The Event Log Query Tool
The Microsoft Windows 2000 Server Resource Kit is the official home of the Event Log Query tool, otherwise known as Elogdmp.exe ("Elogdmp"). Elogdmp requires a bit of practice to fit the needs of some, but it readily meets our immediate objective: exporting the log data to a dump file that we can easily import into MS Access. With a small investment of development time, a macro or script can be assembled to call the tool for regularly scheduled exports of the logs to meet the needs of the organization.
Discussion
Elogdmp is a command-line tool that sends its output, the contents of the Event Log, to the screen or to a file. The logs of a local or remote computer, whose identity is designated in the utility's syntax (see the next section for details), can be "dumped" using the tool to a location specified in the syntax. Searching the output data is easy, because it is generated as a comma-delimited text file, a fact that also makes it readily importable into other applications.
The data that appears in the Elogdmp file includes
the information depicted in Table 1.
| Data Element | Description |
|---|---|
| Date | The date the event occurred, stored in Coordinated Universal Time (UTC). |
| Time | The time the event occurred, stored in UTC. |
| Source | The software logging the event, which can be a program name or the identifier of a system component / subcomponent of a larger program. |
| Type | Event severity classification. Application and System logs: Error, Information, Warning. Security log: Success Audit, Failure Audit. |
| Category | Primarily used in the Security log, the Category classifies events by event source. Often used as a grouping mechanism for event types that can be subjected to success / failure auditing in Windows 2000 Group Policy. NOTE: dumped log files contain "Something" or "None" in this field, and are thus not very useful. |
| Event | The particular event type for the respective source, identified by a number. The name of the event type is typically included in the first line of the description (often useful to support representatives, etc., using Source and Event data together in troubleshooting exercises). |
| User | The name of the user on whose behalf the event occurred: the client ID if the event was caused by a server process, or the primary ID if impersonation is not taking place. Where appropriate, Security log entries contain both primary and impersonation IDs, when the server allows a process to assume the security attributes of another. |
| Computer | The name of the computer upon which the event took place. |
| Details | Additional message details that sometimes appear in the dumped log file, depending upon the event. |

Table 1: Event Log Information
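As an added illustration (not part of the Resource Kit or of this article), the following Python script parses a comma-delimited dump laid out in the Table 1 field order and tallies Failure Audit entries per computer. The field order and the CSV quoting of the Details column are assumptions that should be checked against a real dump; the sample lines are constructed, not actual Elogdmp output.

```python
import csv
import io
from collections import Counter

# Column order assumed to match Table 1; a real dump may order fields differently.
FIELDS = ["Date", "Time", "Source", "Type", "Category",
          "Event", "User", "Computer", "Details"]

# Constructed sample dump (not real Elogdmp output). Details fields that
# contain commas are quoted, which is why a CSV parser is used instead of split(",").
SAMPLE_DUMP = """\
01/14/2002,03:15:22,Security,Failure Audit,None,529,NT AUTHORITY\\SYSTEM,SRV01,"Logon Failure: unknown user name or bad password, user: jdoe"
01/14/2002,03:15:25,Security,Failure Audit,None,529,NT AUTHORITY\\SYSTEM,SRV01,"Logon Failure: unknown user name or bad password, user: jdoe"
01/14/2002,03:15:29,Security,Failure Audit,None,529,NT AUTHORITY\\SYSTEM,SRV01,"Logon Failure: unknown user name or bad password, user: jdoe"
01/14/2002,03:16:01,Security,Success Audit,None,528,DOMAIN\\jdoe,SRV01,"Successful Logon, Logon Type: 2"
01/14/2002,04:02:10,Service Control Manager,Information,None,7036,N/A,SRV01,The Print Spooler service entered the running state.
"""


def parse_dump(text):
    """Parse a comma-delimited dump into one dict per event, keyed by Table 1 names."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if not rec:
            continue
        # Pad short records: Details is not present for every event.
        rec = rec + [""] * (len(FIELDS) - len(rec))
        rows.append(dict(zip(FIELDS, rec[:len(FIELDS)])))
    return rows


def count_by(rows, field, event_type=None):
    """Count events per value of `field`, optionally restricted to one Type."""
    return Counter(r[field] for r in rows
                   if event_type is None or r["Type"] == event_type)


def repeated_failures(rows, threshold):
    """Computers with at least `threshold` Failure Audit entries in the dump."""
    per_host = count_by(rows, "Computer", "Failure Audit")
    return sorted(host for host, n in per_host.items() if n >= threshold)


if __name__ == "__main__":
    events = parse_dump(SAMPLE_DUMP)
    print(count_by(events, "Type"))
    print("hosts with repeated failures:", repeated_failures(events, 3))
```

The same functions work on a dump produced for a remote computer, so a scheduled export can be followed by a scheduled review of audit failures.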
For those of us using it for the first time, Elogdmp.exe can be found in a couple of places, depending upon whether you installed the Windows 2000 Resource Kit or simply have the CD and do not wish to install the full kit on the computer. In the former case, the file is located on the hard drive of the computer upon which the Resource Kit was installed, in the location chosen at installation time (the search facility can be used, obviously, if you do not recall the location). An example is partially shown in Illustration 2.
Illustration 2: Locating Elogdmp.exe on a Computer with the Resource Kit Installed
Elogdmp.exe can also be extracted from a file on the Windows 2000 Resource Kit CD, called compmgmt.cab, depicted in Illustration 3.
Illustration 3: The Compmgmt.cab on the CD, Home of Elogdmp.exe
We can easily access our target inside this compressed file with the more recent versions of WinZip. Once the contents of the .cab file are exposed, as partially depicted in Illustration 4, we can extract the file to any destination we choose.
Illustration 4: Preparing to Extract Elogdmp.exe from Compmgmt.cab on the CD
While any user on the network can use Elogdmp to view the contents of the Application log on any remote computer on the network (assuming basic access privileges), membership in the Domain Administrators / Administrators group on the computer is required to use Elogdmp as a remote administration tool for viewing the contents of a remote computer's System or Security log.