Re: dumping logs in native format

Paste in a copy of your ini file, and a shot of what it puts to the screen when you run it.

Re: dumping logs in native format

<div class="ubbcode-block"><div class="ubbcode-header">Quote:</div><div class="ubbcode-body">Originally posted by cmccullough:
<span style="font-weight: bold">Paste in a copy of your ini file, and a shot of what it puts to the screen when you run it.</span></div></div>

I'm redirecting stdout to a file called dumpstatus.txt when dumpevt runs, so it doesn't put anything to the screen, per se. the contents of dumpstatus.txt are after the dumpevt.ini file, below.

dumpevt.ini
; DateFormat=MM/dd/yy
Format=no
MaxMessageLen=32000
ReplaceCR=^
ReplaceLF=`
FieldSeparator=,
ReplaceFieldSeparator=
; MaxFragmentLen=255
; StringSeparator=;
; DumpData=hex
; DumpRecnum=yes
SplitDateTime=yes

dumpstatus.txt
8/31/2005 8:23:50 AM
Somarsoft DumpEvt V1.7.3, Copyright © 1995-1997 by Somarsoft, Inc.
LogType=Security
Computer=(local)
SystemRoot=C:\WINDOWS
Outfile=c:\ntauditscripts\20050831\20050831-security.evt
Use HKEY_CURRENT_USER for saving record number
Clear event log after dumping
Format=no
DateFormat=(locale dependent)
TimeFormat=HH':'mm':'ss
FieldSeparator=,
ReplaceFieldSeparator= (blank)
ReplaceCR=^
ReplaceLF=`
StringSeparator=;
MaxMessageLen=32000
MaxFragmentLen=32000
DumpData=none
SplitDateTime=yes
DumpRecnum=no
==>Newest(1) < LastProcessed (794), log wrapped or was cleared
process event log records starting with 1
last event log record processed = 1
clearing event log
Elapsed time= 0.015 seconds, NumRecs=1

Re: dumping logs in native format

After re-reading your original post, I am not sure that I understand the problem.

The Format=yes/no switch only controls whether DumpEvt formats the event description, category, and type. This switch has nothing to do with CSV output. If format=no, then the resulting event data is just dumped to the file without any formatting attempted.

Re: dumping logs in native format

<div class="ubbcode-block"><div class="ubbcode-header">Quote:</div><div class="ubbcode-body">Originally posted by kstanush:
<span style="font-weight: bold">After re-reading your original post, I am not sure that I understand the problem.

The Format=yes/no switch only controls whether DumpEvt formats the event description, category, and type. This switch has nothing to do with CSV output. If format=no, then the resulting event data is just dumped to the file without any formatting attempted.</span></div></div>

Sorry...I'll try to be more succinct. What I am trying to figure out is a single-line DumpEvt command to dump the log in native format and then clear it. It would seem, though, that there is no way to do it with a single command. I can get a dump of the log in native format by using the /backup switch, but then to clear the log, I have to dump the log *again* to a tmp file using the /clear switch, and then I have to delete the tmp file. This seems to me like extra work for zero value added, so there must be something I'm missing. Is there a single line command with DumpEvt that will dump the log in native format, and then clear the log?

Re: dumping logs in native format

No, I don't think you can do this with a single command. DumpEvt was really designed to create an output file of the event log.

If you need to just create a backup of the event log, then clear it, there are probably Microsoft Resource Kit utilities to do just that.

Re: dumping logs in native format

I know this topic is a little old, but I use EventSave to dump all of my eventlogs. These retain the native format so that event Viewer or Hyena's Event Filtering can read them. It automatically creates a file for each computer with the month, and appends data for that month into the file, regardless of how often you run it. And it's free.
http://www.heysoft.de/Frames/f_sw_es_en.htm