#166842 - 2006-09-08 07:25 PM Re: Deleting Events from the .EVT file
AstaaLavista Offline
Starting to like KiXtart

Registered: 2005-08-11
Posts: 111
Loc: Gujarat, India.
Yes Sir, I tried with the new KiXtart 4.53 RC1 & I failed.
Top
#166843 - 2006-09-08 07:29 PM Re: Deleting Events from the .EVT file
Witto Offline
MM club member
*****

Registered: 2004-09-29
Posts: 1828
Loc: Belgium
I think Astaa said my script failed most probably because the file he has is in UNICODE format. Does anyone know about a UNICODE to ANSI converter?
I think there is WiToAnsi.vbs in Windows® Server 2003 R2 Platform SDK Full Download

Top
#166844 - 2006-09-08 08:03 PM Re: Deleting Events from the .EVT file
Lonkero Administrator Offline
KiX Master Guru
*****

Registered: 2001-06-05
Posts: 22346
Loc: OK

just shell out:
Code:

shell "%comspec% /c type theFile.txt > theFileInANSI.txt"


Top
#166845 - 2006-09-08 09:40 PM Re: Deleting Events from the .EVT file
Witto Offline
MM club member
*****

Registered: 2004-09-29
Posts: 1828
Loc: Belgium
Whaaw, simple as that?
Astaa...???
Code:

If NOT @LOGONMODE
    Break ON
EndIf
Dim $SO
$SO = SetOption("Explicit","On")
$SO = SetOption("NoMacrosInStrings","On")
$SO = SetOption("NoVarsInStrings","On")
$SO = SetOption("WrapAtEOL","On")

Dim $InputFile, $OutputFile, $Handle1, $Handle2, $Line
$InputFile = "file1.txt"
$OutputFile = "file2.txt"

;Open first file for read, if fails, end code
$Handle1 = FreeFileHandle()
If Open($Handle1,$InputFile,2) = 0
    ;Open second file for write, if fails, close first file, end code
    $Handle2 = FreeFileHandle()
    If Open($Handle2,$OutputFile,5) = 0
        ;Read line after line until error code indicates there are no lines anymore
        $Line = ReadLine($Handle1)
        While @ERROR = 0
            ;If NOT event 560 occurred, write line to second file
            ;(parentheses make the comparison happen before the NOT)
            If NOT (Split($Line,",")[5] = "560")
                $SO = WriteLine($Handle2,$Line + Chr(13) + Chr(10))
            EndIf
            $Line = ReadLine($Handle1)
        Loop
        ;Close files
        $SO = Close($Handle1)
        $SO = Close($Handle2)
    Else
        $SO = Close($Handle1)
        ? "Error opening File2"
        ? "Error " + @ERROR + ": " + @SERROR
    EndIf
Else
    ? "Error opening File1"
    ? "Error " + @ERROR + ": " + @SERROR
EndIf


Top
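Added example (not part of the thread and not any poster's code): the same "drop event 560" filter in Python, choosing the decoder from the file's byte-order mark so a Unicode export needs no separate conversion step, and using a CSV parser so a quoted comma cannot shift the event ID column. The sample rows, the column layout (event ID at index 5, as in the script above) and the cp1252 fallback for ANSI files are assumptions.

```python
import codecs
import csv
import io

def decode_export(raw: bytes) -> str:
    """Decode an exported log, using the byte-order mark to pick the encoding."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")            # BOM selects the byte order
    if raw.startswith(codecs.BOM_UTF8):
        return raw.decode("utf-8-sig")
    # No BOM: assume an ANSI export (cp1252 is an assumption, adjust per locale)
    return raw.decode("cp1252", errors="replace")

def drop_event(raw: bytes, event_id: str = "560", column: int = 5) -> list:
    """Parse the export as CSV and return the rows whose event ID differs."""
    kept = []
    for row in csv.reader(io.StringIO(decode_export(raw), newline="")):
        if not row:
            continue                            # skip blank lines
        if len(row) > column and row[column].strip() == event_id:
            continue                            # the event being filtered out
        kept.append(row)                        # short rows are kept, not lost
    return kept

def naive_drop(text: str, event_id: str = "560", column: int = 5) -> list:
    """Plain split on ',' for comparison: quoted commas shift the columns."""
    kept = []
    for line in text.splitlines():
        fields = line.split(",")
        if len(fields) > column and fields[column] == event_id:
            continue
        kept.append(line)
    return kept

# Constructed sample rows: Type, Date, Time, Source, Category, Event, User, Computer
ROWS = [
    'Success Audit,9/8/2006,7:25:01 PM,Security,Object Access,560,DOM\\user1,PC01',
    'Success Audit,"Sep 8, 2006",7:25:02 PM,Security,Object Access,560,DOM\\user1,PC01',
    'Success Audit,9/8/2006,7:25:03 PM,Security,Logon/Logoff,528,DOM\\user1,PC01',
    'truncated line',
]
SAMPLE_TEXT = "\r\n".join(ROWS)
SAMPLE_UTF16 = SAMPLE_TEXT.encode("utf-16")     # BOM + UTF-16, like a Unicode export

if __name__ == "__main__":
    for row in drop_event(SAMPLE_UTF16):
        print(row)
    print(len(naive_drop(SAMPLE_TEXT)), "rows kept by the naive split")
```

The second sample row carries a quoted comma in its date field, so the plain split keeps it even though it is a 560 event; the CSV parser drops it.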
#166846 - 2006-09-09 05:59 PM Re: Deleting Events from the .EVT file
AstaaLavista Offline
Starting to like KiXtart

Registered: 2005-08-11
Posts: 111
Loc: Gujarat, India.
Thanks to everybody for their help

Unfortunately, I will have to do the entire process manually. Exported info from Event Viewer does not contain the description section which means I have to check each & every event row for the description. There is some respite however. Open the evt file in the event viewer - set a FILTER in the properties tab - it will take some time to display the result!

Top
#166847 - 2006-09-11 06:22 PM Re: Deleting Events from the .EVT file
AstaaLavista Offline
Starting to like KiXtart

Registered: 2005-08-11
Posts: 111
Loc: Gujarat, India.
Hey Guys, I have got some breakthrough.... if this works then the entire process can be automated.

There is an eventquery.vbs script in the Windows\System32 folder which can be used for capturing specific event related information. I was able to retrieve event info on my computer, i.e. from my local Event Viewer.

Here is the code written in a batch file... (sorry, I could not complete it in KiXtart)

CD %~dp0
cscript eventquery.vbs /v /FI "Id eq 517" /FO CSV /l Security > 517.csv
cscript eventquery.vbs /v /FI "Id eq 528" /FO CSV /l Security > 528.csv

The following code prints to the screen:
Code:

SHELL 'cscript eventquery.vbs /v /FI "Id eq 517" /FO CSV /l Security'



In the event viewer there is a provision for adding an EVT file as well.
eventquery also takes a USER DEFINED LOG as an input... (I'm really happy about this...)
So I created this registry value:

HKLM\System\CurrentControlSet\Services\EventLog\\File with type
REG_SZ and with the value

After doing this, I could see an entry in Event Viewer along with Application, System & Security. But unfortunately the following command still doesn't work:

cscript eventquery.vbs /l . If this works then any STANDALONE EVT file can be queried directly.
Has anybody tried the above ???

Top
#166848 - 2006-09-11 06:47 PM Re: Deleting Events from the .EVT file
Lonkero Administrator Offline
KiX Master Guru
*****

Registered: 2001-06-05
Posts: 22346
Loc: OK
how about:
http://www.sysinternals.com/Utilities/PsLogList.html

it can dump the contents of a previously saved file... has filter/exclude switches etc...

Top
#166849 - 2006-09-11 07:03 PM Re: Deleting Events from the .EVT file
AstaaLavista Offline
Starting to like KiXtart

Registered: 2005-08-11
Posts: 111
Loc: Gujarat, India.
Dear Joel, it does not read EVT files; secondly my stupid company won't allow a freeware because of the audit....
Top
#166850 - 2006-09-11 07:16 PM Re: Deleting Events from the .EVT file
Lonkero Administrator Offline
KiX Master Guru
*****

Registered: 2001-06-05
Posts: 22346
Loc: OK
sorry but it does.
-l switch.

Top
#166851 - 2006-09-11 07:29 PM Re: Deleting Events from the .EVT file
AstaaLavista Offline
Starting to like KiXtart

Registered: 2005-08-11
Posts: 111
Loc: Gujarat, India.
The software crashes for an EVT file of size > 500 MB....
Top
#166852 - 2006-09-11 08:22 PM Re: Deleting Events from the .EVT file
Lonkero Administrator Offline
KiX Master Guru
*****

Registered: 2001-06-05
Posts: 22346
Loc: OK
k, that's better excuse
Top
#166853 - 2006-09-12 06:05 AM Re: Deleting Events from the .EVT file
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11164
Loc: Boston, MA, USA
What about the ReadEventlog() - Retrieves event from the eventlog UDF. If you can get the log into the event viewer the UDF might also be able to access it.
_________________________
There are two types of vessels, submarines and targets.

Top
#166854 - 2006-09-12 12:31 PM Re: Deleting Events from the .EVT file
AstaaLavista Offline
Starting to like KiXtart

Registered: 2005-08-11
Posts: 111
Loc: Gujarat, India.
Jens, ReadEventlog() WON'T be of any help, since I'm reading an imported evt file. ReadEventlog can read only the defined types - i.e. Application, Security & System. If the event file name is different, it does not read that event file.
Top