Dumpevt issues...

  • Dumpevt issues...

    I am running dumpevt from a Win Server2003 SP1 machine to collect the log from another Win Server2003 SP1 machine.

    dumpevt version:
    1.7.0.5

    I am running it with the following command:
    C:\dumpevt.exe /reg=local_machine /logfile=app /outfile=c:\applog.txt /computer=[target machine name]

    I get the following output:
    6/5/2006 9:50:06 AM
    Somarsoft DumpEvt V1.7.3, Copyright ⌐ 1995-1997 by Somarsoft, Inc.
    LogType=Application
    Computer=[target machine name]
    SystemRoot=C:\WINDOWS
    Outfile=c:applog.txt
    Use HKEY_LOCAL_MACHINE for saving record number
    Format=yes
    DateFormat=(locale dependent)
    TimeFormat=HH':'mm':'ss
    FieldSeparator=;
    ReplaceFieldSeparator=_
    ReplaceCR=;
    ReplaceLF= (tab)
    StringSeparator=;
    MaxMessageLen=32000
    MaxFragmentLen=32000
    DumpData=none
    SplitDateTime=yes
    DumpRecnum=no
    ==>LastProcessed (0) < Oldest (1), log records lost
    process event log records starting with 1
    ==>RegOpenKeyEx rc=2 source=r_server key=SYSTEM\CurrentControlSet\Services\Event
    Log\Application\r_server
    ==>Format message error, source=r_server type=Category msg=1515 rc=0
    ==>RegOpenKeyEx rc=2 source=r_server key=SYSTEM\CurrentControlSet\Services\Event
    Log\Application\r_server
    ==>Format message error, source=r_server type=Message msg=15 rc=0
    ==>Format message error, source=r_server type=Message msg=17 rc=0
    last event log record processed = 2
    Elapsed time= 0.281 seconds, NumRecs=2

    -I understand that the "log record lost" message means that it isn't writing to the registry key. Which key should I look at and what permissions should it have? Can you tell me anything more specific about the problem from the output? I tried clearing the applog and running it again with the same results. Thanks for any help you can give.

  • #2
    Re: Dumpevt issues...

    I'm not sure if security is the problem, as there would be an error present if it could not create the key. The keys are located under Software\SomarSoft\DumpEvt. By default, they should be under HKEY_CURRENT_USER.

    Make sure that these keys can be read and not deleted, etc. It appears from the message that they have a value of zero. Having another application clear the log can also cause problems of course, as it throws off the counter.
    Kevin Stanush
    SystemTools Software Inc.
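
Added example, not part of the thread and not SystemTools code: a small Python triage of the "==>" diagnostic lines in the output above, which separates a zeroed saved counter from a real collection gap and lists the events whose message text could not be formatted. The function name `triage` and the report fields are hypothetical, and the skipped-record count assumes event record numbers are consecutive.

```python
import re

# Constructed sample: diagnostic lines copied from the output posted in this thread.
SAMPLE = r"""
==>LastProcessed (0) < Oldest (1), log records lost
process event log records starting with 1
==>RegOpenKeyEx rc=2 source=r_server key=SYSTEM\CurrentControlSet\Services\Event
Log\Application\r_server
==>Format message error, source=r_server type=Category msg=1515 rc=0
==>RegOpenKeyEx rc=2 source=r_server key=SYSTEM\CurrentControlSet\Services\Event
Log\Application\r_server
==>Format message error, source=r_server type=Message msg=15 rc=0
==>Format message error, source=r_server type=Message msg=17 rc=0
last event log record processed = 2
"""

GAP = re.compile(r"==>LastProcessed \((\d+)\) < Oldest \((\d+)\)")
REG_ERR = re.compile(r"==>RegOpenKeyEx rc=(\d+) source=(\S+)")
FMT_ERR = re.compile(r"==>Format message error, source=(\S+) type=(\w+) msg=(\d+)")
LAST = re.compile(r"last event log record processed = (\d+)")

def triage(output):
    """Summarise one dumpevt run: saved-counter state, skipped records, unformatted events."""
    report = {"counter_was_zero": False, "records_skipped": 0,
              "unregistered_sources": set(), "unformatted": [], "last_processed": None}
    for line in output.splitlines():
        if m := GAP.search(line):
            saved, oldest = int(m.group(1)), int(m.group(2))
            # The reply reads LastProcessed (0) as the saved counter having a value of zero.
            report["counter_was_zero"] = saved == 0
            # Assumption: record numbers are consecutive, so saved+1 .. oldest-1 were never dumped.
            report["records_skipped"] = max(0, oldest - saved - 1)
        elif m := REG_ERR.search(line):
            # Win32 error 2 is ERROR_FILE_NOT_FOUND: the source's EventLog subkey was not found.
            if m.group(1) == "2":
                report["unregistered_sources"].add(m.group(2))
        elif m := FMT_ERR.search(line):
            report["unformatted"].append((m.group(1), m.group(2), int(m.group(3))))
        elif m := LAST.search(line):
            report["last_processed"] = int(m.group(1))
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```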
