When running DumpEvt on a Windows computer joined to a network, and on a Windows computer not joined to a network (i.e., a standalone machine), DumpEvt correctly formats the data from the networked machine, but fails to format the data from the standalone machine.
The command line syntax used from the C:\Temp directory, where the executable and INI files are located, is:
dumpevt.exe /computer=myComputer /logfile=sec /outfile=c:\temp\sel.txt /all >> c:\temp\errors.txt
The contents of the errors.txt file after running DumpEvt on a standalone machine are:
12/6/2004 2:45:30 PM
Somarsoft DumpEvt v1.7.3, Copyright (c) 1995-1997 by Somarsoft, Inc.
LogType=Security
Computer=myComputer (real name masked)
SystemRoot=C:\WINNT
Outfile=c:\temp\sel.txt
Use HKEY_CURRENT_USER for saving record number
Format=yes
DateFormat=(locale dependent)
TimeFormat=HH':'mm':'ss
FieldSeparator=,
ReplaceFieldSeparator= (blank)
ReplaceCR=^
ReplaceLF=^
StringSeparator=;
MaxMessageLen=64000
MaxFragmentLen=64000
DumpData=none
SplitDateTime=no
DumpRecnum=no
process all event log records
==>LoadLibrary rc=2 library=\\myComputer\C$\WINNT\System32\MsAuditE.dll
==>Format message error, source=Security type=Category msg=4 rc=0
==>LoadLibrary rc=2 library=\\myComputer\C$\WINNT\System32\sp2res.dll
==>LoadLibrary rc=2 library=\\myComputer\C$\WINNT\System32\sp3res.dll
==>Format message error, source=Security type=Message msg=577 rc=0
==>Format message error, source=Security type=Category msg=2 rc=0
==>Format message error, source=Security type=Message msg=538 rc=0
==>Format message error, source=Security type=Category msg=1 rc=0
==>Format message error, source=Security type=Message msg=515 rc=0
==>Format message error, source=Security type=Message msg=528 rc=0
==>Format message error, source=Security type=Message msg=576 rc=0
==>Format message error, source=Security type=Category msg=9 rc=0
==>Format message error, source=Security type=Message msg=680 rc=0
I can specify "no" to "Format" in the INI and receive an unformatted dump, and then correlate the data using a third-party tool to format the data in like manner as produced from a networked machine, but that's too much like work. I'd rather do it using DumpEvt, if possible.
Has anyone else had this problem of formatting errors when dumping from a standalone machine, do you have a fix, and are you willing to share?
Again, I'm looking for a quick fix using DumpEvt and would rather not deal with a third-party workaround as I already have a backup plan should DumpEvt formatting ultimately fail.
Thanks in advance for the help.
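An added triage helper, not part of the original post and not Somarsoft's DumpEvt code: it parses a DumpEvt errors.txt capture (re-embedded here as a constructed sample that mirrors the output above, with the same masked host name) and reports which message DLLs DumpEvt tried to load through the \\host\C$ administrative share, what the Win32 return code means (rc=2 is ERROR_FILE_NOT_FOUND), and which Security event IDs and category numbers were consequently left unformatted. The function name `triage`, the `SAMPLE_ERRORS` text and the small error-code table are assumptions made for this example.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Win32 error codes that show up in DumpEvt's "LoadLibrary rc=N" lines
# (the value of GetLastError after LoadLibrary failed). Small table; assumption
# that these are the codes worth naming for a share/path problem.
WIN32_ERRORS = {
    2: "ERROR_FILE_NOT_FOUND",
    3: "ERROR_PATH_NOT_FOUND",
    5: "ERROR_ACCESS_DENIED",
    53: "ERROR_BAD_NETPATH",
    67: "ERROR_BAD_NET_NAME",
}

LOADLIB_RE = re.compile(r"^==>LoadLibrary rc=(?P<rc>\d+) library=(?P<path>.+?)\s*$")
FORMAT_RE = re.compile(
    r"^==>Format message error, source=(?P<source>\S+) type=(?P<kind>\S+) "
    r"msg=(?P<msg>\d+) rc=(?P<rc>\d+)\s*$"
)
# \\host\share\... ; the share name tells us whether an admin share (C$) is in play.
UNC_RE = re.compile(r"^\\\\(?P<host>[^\\]+)\\(?P<share>[^\\]+)\\")

# Constructed sample: the error lines from the post, host name masked as in the post.
SAMPLE_ERRORS = r"""
process all event log records
==>LoadLibrary rc=2 library=\\myComputer\C$\WINNT\System32\MsAuditE.dll
==>Format message error, source=Security type=Category msg=4 rc=0
==>LoadLibrary rc=2 library=\\myComputer\C$\WINNT\System32\sp2res.dll
==>LoadLibrary rc=2 library=\\myComputer\C$\WINNT\System32\sp3res.dll
==>Format message error, source=Security type=Message msg=577 rc=0
==>Format message error, source=Security type=Category msg=2 rc=0
==>Format message error, source=Security type=Message msg=538 rc=0
==>Format message error, source=Security type=Category msg=1 rc=0
==>Format message error, source=Security type=Message msg=515 rc=0
==>Format message error, source=Security type=Message msg=528 rc=0
==>Format message error, source=Security type=Message msg=576 rc=0
==>Format message error, source=Security type=Category msg=9 rc=0
==>Format message error, source=Security type=Message msg=680 rc=0
"""


def triage(errors_txt: str) -> dict:
    """Summarise a DumpEvt error capture.

    Returns the message DLLs that failed to load (with host/share and a decoded
    Win32 error), the event IDs / category numbers that therefore came out
    unformatted (keyed "source/type"), and whether any DLL was requested through
    an administrative share (share name ending in '$')."""
    failed: List[dict] = []
    unformatted: Dict[str, set] = defaultdict(set)
    for raw in errors_txt.splitlines():
        line = raw.strip()
        m = LOADLIB_RE.match(line)
        if m:
            rc = int(m.group("rc"))
            path = m.group("path")
            unc = UNC_RE.match(path)
            failed.append({
                "path": path,
                "rc": rc,
                "error": WIN32_ERRORS.get(rc, "unknown Win32 error"),
                "host": unc.group("host") if unc else None,
                "share": unc.group("share") if unc else None,
            })
            continue
        m = FORMAT_RE.match(line)
        if m:
            key = f"{m.group('source')}/{m.group('kind')}"
            unformatted[key].add(int(m.group("msg")))
    return {
        "failed_libraries": failed,
        "unformatted": {k: sorted(v) for k, v in unformatted.items()},
        "via_admin_share": any(f["share"] and f["share"].endswith("$") for f in failed),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_ERRORS)
    for f in report["failed_libraries"]:
        print(f"could not load {f['path']}  rc={f['rc']} ({f['error']})  "
              f"host={f['host']} share={f['share']}")
    for key, ids in report["unformatted"].items():
        print(f"unformatted {key}: {ids}")
    if report["via_admin_share"]:
        print("message DLLs were requested through an administrative share; "
              "check that share is reachable from this session before tuning the INI")
```

Every rc=2 here means the DLL was not found at that UNC path from the session DumpEvt ran under, so the first check on the standalone box is whether `dir \\myComputer\C$\WINNT\System32\MsAuditE.dll` succeeds from the same command prompt; if it does not, no INI setting will make the formatting work, and the unformatted IDs the script lists (515, 528, 538, 576, 577, 680 and categories 1, 2, 4, 9 in the sample) are exactly the records the backup plan has to format.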