

Quote: The file is tab delimited. I'm actually looking for each ID individually. When the file size is reduced, it becomes easier to log. Splitting the lines also didn't help. Actually the script is not able to read the input file; maybe it is because of a UNICODE issue. (I used Event Viewer to generate a sample text file.)

So, did you fix your script or are you still using the bad syntax??

I had used the code written by Witto!

So what is wrong with using these tools from Microsoft to extract ONLY the events you want? Then there are no size issues, and there is no scrolling through a list to find them.

Dear NTDOC, Microsoft tools read the event viewer & NOT the .evt file. I have been provided ONLY the .EVT file. Currently, my job is to check for specific EVENT IDs; for that I need to scan the ENTIRE .evt file. The .evt file contains around 10 million rows (around 700 MB), making my job really difficult. I tried to extract the event info to a text file, but it was of no help; I didn't get any correct results. It's already around 1 AM in India, need to go home....

Was just thinking... 10 million rows... have you tried reading with the 4.53 RC-1? There was a fix for large files in one of the builds, but I can't remember which one.

Well, I am sorry to hear my code did not work for you. I tried it on a very small comma delimited file (csv) that I extracted from my Event Viewer at home. I used KiX 4.53 RC-1. [Edit] I see I forgot to paste my declarations in my code, so I changed it. So check the code I posted earlier.
Code:

Well maybe Howard B will step in here and provide you some VB Dictionary code or RegEx code that might be able to do the trick. Paging HB....

doc, that's blasphemy

Maybe so... but we all know that as much as we love KiX there are still a couple of things that other beast is better at, until Ruud updates KiX to handle it.

I saved an application log of about 2250 lines to CSV, and it is 605KB. If your file is 10 million rows, you have a log of about 2.5GB? Or did I make a mistake somewhere?

doc, like I said, there is an issue with KiXtart handling large files. He should try with 4.53 RC-1 and see if it solves his issue.

You guys are off on a tangent. He has an .EVT file that is too big to export to Excel. Since when can KiX read an .EVT file? Besides fixing what causes excessive events to write to the log, the best solution I can see is to export more frequently before they get too large to export.

AstaaLavista, it was exported to txt format (tab delimited) like you said in post #167321, wasn't it?

Hmmm, sorry guys for that mistake. Actually it is around 1-3 million rows. I was really sleepy & so added the EXTRA zero... Yeah Witto, I tried with the formats - txt format (tab delimited) but of no help... Les: Actually huge logs are being generated due to some nonsense things done by some folks. The net guys are not ready to make any corresponding changes to their policy; they have simply asked me to bear with it... Currently, I'm doing the process manually... Once our audit is complete (5 days), I will definitely write an application that will help me & others to read an .EVT file.

astaalavista, so did you or did you not try with the new KiXtart RC?!?!?!?!?!?!?!?!

Yes Sir, I tried with the new KiXtart 4.53 RC1 & I failed.

I think Astaa said my script failed most probably because the file he has is in UNICODE format. Does anyone know about a UNICODE to ANSI converter? I think there is WiToAnsi.vbs in the Windows® Server 2003 R2 Platform SDK Full Download.

Just shell out:
Code:

Whaaw, simple as that? Astaa...???
Code:

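As an added example (not code from this thread or from KiXtart), here is the line-by-line filter that witto describes and the Unicode problem that broke it, handled together in Python: the export's byte-order mark decides the codec (Event Viewer's "Unicode" text export is UTF-16 with a BOM), each row is split on the delimiter, and rows are kept or dropped by Event ID. It assumes the Event ID is the sixth column of a tab-delimited export and that an export with no BOM is ANSI (cp1252); the sample rows are constructed, not real log data.

```python
import codecs
from collections import Counter
# 0-based index of the Event ID in an Event Viewer tab-delimited export. Assumed
# column order (the "sixth position" mentioned in the thread):
# Date, Time, Source, Type, Category, Event, User, Computer
EVENT_ID_COLUMN = 5

def detect_encoding(data: bytes) -> str:
    """Pick a codec from the byte-order mark: Event Viewer's "Unicode" text export
    is UTF-16 with a BOM (what breaks a byte-oriented reader); ANSI has none."""
    if data.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return "utf-16"      # the utf-16 codec consumes the BOM itself
    if data.startswith(codecs.BOM_UTF8):
        return "utf-8-sig"
    return "cp1252"          # assumption: an ANSI (Western) export

def filter_events(raw: bytes, keep_ids=None, drop_ids=frozenset({"560"}), sep="\t"):
    """Select rows by Event ID: only keep_ids when given, else everything not in
    drop_ids. Returns (kept_rows, id_counts) so the other IDs are visible too."""
    kept, counts = [], Counter()
    for line in raw.decode(detect_encoding(raw)).splitlines():
        if not line.strip():
            continue
        fields = line.split(sep)
        if len(fields) <= EVENT_ID_COLUMN:
            kept.append(line)   # short or continuation row: keep, never drop silently
            continue
        event_id = fields[EVENT_ID_COLUMN].strip()
        counts[event_id] += 1
        wanted = event_id in keep_ids if keep_ids is not None else event_id not in drop_ids
        if wanted:
            kept.append(line)
    return kept, counts

def write_filtered(src_path: str, dst_path: str, **kwargs) -> Counter:
    """Filter an export on disk and write the survivors as ANSI text."""
    with open(src_path, "rb") as f:
        kept, counts = filter_events(f.read(), **kwargs)
    with open(dst_path, "w", encoding="cp1252", newline="\r\n") as f:
        f.write("\n".join(kept) + "\n")
    return counts

# Constructed sample rows (not real log data), stored the way Event Viewer's
# "Unicode" text export stores them: UTF-16 LE with a BOM, CRLF line ends.
SAMPLE_ROWS = [
    "01/14/2007\t09:01:02\tSecurity\tSuccess Audit\tObject Access\t560\tNT AUTHORITY\\SYSTEM\tDC01",
    "01/14/2007\t09:01:03\tSecurity\tFailure Audit\tLogon/Logoff\t529\tjdoe\tDC01",
    "01/14/2007\t09:01:04\tSecurity\tSuccess Audit\tObject Access\t562\tNT AUTHORITY\\SYSTEM\tDC01",
    "01/14/2007\t09:01:05\tSecurity\tSuccess Audit\tLogon/Logoff\t528\tjdoe\tDC01",
]
SAMPLE_UNICODE = codecs.BOM_UTF16_LE + "\r\n".join(SAMPLE_ROWS).encode("utf-16-le")
```

`filter_events(SAMPLE_UNICODE)` drops the 560 row and reports the other IDs seen, which is the "NOT 560" view the Event Viewer filter cannot give; pass `keep_ids={"528", "529"}` to pull out single IDs instead, and `write_filtered` streams a whole export from disk the same way.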
Thanks to everybody for their help. Unfortunately, I will have to do the entire process manually. Exported info from Event Viewer does not contain the description section, which means I have to check each & every event row for the description. There is some respite however. Open the evt file in the Event Viewer - set a FILTER in the properties tab - it will take some time to display the result!

Hey Guys, I have got some breakthrough.... If this works then the entire process can be automated. There is an eventquery.vbs script in the Windows\System32 folder which can be used for capturing specific event related information. I was able to retrieve event info on my computer, i.e. from my local Event Viewer. Here is the code written in a batch file... (sorry I could not complete it in KiXtart)

CD %~dp0
cscript eventquery.vbs /v /FI "Id eq 517" /FO CSV /l Security > 517.csv
cscript eventquery.vbs /v /FI "Id eq 528" /FO CSV /l Security > 528.csv

The following code prints to the screen:
Code:

In the Event Viewer there is a provision for adding an EVT file as well. eventquery also takes a USER DEFINED LOG as an input... (I'm really happy about this...) So I created this registry value: HKLM\System\CurrentControlSet\Services\EventLog\ REG_SZ and with the value. After doing this, I could see an entry in Event Viewer along with Application, System & Security. But unfortunately the following command still doesn't work:

cscript eventquery.vbs /l

Has anybody tried the above???

How about: http://www.sysinternals.com/Utilities/PsLogList.html
It can dump the contents of a previously saved file... has filter/exclude switches etc...

Dear Joel, it does not read EVT files; secondly my stupid company won't allow freeware because of the audit....

Sorry, but it does. -l switch.

The software crashes for an EVT file of size > 500 MB....

k, that's a better excuse

What about the ReadEventlog() - Retrieves event from the eventlog UDF? If you can get the log into the Event Viewer, the UDF might also be able to access it.

Jens, ReadEventlog() WON'T be of any help, since I'm reading an imported evt file. ReadEventlog can read only the defined types - i.e. Application, Security & System. If the event file name is different, it does not read that event file.