Firewall Wizards mailing list archives
Re: NT log file format?
From: sedwards () sedwards com
Date: Thu, 25 Mar 1999 15:36:31 -0800 (PST)
The formatting string (which resembles a printf format specifier) is part of the resources of the application. Usually they are "linked" into the executable when the application is built. Without access to the resources, the event viewer displays something vaguely like: The application logged an event, but I don't know how to display it for you, so here are the strings, go figure it out for yourself :)

The connection between the event viewer and the resources is via the registry. Here is the regedit merge file I wrote for one of my applications:

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\aboxsvc]
    "EventMessageFile"="c:\\aboxsvc\\aboxsvc.exe"
    "TypesSupported"=dword:00000007

Since you are trying to dissect the file on Unix, you obviously won't have the resources or the registry. Hardcoding by trial and error, making up your own format specifiers like "Duplicate IP address %1 detected with MAC %2", sounds like the row you're going to have to hoe :)

On Thu, 25 Mar 1999, Ryan Russell wrote:
> Anyone got any pointers to C code for dissecting NT log file formats under UNIX? Or is that pretty much an insane/inane idea?
>
> The hard part about NT log files is that the event ID is stored as a number, and that number is pulled out of files on the NT box when it's viewed. So for example, if you install an application that logs to one of the NT logs, it will also install the files that are used to look up event IDs in. The end result is that if one views the logs elsewhere, one doesn't always get a description of what the event is, because those files aren't on the system where the logs are being viewed. This makes it challenging to view logs on a different NT box, let alone a unix box. If you're looking at a limited set of events, you could make your own map by hand.
>
> Ryan
>
> Thanks in advance,

------------------------------------------------------------------------
Steve Edwards                                  sedwards () sedwards com
Voice: +1-760-723-2727 PST
Newline Pager: +1-760-740-1220
Fax: +1-760-731-3000
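As an added example (not code from this thread, nor from Steve's aboxsvc), here is a small Python script doing the Unix-side version of what the two messages above describe: it pulls the EventMessageFile and TypesSupported values out of a REGEDIT4 merge file like the one quoted, and renders an event record from a hand-built (source, event ID) to template map, substituting %1, %2, ... with the record's insertion strings and falling back to just listing the strings when the ID is unknown, much as Event Viewer does without the message file. Event ID 1001, the sample insertion strings and the fallback wording are constructed assumptions; the TypesSupported bit names are the EVENTLOG_*_TYPE constants from the Win32 headers.

```python
import re

# Constructed sample of the registry merge file quoted in the thread (the
# real aboxsvc.exe and its message resources are not available here).
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\aboxsvc]
"EventMessageFile"="c:\\aboxsvc\\aboxsvc.exe"
"TypesSupported"=dword:00000007
"""

# Hand-built (source, event ID) -> format template map, the "make your own
# map by hand" approach. Event ID 1001 and the template text are constructed.
EVENT_TEMPLATES = {
    ("aboxsvc", 1001): "Duplicate IP address %1 detected with MAC %2",
}

# Bits of TypesSupported (EVENTLOG_*_TYPE values from the Win32 headers).
TYPE_BITS = {0x1: "ERROR", 0x2: "WARNING", 0x4: "INFORMATION",
             0x8: "AUDIT_SUCCESS", 0x10: "AUDIT_FAILURE"}

_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EventLog"
    r"\\([^\\\]]+)\\([^\]]+)\]$", re.IGNORECASE)
_MSGFILE_RE = re.compile(r'^"EventMessageFile"="(.*)"$', re.IGNORECASE)
_TYPES_RE = re.compile(r'^"TypesSupported"=dword:([0-9a-fA-F]{8})$', re.IGNORECASE)


def parse_regedit_eventlog(text):
    """Return {(log, source): {"message_file": path, "types": [...]}} from a
    REGEDIT4 merge file. Only keys under Services\\EventLog are considered."""
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            result[current] = {"message_file": None, "types": []}
            continue
        if current is None:
            continue
        m = _MSGFILE_RE.match(line)
        if m:
            # .reg files escape backslashes; undo that to get the real path.
            result[current]["message_file"] = m.group(1).replace("\\\\", "\\")
            continue
        m = _TYPES_RE.match(line)
        if m:
            mask = int(m.group(1), 16)
            result[current]["types"] = [name for bit, name in sorted(TYPE_BITS.items())
                                        if mask & bit]
    return result


def render_event(source, event_id, strings, templates=EVENT_TEMPLATES):
    """Expand %1..%n in the template with the record's insertion strings.

    Substitution is a single pass: a "%2" arriving inside an insertion string
    is copied literally and never re-expanded, so log content cannot steer
    the formatting. An unknown event ID gets a fallback that lists the raw
    strings (wording is ours, not Microsoft's). A placeholder with no
    matching string is left as-is so the gap is visible."""
    template = templates.get((source, event_id))
    if template is None:
        return ("The description for Event ID %d in Source %s cannot be found on this host. "
                "Insertion strings: %s" % (event_id, source, "; ".join(strings)))

    def sub(m):
        i = int(m.group(1))
        return strings[i - 1] if 1 <= i <= len(strings) else m.group(0)

    return re.sub(r"%(\d+)", sub, template)


if __name__ == "__main__":
    print(parse_regedit_eventlog(SAMPLE_REG))
    print(render_event("aboxsvc", 1001, ["10.0.0.5", "00:11:22:33:44:55"]))
    print(render_event("aboxsvc", 9999, ["foo"]))
```

The registry parser tells you which binary on the NT box holds the message table for each source (the EventMessageFile path), which is the file you would need to copy over to recover the real templates; until then the hand-built map and the fallback are what you have.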
Current thread:
- NT log file format? Marcus J. Ranum (Mar 25)
- Re: NT log file format? Paul M. Cardon (Mar 25)
- RE: NT log file format? David Bovee (Mar 26)
- <Possible follow-ups>
- Re: NT log file format? Ryan Russell (Mar 25)
- Re: NT log file format? Joseph S D Yao (Mar 26)
- Re: NT log file format? davi (Mar 26)
- Re: NT log file format? sedwards (Mar 26)
- RE: NT log file format? Choi, Byoung (Mar 25)
- Re: NT log file format? Lart (Mar 26)
- Re: NT log file format? ark (Mar 26)
- Re: NT log file format? David Gillett (Mar 26)
- RE: NT log file format? Kenneth_W_Fox (Mar 26)