Hello,
I am looking for a good quality tool to use for parsing Windows Event logs. I have used eventlogxp, but I am wondering if there is anything better? I have also used logparser, but I am looking for something along the lines of a Splunk etc. From what I have been told Splunk can't effectively or correctly parse EVT files from an external system (not local). I am looking for the ability to search in the EVT logs, not just parsing them.
Just looking for user experience.
Thanks
Was there something you couldn't do with Log Parser? It's very flexible and quite capable.
Cheers!
farmerdude
In my personal opinion (again, my personal opinion) I don't like Log Parser for looking at logs from a 30,000 foot view. I do like it when I am looking for specific events etc. I tend to be able to see a bigger picture when various events are laid out in front of me. Again, this is my personal preference.
I have had success with Event Log Explorer. Had to do some log analysis last month and create PDFs for review and it worked well.
There are tools on the DVD with WFA 2/e, as well as more updated versions in the file section of the Win4n6 Yahoo group, that I use for this. I use evtparse.pl to run through the EVT file on a binary basis and extract the records in various formats, including TLN format for inclusion in a timeline. I use evtrpt.pl to give me a high-level overview of what's in the EVT file, with respect to the date range of all records, as well as the frequency of records based on ID and source.
"I am looking for the ability to search in the EVT logs, not just parsing them. "
My reply was based upon this - searching EVT files. LogParser is fast, flexible, and capable of being utilized to search EVT files. I've found it to do everything I want it to do. If you had (have) a specific question on a search it may be most beneficial if you post it (so folks could perhaps better offer assistance).
Cheers!
farmerdude
The Perl scripts I mentioned allow EVT files to be searched without having to know or understand SQL statements. For example, one way to search for a specific event ID (i.e., 560) would be to do the following:
evtparse.pl secevent.evt | find "560"
Another would be to redirect the output to a file, and search it. Yet another would be to use the Spreadsheet::WriteExcel module to send the info to a spreadsheet for searching, or the DBI modules for doing the same with a database.
Don't fit your work to the tool…fit your tool to the work you need to do.
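The approach described above (walk the EVT file on a binary basis, pull out the records, filter on an event ID, and produce timeline lines and an ID/source frequency overview) can be shown in a few dozen lines of Python. This is an added example written for this page; it is not evtparse.pl or evtrpt.pl and does not reproduce their output. It assumes the documented EVENTLOGRECORD layout of classic pre-Vista .evt files (56-byte header, "LfLe" signature, UTF-16LE source and computer names, record length repeated in the last four bytes); the sample log bytes are constructed inline, and the TLN line layout is an approximation of the time|source|host|user|description convention, not the scripts' exact format.

```python
"""Carve EVENTLOGRECORD structures out of a classic (pre-Vista) .evt byte
stream, then search and summarise them: filter on an event ID, emit
TLN-style timeline lines, and count records per source/ID.
Added example with constructed sample data; not evtparse.pl/evtrpt.pl."""
import struct
from collections import Counter
from datetime import datetime, timezone

LFLE = b"LfLe"                              # record signature, DWORD 0x654C664C little-endian
HDR = struct.Struct("<IIIIIIHHHHIIIIII")    # fixed 56-byte EVENTLOGRECORD header
EVENT_TYPES = {1: "Error", 2: "Warning", 4: "Information",
               8: "Audit Success", 16: "Audit Failure"}


def build_record(recnum, ts, event_id, event_type, source, computer, strings):
    """Assemble one EVENTLOGRECORD (constructed test data, not a real log)."""
    def wstr(s):
        return s.encode("utf-16-le") + b"\x00\x00"
    body = wstr(source) + wstr(computer)
    string_offset = HDR.size + len(body)
    body += b"".join(wstr(s) for s in strings)
    length = HDR.size + len(body) + 4       # +4 for the trailing copy of Length
    pad = (-length) % 4                     # records are DWORD-aligned
    length += pad
    header = HDR.pack(length, 0x654C664C, recnum, ts, ts, event_id, event_type,
                      len(strings), 0, 0, 0, string_offset, 0, 0, 0, 0)
    return header + body + b"\x00" * pad + struct.pack("<I", length)


def read_wstr(blob, off):
    """Read a NUL-terminated UTF-16LE string; return (text, offset after the NUL)."""
    end = off
    while end + 1 < len(blob) and blob[end:end + 2] != b"\x00\x00":
        end += 2
    return blob[off:end].decode("utf-16-le", errors="replace"), end + 2


def carve_records(blob):
    """Scan for 'LfLe' signatures and return every record that validates.

    A genuine record repeats its Length field in its final four bytes, which
    weeds out chance signature hits and the 48-byte file header."""
    records, pos = [], blob.find(LFLE)
    while pos != -1:
        start = pos - 4                     # the Length DWORD precedes the signature
        if start >= 0 and start + HDR.size <= len(blob):
            f = HDR.unpack_from(blob, start)
            length, end = f[0], start + f[0]
            if HDR.size < length <= len(blob) - start and \
                    struct.unpack_from("<I", blob, end - 4)[0] == length:
                source, off = read_wstr(blob, start + HDR.size)
                computer, _ = read_wstr(blob, off)
                strings, off = [], start + f[11]      # f[11] = StringOffset
                for _ in range(f[7]):                 # f[7] = NumStrings
                    s, off = read_wstr(blob, off)
                    strings.append(s)
                records.append({
                    "record": f[2], "time": f[3],
                    "event_id": f[5] & 0xFFFF,        # Event Viewer shows the low 16 bits
                    "type": EVENT_TYPES.get(f[6], str(f[6])),
                    "source": source, "computer": computer, "strings": strings,
                })
                pos = blob.find(LFLE, end)
                continue
        pos = blob.find(LFLE, pos + 1)
    return records


def search_event_id(records, event_id):
    """The thread's `evtparse.pl secevent.evt | find "560"` done on parsed records."""
    return [r for r in records if r["event_id"] == event_id]


def tln_line(r):
    """Approximate TLN-style line: epoch|EVT|host|user|description (no SID here)."""
    desc = "%s/%d;%s;%s" % (r["source"], r["event_id"], r["type"], ",".join(r["strings"]))
    return "%d|EVT|%s||%s" % (r["time"], r["computer"], desc)


def summarise(records):
    """evtrpt.pl-style overview: date range plus frequency per (source, ID)."""
    def fmt(t):
        return datetime.fromtimestamp(t, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    times = [r["time"] for r in records]
    return {"first": fmt(min(times)), "last": fmt(max(times)),
            "by_source_id": Counter((r["source"], r["event_id"]) for r in records)}


# Constructed sample log: a 48-byte header stub followed by four records.
SAMPLE = struct.pack("<I", 0x30) + LFLE + b"\x00" * 36 + struct.pack("<I", 0x30)
SAMPLE += build_record(1, 1230768000, 560, 8, "Security", "WS01", ["Object Open", "Alice"])
SAMPLE += build_record(2, 1230768060, 560, 8, "Security", "WS01", ["Object Open", "Bob"])
SAMPLE += build_record(3, 1230768120, 562, 8, "Security", "WS01", ["Handle Closed"])
SAMPLE += build_record(4, 1230768180, 1000, 1, "Application", "WS01", ["Service crashed"])

if __name__ == "__main__":
    recs = carve_records(SAMPLE)
    for r in search_event_id(recs, 560):
        print(tln_line(r))
    print(summarise(recs))
```

Carving on the signature rather than walking the header's offsets is what lets this work on a partial or corrupted EVT, or on a file copied off a live box whose header was never flushed; the trailing-length check keeps stray "LfLe" matches out of the results.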
I have used the scripts in Encase or Log Parser to dump all of the data into CSV format. Then I can lay it all out and view it by importing it into the database of my choice.
I've been using Harlan's WFA Perl scripts that he mentions above with great success. I typically point the output to a spreadsheet and organize and search the results from there.
Thanks again for your contributions Harlan.
crosser,
Thanks.