Firewall Wizards mailing list archives

Re: NT log file format?


From: davi () nconnect net
Date: Thu, 25 Mar 1999 21:36:12 -0600

Ryan Russell wrote:

Anyone got any pointers to C code for dissecting NT log
file formats under UNIX? Or is that pretty much an insane/inane
idea?

The hard part about NT log files is that the event ID is stored
as a number, and that number is pulled out of files on the NT
box when it's viewed.  

Don't know if this helps:

Frank Heyne (http://www.heysoft.de/index.htm) wrote several utils to
handle NT event logs (and more). For example, Elwiz does snapshots of
logs and exports them to a tab-delimited file:

No.   Comp     Source    Type         Event_ID   TimeGenerated     TimeWritten       SID          Account
1626  THISTLE  Perflib   Error        1008       2/13/99 23:16:00  2/13/99 23:16:00                            4     2
1627  THISTLE  DrWatson  Information  4097       2/13/99 23:16:05  2/13/99 23:16:05                            9179  11
1629  THISTLE  Winlogon  Information  1002       2/14/99 00:41:33  2/14/99 00:41:33  S-x-x-x-x-x  S-x-x-x-x-x  0     1

A service called EventWatcher can also be installed to notify Elwiz of
live events, including remote machines.
The event ID is not always there -- time stamp is often substituted.

Elwiz documentation:
<doc>
To watch the Security log with Elwiz, you must meet some conditions.
They depend on the version of the file
%systemroot%\system32\eventlog.dll. If this file is from 1997 or
earlier, all members of the Administrators group have access to the
Security log and may save and clean it, regardless of assigned
privileges. If the file eventlog.dll is from 1998 or later, only
accounts with the privilege "Manage auditing and security log" do have
access to the Security log, regardless of their group membership.

Elwiz will fail to save and clean logs if your account does not have
"Change" permissions for the three files
%systemroot%\system32\config\*.evt, too!

The EventWatcher service on every machine must run with an account which
meets the right conditions, otherwise the communication will fail! 
</doc>
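As an added example (not code from the post, from Elwiz or from Heysoft), a small Python reader for the tab-delimited snapshot format quoted above: it turns each row into a record, treats an empty SID/Account as absent, keeps the two trailing fields whose column names were cut off in the quote, and tallies events by (Source, Event_ID), which is the only stable key a UNIX-side reader has while the message text still lives in DLLs on the NT box. The sample rows are the three from the post re-typed with tabs; the names of the two trailing columns are not assumed.

```python
import csv
from collections import Counter
from datetime import datetime

# Column names as printed in the Elwiz export quoted above. The rows carry
# two more trailing fields whose names were cut off; kept as "extra".
ELWIZ_COLUMNS = ["No.", "Comp", "Source", "Type", "Event_ID",
                 "TimeGenerated", "TimeWritten", "SID", "Account"]
TIME_FORMAT = "%m/%d/%y %H:%M:%S"   # two-digit year, as in the export

# Constructed sample: the three rows from the post re-typed as the
# tab-delimited text Elwiz writes; an empty SID/Account is an empty field.
SAMPLE_EXPORT = "\n".join([
    "\t".join(ELWIZ_COLUMNS),
    "1626\tTHISTLE\tPerflib\tError\t1008\t2/13/99 23:16:00\t2/13/99 23:16:00\t\t\t4\t2",
    "1627\tTHISTLE\tDrWatson\tInformation\t4097\t2/13/99 23:16:05\t2/13/99 23:16:05\t\t\t9179\t11",
    "1629\tTHISTLE\tWinlogon\tInformation\t1002\t2/14/99 00:41:33\t2/14/99 00:41:33\tS-x-x-x-x-x\tS-x-x-x-x-x\t0\t1",
])

def parse_elwiz_export(text):
    """Parse a tab-delimited Elwiz snapshot into a list of dicts: ints for
    No./Event_ID, datetimes for the timestamps, None for an empty SID/Account."""
    records = []
    for lineno, row in enumerate(csv.reader(text.splitlines(), delimiter="\t"), 1):
        if not row or row[0] == "No.":          # blank line or header row
            continue
        if len(row) < len(ELWIZ_COLUMNS):       # truncated line: fail loudly
            raise ValueError("line %d: expected at least %d fields, got %d"
                             % (lineno, len(ELWIZ_COLUMNS), len(row)))
        rec = dict(zip(ELWIZ_COLUMNS, row))
        rec["No."] = int(rec["No."])
        rec["Event_ID"] = int(rec["Event_ID"])
        for key in ("TimeGenerated", "TimeWritten"):
            rec[key] = datetime.strptime(rec[key], TIME_FORMAT)
        rec["SID"] = rec["SID"] or None         # no principal recorded
        rec["Account"] = rec["Account"] or None
        rec["extra"] = row[len(ELWIZ_COLUMNS):]  # unnamed trailing fields
        records.append(rec)
    return records

def count_by_source_and_id(records):
    """Tally (Source, Event_ID) pairs; without the message DLLs from the NT
    box this pair is the only stable key a UNIX-side reader has."""
    return Counter((r["Source"], r["Event_ID"]) for r in records)

def errors(records):
    """Records of Type Error, oldest first by TimeGenerated."""
    return sorted((r for r in records if r["Type"] == "Error"),
                  key=lambda r: r["TimeGenerated"])
```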
