FAQ: The Eventlog of Windows

B 1: I want to run EventSave in a scheduled job and direct all the output into a text file.

1. Copy EventSave.exe into d:\events
2. Create a file "d:\events\es.cmd" with the following line of code:
   d:\events\eventsave d:\events > d:\events\es.txt
3. Schedule a job running d:\events\es.cmd
4. If you want to save the logs on remote computers, make sure your job runs with an account that has Administrator rights on all these remote machines. With the local system account (the default account for the Scheduler service) of NT4 you can't access any remote machine!

Some people think when they run a job at midnight and it fails, the reason is that nobody is logged on interactively. This is not true. When the job needs to access the network, but is scheduled to be run under the system account, it will fail even when an admin is logged on during thie time! You need to either run the scheduler service under an admin account or you need to upgrade the scheduler service. For instance, IE5 comes with an option to install a replacement for the scheduler service, which allows you to run each job under a different account.

B 2: I can't for the life of me figure out how to call EventSave using the AT command. I can get AT to do the current machine but the /A seems to get lost.

Use a batch file or try it with double quotes around the commands, like
at 5:00 "Eventsave /a"
Normally NT 4.0 (contrary to NT 3.x) does not expect double quotes, but there exists - you guess it - a Registry value to change the "normal" behaviour into its opposite.

B 3: In the readme.txt file you gave an example of eventsave being run every 5 days. Since the filename is by month what will the filenames be? Will it overwrite the files or add the day to the filename? I'm especially concerned about this because we archive our logs every week, not every month.

All events of a log and a month go into the same file. For instance, you save your files on March, 28. and the next time on April, 5. As a result, all events created during the last days of March, are added to the logfiles for March and all further events are put in new logfiles for April.
EventSave never will overwrite events in a destination file, it always only will append newer events to the appropriate files or create new files, if necessary.

B 4: Is it possible to save logs to a remote path?

Yes. Just use the UNC for the target path: \\Machinename\Sharename\Subdir
There is no need to map a drive to the remote path.

B 5: Is it possible to save logs of different machines into different directories?

If you call EventSave with the /a option, it will copy all logs of all machines into the same directory. Otherwise you have the possibility to select a different destination directory for every machine. I do suggest to use only one directory for all machines, otherwise you can't make full use of Elwiz.

But if you prefer to move the events from SERVER1 and SERVER2 into existing local directories on each machine, you could use a batch file like the following:
"c:\Program Files\Heysoft\eventsave.exe" \\SERVER1\c$\events /CSERVER1
"c:\Program Files\Heysoft\eventsave.exe" \\SERVER2\c$\events /CSERVER2

B 6: I was wondering if you have a version of EventSave for the Alpha based NT servers.

I am sorry, but such a version is not available. But because the program works over the LAN, you can install it on a network machine with an Ix86 processor and let it save the eventlogs from your alpha machines from there.

B 7: EventSave moves all events of a month into the same file, but I need to run some of the Report Event Tools for daily reports

In case you want to evaluate your logs daily and archive them as well, you create the following batch file and schedule it to run every day at 0:00. We assume all programs are located in the directory d:\Events

rem make sure a subdirectory Daily for daily reports exists!
if not exist d:\events\daily\nul md d:\events\daily

rem make sure a subdirectory monthly for archived logs exists!
if not exist d:\events\monthly\nul md d:\events\monthly

rem first delete old logs:
del d:\Events\Daily\*.evt

rem now copy new events:
d:\Events\EventCopy d:\Events\Daily

rem now archive new events into a different directory:
d:\Events\EventSave d:\Events\monthly

rem now do your evaluation, for instance:
d:\Events\r528 d:\Events\Daily /m /z+
d:\Events\r529 d:\Events\Daily /m /z+

B 8: I cannot seem to read the outputted files with Notepad

EventSave does not change the format of the evt file. This means you either need to use NT's native Eventviewer or a program like Elwiz from this site to read the saved evt files.
In case you want to save the events into csv files, you should read Answer A28.

B 9: What is the -ANSI switch good for?

The -ANSI switch is only for the output of the messages of the programm. In English, it does not matter to use this switch or not. But in other languages, like German, there are characters (umlauts, for instance) which will be displayed differentially on the command line and in the GUI of NT.

B 10: How do I need to configure the Firewall of Windows XP SP2 for EventSave?

You just need to enable File an Print Sharing.

B 11: Is there an option available, for example with EventSave+, that would compress the resulting file when it is extracted?

No, there is no such option.

But I think there are command line tools available for compressing files. So you could create a batch file that first runs EventSave and afterwards another tool that compresses the resulting files. The last line of your batch file would delete all *.evt files in this directory.

The reason EventSave does not compress is because no event viewer and evaluation tool would be able to read the files anymore.

B 12: Is there a way to tell EventSave to use file names like Computer_Eventlog_Year_Month.evt?

No. You need to consider that the other tools from Heysoft which work with event files use the naming convention Year_Month_Computer_Eventlog.evt. If EventSave would change this, all other programs would have a problem interpreting the file names correctly.

But if you really need to, you could easily change the file names of the evt files of the last month with the following command:

for /f "delims=_ tokens=1,2,3,4" %A in ('dir 2006_04*.evt /b') do rename %A_%B_%C_%D %C_%A_%B_%D

In case you want to run this command within a batch file, you need to double the % characters.

B 13: Why should I never use EventSave to save and delete events from a Windows Vista machine?

After collecting the events, EventSave deletes them on the source machines.
With Windows 6 the eventlog format changed. The events are gathered in evtx files now. It is still possible to backup the events to evt files, but you loose information if you do so. This is, for example, the exact time when the event occurred (evt files save time with an accuracy of 1 second, but evtx files save time with an accuracy of 1 millisecond) or the IDs of the process and even thread of the program which created the event.

If you enforce EventSave with option /V6 to collect and clear events from machines running Windows version 6 or above (Vista and later), you will loose part of the information of the events, which can not be restored later!

C 1: There are some current eventlogs missing in the eventlog tree, though the machines in question are up and running.

Since version 3, Elwiz does only show the current event logs of the machines in its watch list.
If a machine's current logs do not show up in the eventlog tree, you need to check whether this machine is on the watch list and whether the EventWatcher3 service on this machine is connected to the Event Collector Service on your machine.

C 2: I want filters on things I want to see, NOT what I don't want to see. Reverse of the way you are doing it.

I don't think this is a good idea. There are lots of unknown events. Probably anybody will fail to add some important seldom events to the list. (The warnings which reported errors on my HD days before it really crashed come to mind.)

With my philosophy you won't miss critical events, with yours you would. You can take a logfile, select an entry, press the right mouse button, choose "Add entry to Watcher filter rules... " and build your filter files very fast this way. And if you install new software (which creates new log entries), you will get them automatically (with the option to add them to the filter list) with my method.

Anyway, Elwiz allows to do what you want. There are "Show Always" and "Ignore Always" filter rules. You could, for instance, take any Print event to create a filter rule that tells Elwiz to ignore all Print events. Next, you define another rule, which says, that Print events 20 (Changing of printer drivers) should always alert.
As you see, it is not necessary to create Ignore rules for every event ID.

C 3: Elwiz has the eventlog table option "Add Item to Watcher Filter Rules", why does it not have a "Remove Item from Watcher Filter Rules" option, too?

How should this option work? There are very many possibilities why a specific event is filtered, e.g.:

• all events of it's category
• all events with this ID
• all events with this ID and a certain string
• all or a specific machine
• all or a specific User ID

and nearly every combination of the above. There can be even multiple entries which filter a certain event. For instance, you first decide to filter all Print events with ID 10 for all users on machine ABC. Later you decide to filter all events of the Print category for user Joe on all machines.
If there would be a "Remove" option, and you click on a Print 10 event for user Joe on machine ABC, which entry in the filter list should be removed? I think the results would not always be as expected.
What you need to do is the following:
Select the Filter Rules sheet, select the appropriate entry and delete it with the help of its context menu. This way  you always know what you are doing ;-)

C 4: We have 2 domain admins with 2 different accounts and we would like those event notices to be sent to two different Workstations, is this possible?

You require a special version of the Eventwatcher service for this purpose. When registering, notice how many admins should be able to watch the events at the same time. The price for n admins will be n times as much as the normal version, by the way.

C 5: We operate a WAN across Europe. As central site we are very charmed with the alert option in your software, but we want to be sure it can work across domains.

You need to provide the domain name to which the machine running Elwiz belongs to. The machines you want to watch can be in every domain, there is no limit (except the number of licences you did buy ;)

C 6: Why does Elwiz in "Client Info | Misc" for Windos 2000 machines not show the hard disk usage?

It is possible to deactivate this perfmon object. Up to NT 4 it was enabled by default, but in NT 5 it is disabled. Unfortunately this change is not documented.
The command for enabling the object is: diskperf -yv You need to reboot to make the changes work.

C 7: Why do I need to provide the names of the domains when I want to register Elwiz or Report Event?

It is only a simple measure of copy protection. net config rdr on the machines where you want to run the software will tell you the valid name of the Workstation domain that you need to provide.

No. If you want to license the software for instance for 20 domains, you can get a campus license as well.

C 8: I want to watch machines in different domains with Elwiz. For how many domains do I need to register Elwiz?

You only need to register Elwiz for the domain where you want to run the program. The watched machines may be members of any domain. Of course you need the appropriate rights to access the event logs on these machines.

C 9: We want to view logs on machines with disabled admin shares.

You have 4 options:

1. Do not view the logs of this machine with Elwiz
2. Enable admin shares again
3. Create a new share C$ (where C is the drive with the logs) and give it read access for your account.
   Warning: NT deletes this share every time it is rebooted when admin shares are disabled.
4. Create a new share Cx$ (where C is the drive with the logs) on all machines where you want to view the logs and give it read access for your account. Set the ending (here x$) in Elwiz' Options > Misc sheet

C 10: May the EventWatcher service run under the System account?

The System account does have no access to network connections.
Therefore the ECS would need to run on the same machine where the EventWatcher service is running under the System account.

D 1: Unfortunately when i run a Report Event tool, the following appears:

The Report Event tools all do only work with saved eventlog files. This is because NT itself does not allow other programs to access the data of a log currently in use. The first step you have to do is running EventSave.exe (preferably with a separate destination directory). Then run the tools in this directory.

D 2: How does the installation of the Shareware version of a Report Event tool work?

All current shareware versions install silently when run for the first time, without doing anything else. Be aware that you can test the shareware versions only with a single account! For instance, if you did install a tool under the admin account, you can't run it as well in the Scheduler service, if this service runs under a different account. You need to register when you want to run the tools under different accounts. Another good reason for registering is that you can't set all options in the shareware versions.

D 3: I would like to show the output of R528 on a web page, how can I do this?

Nick Tonkin wrote a nice Perl script that does what you want. (BTW, there is a small error on his page - of course R528 will process logs from all versions of NT, not only 4.0 Server.)

D 4: Do the tools allow me to scan event logs in multiple domains from one server?

You can use EventSave to save all your logs onto one machine. Than you can evaluate all logs with one license of the tools. The tools will only run on machines of the domain(s) you named in the order form!
If you want to evaluate the events of every domain in this domain itself, you need a registered version for every domain.

D 5: Does print event 10 report the correct number of pages, even if the print job was canceled?

If print event 10 does report the right number of printed pages for non-canceled print jobs, it will do so when a job is canceled, too. This is possible because the event is created when printing is finished, not when it starts. But as you can read in the documentation of RP10, there are many occasions (for instance when printing multiple copies of a document with Microsoft Word for Windows 7.0) where the wrong number of pages is reported by default.

D 6: The Shareware version of R528 does not seem to work: I open Event Viewer, open Security Log, go Save As rep.evt file into c:\report folder. Close Event Viewer. Run R528 c:\report /A /DC

Ooops, just have a look at the readme file:
"You have to run EventSave, EventSave+ or EventCopy before you can use any of the other "Report Event for Windows NT" tools."

This is because R528 only tries to evaluate Security logs. Therefore it expects a file with the string "sec" in its name, as the freeware program EventSave assigns automagically. This naming convention does allow R528 to skip application and system evt files.

When you rename your file rep.evt into security.evt, R528 will work!

D 7: Is there a way to de-merge a large file created by MER? I only need events with ID 560 from this file.

You can tell MER to copy only specific events, for instance:
MER /ttarget.evt source.evt /e560
This command will only copy events with ID 560 from source.evt to target.evt

D 8: There is a new version of EventSave+ adapted to Windows Vista, why are there no such versions of EventCopy and ECA?

When using EventSave(+) you can loose information, because the events will be cleared after they are backed up. All information not converted from evtx format to evt format will be lost forever. (See answer B13, also.)
Because neither EventCopy nor ECA delete the original events after they are copied to the backup files, there is no risk to loose information with both tools.