  1. #1
    2 Star Lounger

    Making event logs unusable

    In Microsoft's Windows 2000 Scripting Guide it warns that using the copy command or other backup methods to back up the event logs will make them unusable.
    In the TechNet I read (for Windows 7, Vista etc.) that:
    wevtutil epl <LogName> <FileName.evtx>
    can be used to EXPORT event logs and
    wevtutil al <FileName.evtx> [/l:<LocaleString>]
    can be used to ARCHIVE event logs.

    I am confused because "FileName" could be interpreted to be path/file.
    If I use epl to export my machine's event logs to a file in that machine will that make the event logs unusable?
    Conversely, if I use al to put my machine's event logs on a file on another machine will that make the logs unusable?
    My Windows 8.1 wevtutil /? does not show a /l option. Can someone explain what that means on Windows 7?
    Lastly, is it possible all this is moot in Windows 8.1 i.e. using any option with wevtutil will NOT make my event files unusable?

  2. #2
    WS Lounge VIP
    The file name is for the exported data, not the log itself. You could use any name or extension.
    Once exported you can do anything to the export file, copy, rename etc.
    W8 probably works out the locale based on the local machine locale.
    The point about not copying the event logs themselves is because the log must be available for writing by Windows all the time and a copy locks the file for a short time. The "wevtutil" asks Windows to provide the information from the logs for you to use as you require.

    cheers, Paul
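
The export-then-archive sequence discussed above, as an added PowerShell example that is not part of the original thread. The folder `C:\LogExport`, the choice of logs and the `en-US` locale are assumptions; run it elevated if you add the Security log.

```powershell
# Added example (not from the thread): export live logs with wevtutil,
# archive the exports, then confirm both the export and the live log still work.
$dest  = 'C:\LogExport'                  # assumed local output folder
$logs  = 'System', 'Application'         # add 'Security' when running elevated
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

New-Item -ItemType Directory -Path $dest -Force | Out-Null

foreach ($log in $logs) {
    $file = Join-Path $dest "$env:COMPUTERNAME-$log-$stamp.evtx"

    # epl: the Event Log service writes a copy of the log to $file.
    # The live log file under %SystemRoot%\System32\winevt\Logs is never opened by us.
    wevtutil epl $log $file
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Export of $log failed (exit code $LASTEXITCODE)"
        continue
    }

    # al: takes the EXPORTED FILE (not a log name) and stores the message
    # strings for the given locale in a LocaleMetaData folder beside it, so the
    # events render on a machine that lacks the original event providers.
    wevtutil al $file /l:en-US
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Archive of $file failed (exit code $LASTEXITCODE)"
    }

    # Prove the export is readable. /lf:true means "the argument is a log
    # file path", as opposed to the name of a live log.
    wevtutil gli $file /lf:true
    wevtutil qe $file /lf:true /c:3 /rd:true /f:text

    # Record a hash so a later copy of the export can be compared to this one.
    Get-FileHash -Algorithm SHA256 -Path $file | Format-List Path, Hash
}

# The live log is still in service after the exports.
wevtutil gli System
```

When moving an archived export to another machine, copy the `.evtx` file together with the `LocaleMetaData` folder created next to it.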

  3. #3
    2 Star Lounger
    Got it about locale (need to read more critically LOL).
    Aware about copy as U point out but in 2000 & 7 once a log is copied it is made useless due to boot time bit settings to make it appear open and thus in use and unavailable if copied. Hence the need for epl & al. At least by my understanding.
    My question is can I export (epl) event logs to my machine and can I archive (al) them to another machine where they (I hope) remain usable in both cases, unlike the copy command effect.

  4. #4
    Super Moderator jwitalka
    This link shows how to export Windows Event logs to an Excel spreadsheet:
    http://www.ehow.com/how_7825769_expo...ogs-excel.html

    I have never done it so I don't know anything about how well it works.

    Jerry

  5. #5
    Super Moderator Rick Corbett
    I use Nir Sofer's MyEventViewer to filter and export event logs.

    I like it because I can connect to remote PCs in work with it and ended up writing a tiny little AutoHotkey frontend to save me having to remember the syntax for remote access.

    (Actually, I just love all of Nir Sofer's utilities.)
    Last edited by Rick Corbett; 2014-12-06 at 17:27.
