SomarSoft has a free command-line utility called DumpEvt (short for "Dump Events"), which an administrator can use to dump events from Windows event logs. Microsoft has a similar tool called DUMPEL, but DumpEvt is a little more powerful and flexible. If you have an existing data mining tool that you want to put to use on crunching information from your system logs, this is a fast and relatively painless way to pull that information out in a common format (.CSV).
DumpEvt comes in a single .ZIP file and you can unpack it into any folder. When run from the command line, it typically needs the following two parameters:
/logfile=<type>: Selects which log file to dump. The program uses the following abbreviations for each log type: app (Applications), sys (System), sec (Security), dir (Directory Services), dns (DNS) and rpl (File Replication). The last three are only available on servers where such logs are kept.
/outfile=<path>: Provides the path and filename where the data will be dumped. If an existing file is found, the data will be appended, not overwritten.
The output file generated by DumpEvt is always in CSV format, which can then be imported into a database or spreadsheet application for further sorting.
Here are some other useful command-line options for the program:
/computer=<computername>: Dump logfiles for another computer, specified either by machine name or IP address. You must have administrative privileges on the machine in question, under your current login, to do this. This is useful if you want to quickly dump out logs from a server where you have a valid login, but where you don't have console access.
/backup: Backs up the event log to the file in /outfile. This creates a binary dump of the logfile, not a CSV. Writing to an existing backup file will overwrite it, not append to it.
/all: Dump all event log records. By default the program only dumps events logged since the last run of DumpEvt, on a per-machine basis. Information about when the last dump was run is kept on the machine where DumpEvt was run, not on the machine where logs were extracted. By default, the last update information is kept in the Registry key HKEY_CURRENT_USER\SOFTWARE\Somarsoft\DumpEvt.
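The following PowerShell script is an added example, not part of the original article or of SomarSoft's distribution. It ties the parameters above together for a small collection run: a full CSV dump of the three standard logs from each target, plus a native binary backup of the Security log. The path to dumpevt.exe, the target names and the output directory are assumptions, and the account running it must hold administrative rights on every target, as /computer= requires.

```powershell
# Added example; not part of the original article or of SomarSoft's distribution.
# Assumptions: dumpevt.exe lives at C:\Tools\DumpEvt\dumpevt.exe (hypothetical path),
# the hostnames below are placeholders, and the account running this script has
# administrative rights on every target (DumpEvt needs that for /computer=).
$DumpEvt = 'C:\Tools\DumpEvt\dumpevt.exe'
$OutDir  = 'C:\Logs\EventDumps'
$Targets = @('SERVER01', '192.0.2.10')    # placeholder names/addresses
$Logs    = @('app', 'sys', 'sec')         # dir, dns and rpl only exist on servers that keep them
$Stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

foreach ($Target in $Targets) {
    foreach ($Log in $Logs) {
        # One fresh, timestamped file per host and log. DumpEvt appends to an
        # existing /outfile, so reusing a name would silently merge separate runs.
        $Csv = Join-Path $OutDir ("{0}-{1}-{2}.csv" -f $Target, $Log, $Stamp)

        # /all forces a complete dump. Without it DumpEvt only emits records newer
        # than its last run, and that marker lives under HKCU on the collecting
        # machine, so a different user or workstation starts from scratch.
        & $DumpEvt "/logfile=$Log" "/outfile=$Csv" "/computer=$Target" /all

        if (-not (Test-Path $Csv) -or (Get-Item $Csv).Length -eq 0) {
            Write-Warning "No CSV produced for $Target/$Log; check rights and whether that log exists there"
            continue
        }
        # Line count as a rough record count; useful for spotting an empty or truncated pull.
        $Lines = (Get-Content $Csv | Measure-Object -Line).Lines
        Write-Host ("{0,-12} {1,-4} {2,8} lines -> {3}" -f $Target, $Log, $Lines, $Csv)
    }

    # Keep the Security log as a native binary backup beside the CSV. /backup
    # writes the raw event log rather than CSV, and overwrites rather than appends.
    $Bak = Join-Path $OutDir ("{0}-sec-{1}.evt" -f $Target, $Stamp)
    & $DumpEvt '/logfile=sec' "/outfile=$Bak" "/computer=$Target" /backup
}
```

Run it from the collecting workstation rather than on each server. Two points to keep in mind: the Security-log CSVs and .evt backups contain logon and audit detail for every target, so protect the output directory accordingly; and drop /all only once you are sure every run uses the same account on the same workstation, since the incremental marker in HKEY_CURRENT_USER is otherwise reset and you will get either a full dump you did not expect or gaps you did not notice.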
DumpEvt also uses a pre-generated .INI file to handle some other program options that don't tend to change as often. You can find a complete rundown of the .INI file options in the program's documentation, but here are the most important ones:
- DumpData=[none|char|hex]
This option controls whether DumpEvt exports the event data (the binary payload attached to some records) along with the basic event information. By default this is set to none, because including the event data can make the log dump substantially larger. hex converts the data into a hexadecimal dump; char dumps everything as ASCII except for characters below ASCII 0x20, which are converted into periods.
- DumpRecNum=[no|yes]
Controls whether DumpEvt writes the record number associated with a given event log record; this is set to no by default. The record number is logged with each event and is useful for reconstructing complete logs in the order they were posted -- for instance, when the event time and date are questionable.
About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!