[logs] Looking at windows logs

Pauls, Nicole npauls at trigeo.com
Thu May 29 11:49:34 PDT 2008


If you want to open an .evt for just plain viewing, you should be able to boot another Windows system, open Event Viewer, and right click -> "Open Log File..." You need to know what type of log file it is (Application, System, Security, etc) or Windows will complain.

If you wanted to REPLACE the event log with your older event log for some reason (say, to extract the data to a log management tool that can only access your running Security/System/Application event logs), you should be able to:

1. Change the current Event Log settings to match size of your new .evt file (in event viewer -> select log -> properties)

2. Mark the EventLog service as disabled and reboot

3. After reboot, replace the target .evt in C:\windows\system32\config

4. Mark EventLog service as automatic and reboot

After you reboot, you can just use the Event Viewer to view the file "as if" it was your normal .evt. New events will also get appended to the replacement log, though, so if you have auditing enabled and it's a Security Log, you will find the "old" data along with the "new" data. You would need to tell your log management tool to start from the head of the log in order to pull the data in (rather than the tail, which would only be new data).

HTH

--
nicole pauls, cissp-issap,issmp
director, product management
www.trigeo.com
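For the "just plain viewing" case when no second Windows box is to hand, the classic NT/2000/XP .evt format is simple enough to read directly. The following is an added example, not code from this thread or from any of the tools mentioned in it: a small Python parser that walks the records of an .evt image and prints them. It assumes the ELF_LOGFILE_HEADER (48 bytes) and EVENTLOGRECORD (56-byte fixed part) layouts as Microsoft documents them, and it does not handle the wrap-around of a circular log that has overwritten its own start. The two Security events it builds in memory are constructed sample data (528/529 are the XP-era logon success/failure event codes), so it runs offline; `load_evt()` applies the same parser to a real file.

```python
import struct
from datetime import datetime, timezone

# Layouts follow Microsoft's ELF_LOGFILE_HEADER (48 bytes) and EVENTLOGRECORD
# (56-byte fixed part) structures; every field is little-endian.
HEADER_FMT = "<I4sIIIIIIIIII"
RECORD_FMT = "<I4sIIIIHHHHIIIIII"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 48
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 56
EVENT_TYPES = {0: "SUCCESS", 1: "ERROR", 2: "WARNING", 4: "INFORMATION",
               8: "AUDIT_SUCCESS", 16: "AUDIT_FAILURE"}


def _utf16z(blob, pos):
    """Read a NUL-terminated UTF-16LE string at pos; return (text, next_pos)."""
    end = blob.index(b"\x00\x00", pos)
    while (end - pos) % 2:              # terminator must sit on a 2-byte boundary
        end = blob.index(b"\x00\x00", end + 1)
    return blob[pos:end].decode("utf-16-le"), end + 2


def parse_evt(blob):
    """Walk the records of an .evt image and return them as plain dicts."""
    hdr = struct.unpack_from(HEADER_FMT, blob, 0)
    if hdr[0] != HEADER_LEN or hdr[1] != b"LfLe":
        raise ValueError("not a classic .evt file (bad header)")
    start, end = hdr[4], hdr[5]         # StartOffset: first record; EndOffset: EOF record
    events, off = [], start
    while off < end and off + RECORD_LEN <= len(blob):
        rec = struct.unpack_from(RECORD_FMT, blob, off)
        length, magic = rec[0], rec[1]
        if magic != b"LfLe" or length < RECORD_LEN:
            break                       # EOF record (0x11111111 ...) or damaged data
        source, pos = _utf16z(blob, off + RECORD_LEN)
        computer, _ = _utf16z(blob, pos)
        strings, pos = [], off + rec[11]   # rec[11] = StringOffset, rec[7] = NumStrings
        for _ in range(rec[7]):
            s, pos = _utf16z(blob, pos)
            strings.append(s)
        events.append({
            "record_number": rec[2],
            "time": datetime.fromtimestamp(rec[3], tz=timezone.utc),  # TimeGenerated
            "event_id": rec[5] & 0xFFFF,   # low word is the code Event Viewer shows
            "type": EVENT_TYPES.get(rec[6], hex(rec[6])),
            "source": source,
            "computer": computer,
            "strings": strings,
        })
        off += length
    return events


def build_record(number, event_id, event_type, source, computer, strings, when):
    """Serialize one EVENTLOGRECORD (used only to build the constructed sample)."""
    names = source.encode("utf-16-le") + b"\0\0" + computer.encode("utf-16-le") + b"\0\0"
    strs = b"".join(s.encode("utf-16-le") + b"\0\0" for s in strings)
    string_off = RECORD_LEN + len(names)
    data_off = string_off + len(strs)
    total = data_off + 4                # trailing copy of Length closes the record
    fixed = struct.pack(RECORD_FMT, total, b"LfLe", number, when, when, event_id,
                        event_type, len(strings), 0, 0, 0, string_off, 0, 0, 0, data_off)
    return fixed + names + strs + struct.pack("<I", total)


def build_evt(records):
    """Wrap serialized records in a header and EOF record to form a complete .evt image."""
    body = b"".join(records)
    end = HEADER_LEN + len(body)
    header = struct.pack(HEADER_FMT, HEADER_LEN, b"LfLe", 1, 1, HEADER_LEN, end,
                         len(records) + 1, 1, 0x80000, 0, 0, HEADER_LEN)
    eof = struct.pack("<10I", 40, 0x11111111, 0x22222222, 0x33333333, 0x44444444,
                      HEADER_LEN, end, len(records) + 1, 1, 40)
    return header + body + eof


# Constructed sample: two XP-era Security events (528 = logon success, 529 = logon failure).
SAMPLE_EVT = build_evt([
    build_record(1, 528, 8, "Security", "LAPTOP01",
                 ["jdoe", "LAPTOP01", "(0x0,0x3E7)", "2"], 1212019200),
    build_record(2, 529, 16, "Security", "LAPTOP01", ["guest", "LAPTOP01", "2"], 1212019260),
])


def load_evt(path):
    """Parse an .evt file copied off the original system (e.g. from a Linux boot disk)."""
    with open(path, "rb") as fh:
        return parse_evt(fh.read())


if __name__ == "__main__":
    for ev in parse_evt(SAMPLE_EVT):
        print(ev["time"].isoformat(), ev["source"], ev["event_id"], ev["type"], ev["strings"])
```

The insertion strings come out raw; rendering them into the familiar message text still needs the message DLL of the source (e.g. the Security log's messages live on the original system), which is exactly why Event Viewer needs to know the log type when opening a saved file.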

From: loganalysis-bounces at loganalysis.org [mailto:loganalysis-bounces at loganalysis.org] On Behalf Of James B Horwath
Sent: Thursday, May 29, 2008 5:43 AM
To: loganalysis at loganalysis.org; loganalysis-bounces at loganalysis.org
Subject: [logs] Looking at windows logs



I hope somebody can help me. I have a Windows EVT file from a system that I want to view on another computer (which is a Windows XP laptop). I booted the laptop with Linux (BackTrack) and tried to remove the old security.evt file and replace it with mine. Even with the Windows drive mounted with "rw" I could manipulate any of the files or permissions. I kept receiving a message "read-only" media.

I thought maybe I could use the eventquery.vbs file from the command line using the /L switch to dump the logs, this did not work. It appears only the Windows categories are readable. I have a licensed copy of Adiscon eventviewer and a copy of lasso.

Can anyone offer any suggestions on how to extract this data?

Thanks in advance.
Jim



