

LogParser, Event Logs, and Vista

LogParser is one of my absolute favorite tools, particularly for doing incident response.  I use it a lot to extract and order data into a timeline (hmmm...that's a good topic for a future post).

When I moved to Vista, I found one annoyance, though.  Vista changed the event log file format from *.evt to *.evtx; the new format is built on binary XML and is an all-round improvement on the old-school evt files.  Unfortunately, this causes a problem when you use LogParser on Vista to parse event logs collected from down-level (pre-Vista) machines:

C:\priv>logparser "SELECT * FROM Application.evt"
Task aborted.
Cannot open <from-entity>: Error opening event log "\\?\C:\priv\Application.evt": The event log
  file is corrupted.

Statistics:
-----------
Elements processed: 0
Elements output:    0
Execution time:     0.21 seconds

The workaround is to convert the log file to the new evtx format before parsing it.  You can do this in the Event Viewer GUI with Save As..., but I find it easier to do at the command prompt:

wevtutil epl application.evt application.evtx /lf:true

The 'epl' (export-log) command exports the log file, and /lf:true tells wevtutil that the first argument is the path of an event log file rather than the name of an event log channel (Application, System, etc.).  Once the conversion succeeds, point LogParser at the resulting .evtx file instead of the original .evt.  One caveat when parsing logs off-box: LogParser formats the Message field using the message resources registered on the machine doing the parsing, so on an analysis box that field can come back incomplete for sources it doesn't know about; the Strings field carries the raw insertion strings and is unaffected.
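The conversion and the LogParser query, chained together for a whole folder of collected logs, as an added PowerShell example (not code from the original post).  It assumes wevtutil.exe and logparser.exe (LogParser 2.2) are on the PATH, and the folder and output paths are hypothetical; every .evt that wevtutil fails to convert is reported and skipped rather than aborting the run, and the one LogParser query orders everything into a single timeline.

```powershell
# Added example: batch-convert legacy .evt files with wevtutil, then build a
# timeline from the converted .evtx files with LogParser's EVT input format.
# Assumes wevtutil.exe and logparser.exe are on the PATH. Both paths below are
# assumptions for illustration, not from the original post.
param(
    [string]$InputDir = 'C:\priv\evidence',    # assumed folder of collected *.evt files
    [string]$OutCsv   = 'C:\priv\timeline.csv' # assumed output path
)

$evtFiles = Get-ChildItem -Path $InputDir -Filter '*.evt'
if (-not $evtFiles) { throw "No .evt files found in $InputDir" }

$converted = @()
foreach ($evt in $evtFiles) {
    $evtx = [System.IO.Path]::ChangeExtension($evt.FullName, '.evtx')

    # /lf:true tells wevtutil the first argument is a log *file*, not a channel name.
    & wevtutil.exe epl $evt.FullName $evtx /lf:true
    if ($LASTEXITCODE -ne 0) {
        # A truncated or genuinely corrupt .evt fails here; keep going with the rest.
        Write-Warning "wevtutil failed on $($evt.Name) (exit $LASTEXITCODE); skipping"
        continue
    }
    $converted += $evtx
}
if (-not $converted) { throw "Nothing converted; no timeline to build" }

# One LogParser run over all converted logs, ordered by generation time.
# Strings is selected instead of Message because Message depends on the
# message DLLs registered on the machine doing the parsing.
$from  = ($converted | ForEach-Object { "'$_'" }) -join ', '
$query = "SELECT TimeGenerated, EventLog, EventID, EventTypeName, SourceName, " +
         "ComputerName, Strings INTO '$OutCsv' FROM $from ORDER BY TimeGenerated"

& logparser.exe -i:EVT -o:CSV -stats:OFF $query
if ($LASTEXITCODE -ne 0) { throw "logparser failed (exit $LASTEXITCODE)" }
Write-Host "Timeline written to $OutCsv from $($converted.Count) log(s)"
```

Run it as `.\evt2timeline.ps1 -InputDir D:\case42\logs -OutCsv D:\case42\timeline.csv` (hypothetical paths); the CSV it writes is the ordered timeline the post alludes to, with one row per event across every converted log.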
