Re: NT Log Files

["Dave Gillett" <davidg () genmagic com>]

On 30 Jul 99, at 12:36, Marcus J. Ranum wrote:

> > A while back there was a thread started by MJR, I believe, that included
> > discussion of NT log files and the possible ways to monitor them.  I
> > searched the archive for info, but was unable to locate the thread.
>
> Short summary:
>       I got the O'Reilly book on NT logging and read it.
>
>       It turns out that NT logs are stored with application specific
>               codings based on the DLLs that are installed on the
>               system generating the logs. This is done for
>               internationalization, so it makes sense but it's a pain.
>               The only way to "resolve" the coded logs into text reliably
>               is to do it on the machine where the logs were generated.
>               My idea had been to push the logs to someplace else and
>               then process them en masse. No dice.

  Since the log records include "source name" and "event number" fields, it's 
not aboslutely necessary to resolve these back to textual messages in order 
to store or summarize them -- and, in fact, doing so produces a whole lot of 
redundant text which (luckily) will compress fairly well.
 
>       There is a tool out there that resolves the logs into text
>               and pushes them to "loghost" via UNIX syslog calls.
>               There are a couple versions of such things floating
>               around. One is http://www.adiscon.com/EvntSLog/main.asp

  Someone has already mentioned the "dumpel" tool that comes in the resource 
kit.  AT one point, we licensed a product called "dumpevt" which claims to 
correct several deficiencies in "dumpel"; with a small suite of batch files, 
that covered us until we were able to get around to writing our own tool.
 
>       There is a syslogd for NT http://www.netal.com/SL4NT03.htm

  Version 1.1 stopped working when we installed SP5 on that server, but 
upgrading to 1.3 fixed it.


David G