

LogParser, event logs and Longhorn Server

I am a frequent user of LogParser and when I recently started using Windows Server 2008 beta as my desktop OS I ran into a problem with it. One of the things I use LogParser for is extracting the information I need from my customers' event logs which are often quite large and usually from Windows Server 2003. So I got a surprise when I first tried to do this on Longhorn:

Logparser -i:EVT "select * from application.evt"
Task aborted.
Cannot open <from-entity>: Error opening event log "\\?\D:\customer\Application.evt": The event log file is corrupted.
Statistics:
-----------
Elements processed: 0
Elements output: 0
Execution time: 0.11 seconds

Fortunately, when I posted this problem to an internal group, Neil Carpenter came back with a solution that had worked for him on Vista, which he has also blogged about. This also worked on Longhorn (makes sense - similar code base / API).

I was curious to understand the underlying reason though. A bit of debugging cast some light on it. It turned out that when LogParser was calling OpenBackupEventLog it was failing with an error saying the event log was corrupt. The documentation for OpenBackupEventLog states that it will open a handle to a backup event log created by BackupEventLog. As the event log format has changed significantly in Vista and Longhorn compared to previous OSes (warranting a new file extension of 'EVTX'), it is no surprise that OpenBackupEventLog has a problem with backup event logs from older versions of Windows.

So, if you are working with LogParser on a Vista or Longhorn system to parse event logs from a previous version of Windows, you first need to convert the event log to EVTX format:

wevtutil export-log application.evt application.evtx /lf

LogParser will then work happily with the EVTX file as input. Just specify -i:EVT on the LogParser command line as before.
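The two-step procedure above (convert with wevtutil, then query with LogParser) works well enough by hand for one file, but customer uploads usually arrive as a folder of .evt backups. The following PowerShell script is an added example, not code from the original post: it converts every legacy .evt in a folder, skips files that wevtutil itself rejects (a non-zero exit there means the file really is damaged rather than just old-format), and then runs one LogParser query across all the converted files into a CSV. It assumes wevtutil.exe and LogParser.exe are on PATH, that it runs on Vista / Server 2008 or later, and that the folder and output paths (placeholders here) contain no spaces.

```powershell
# Added example (not from the original post): batch-convert legacy .evt backups to
# .evtx with wevtutil, then query them with LogParser. Assumes wevtutil.exe and
# LogParser.exe are on PATH and the script runs on Vista / Server 2008 or later.
param(
    [string]$SourceDir = 'D:\customer',             # assumed folder of legacy .evt backups
    [string]$OutCsv    = 'D:\customer\events.csv'   # assumed output path (no spaces)
)

$converted = @()
foreach ($evt in Get-ChildItem -Path $SourceDir -Filter '*.evt') {
    $evtx = [System.IO.Path]::ChangeExtension($evt.FullName, '.evtx')
    if (Test-Path $evtx) { $converted += $evtx; continue }   # already converted earlier

    # /lf:true tells wevtutil that the first argument is a log *file*, not a channel name.
    # export-log is the long form of 'epl'.
    & wevtutil.exe export-log $evt.FullName $evtx /lf:true
    if ($LASTEXITCODE -ne 0) {
        # wevtutil could not read it either: genuinely damaged, not just the old format.
        Write-Warning "wevtutil failed on $($evt.Name) (exit $LASTEXITCODE); skipping"
        continue
    }
    $converted += $evtx
}

if ($converted.Count -eq 0) { throw "No .evtx files to query in $SourceDir" }

# On Vista+ the EVT input format reads EVTX through the OS API, so -i:EVT is still correct.
# Pull the fields an investigator usually wants first; the Message field needs the
# source's message DLLs, so it is often empty for logs taken from another machine.
$fromList = ($converted | ForEach-Object { "'$_'" }) -join ', '
$query = "SELECT TimeGenerated, ComputerName, EventID, EventTypeName, SourceName, Strings " +
         "INTO '$OutCsv' FROM $fromList"

& LogParser.exe -i:EVT -o:CSV $query
if ($LASTEXITCODE -ne 0) { throw "LogParser exited with $LASTEXITCODE" }
```

Querying all converted files in one FROM list keeps the record order and timestamps comparable across the set, which matters when the customer sent logs from several machines; the EVTX copies are left next to the originals so a second run is idempotent.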

Cheers

Doug

Comments

  • Anonymous
    August 31, 2007
    PingBack from http://msdnrss.thecoderblogs.com/2007/08/31/logparser-event-logs-and-longhorn-server/

  • Anonymous
    February 01, 2010
    Is it possible to convert an .evtx file to .evt file format?

  • Anonymous
    February 01, 2010
    To the best of my knowledge no. Is there a scenario where this would be useful for you?

  • Anonymous
    February 07, 2010
    I need to parse evtx log file from XP

  • Anonymous
    June 11, 2010
    I need to do the same thing.  Our customers are sending us EVTX files from Win Svr 2008 and we are unable to view them on our ancient XP and Svr 2003 boxes.  Yep, I know, our cheap company won't spring for 2008 licenses for us and our clients won't save the files to EVT before they send them to us. Thanks

  • Anonymous
    June 23, 2010
    Unfortunately I don't think there is a way to convert EVTX to any other format if you do not have a Vista or above system.  One way to encourage your customers to provide data in a readable format would be to give them a more automated solution for data gathering. One option for doing that would be to get them to use Microsoft MPSReports: www.microsoft.com/.../details.aspx This will automatically gather lots of information about their system including event logs in EVTX, CSV and TXT formats and bundle it into a single CAB file that they can upload to you (although it could be too big to email). But all in all, getting all that information up front may allow you to solve their problem quicker. Doug

  • Anonymous
    June 24, 2011
    I have a problem: I want to use Task Scheduler to make me the file .evtx to .xml, but I am not able to program. Do you have another way to make the task more automatic, so that it gives me the file converted to the format I want? I appreciate your knowledge

  • Anonymous
    June 26, 2011
    You can use LogParser to generate the event log output in XML (you can also save as XML from the event viewer GUI):

    logparser /i:EVT /o:XML "select * into test.xml from Application"

    This would take it directly from the Application event log and output into test.xml. You can also convert an EVTX to XML like this:

    logparser /i:EVT /o:XML "select * into test2.xml from application.evtx"

    (Note that when you are running logparser on Vista or above, specifying the /i:EVT switch actually means that logparser will interpret EVTX, not EVT, files because logparser uses the OS APIs to read the files.) You can place these commands in a CMD/BAT file and then schedule that using the AT command, task scheduler or other scheduling tool. HTH Doug
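The reply above describes the pieces (a LogParser XML export, wrapped in a script, registered with Task Scheduler) without putting them together. The following PowerShell script is an added example, not code from the original post or its comments: it writes a small export script that pulls only the previous 24 hours of the live Application log into a dated XML file, then registers it as a daily task with schtasks.exe. It assumes LogParser.exe is on PATH; the output folder, script name and task name are placeholders, and the folder path is kept free of spaces so no quoting is needed inside the task command.

```powershell
# Added example (not from the original post): nightly XML export of the live
# Application log with LogParser, registered as a scheduled task via schtasks.exe.
# Assumes LogParser.exe is on PATH; paths and the task name are placeholders.
$exportDir  = 'C:\LogExports'                                   # assumed output folder (no spaces)
$scriptPath = Join-Path $exportDir 'Export-ApplicationLog.ps1'  # assumed script name
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

# The script the task will run: one XML file per day covering only the last 24 hours,
# so the files stay small and can be pruned by name later. On Vista+ -i:EVT reads the
# live channel through the OS API, exactly as in the reply above.
@'
$stamp = Get-Date -Format 'yyyyMMdd'
$out   = "C:\LogExports\Application-$stamp.xml"
$since = (Get-Date).AddDays(-1).ToString('yyyy-MM-dd HH:mm:ss')
$query = "SELECT * INTO '$out' FROM Application " +
         "WHERE TimeGenerated >= TO_TIMESTAMP('$since', 'yyyy-MM-dd HH:mm:ss')"
& LogParser.exe -i:EVT -o:XML $query
exit $LASTEXITCODE
'@ | Set-Content -Path $scriptPath -Encoding ASCII

# Register the task to run daily at 01:00 as SYSTEM, which can read the log without a
# stored password. /F overwrites an existing task of the same name.
& schtasks.exe /Create /F /TN 'Export Application Log' /SC DAILY /ST 01:00 /RU SYSTEM `
    /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File $scriptPath"
if ($LASTEXITCODE -ne 0) { throw "schtasks exited with $LASTEXITCODE" }
```

The time window in the WHERE clause is what keeps this sustainable: exporting the whole log every night produces ever-larger files and re-copies records that were already exported, whereas a rolling 24-hour window yields one bounded file per day that a retention job can delete by date stamp.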