Event Log Explorer Forensic Edition – working with damaged logs or disks

In this article, I will show how to work with damaged event log files. Event Log Explorer forensic edition can extract events from damaged files. Let’s take a log file (e.g. a security log file) and open it with Event Log Explorer using File-> Open Log File. Event Log Explorer opens this file as it always does. Now we will intentionally corrupt this log. I… Read More »

Files in Event Log Explorer Forensic Edition. Searching for removed events

Although Standard Edition of Event Log Explorer works with event log files perfectly, you may need more functionality when analyzing damaged or intentionally modified event log files. I’m starting a series of articles about the advanced use of Event Log Explorer Forensic Edition with files. Let’s imagine that you examine an event log with removed events. If you believe that it’s impossible to remove events… Read More »

Event Log Explorer Forensic Edition

Recently we released a new edition of Event Log Explorer – Forensic Edition. Currently it has a beta version status – the final release will appear after we complete the documentation and add extra forensic features. Here I will describe the difference between the standard and forensic editions. The program keeps all features of the Standard Edition, and you commonly don’t need to use the… Read More »

Setting up Windows to read events from remote computers over a local network.

Reading event logs from remote computers is crucial for network audit. Both Event Log Explorer and Windows Event Viewer applications allow the system administrators to read event logs remotely. However sometimes (mainly in no Active Directory environment) sysadmins have problems with accessing remote event logs. In this article, I’ll explain how to setup Windows to make event logs accessible over a network. As a rule,… Read More »

Event Log Explorer 5 beta 2

Recently we released a new beta of Event Log Explorer 5 and I will show you what features we added. One of the great new features is a Task. The task defines what events will be picked, which computers from and how they will be displayed. Example of a task: Display all warning, error and critical events from System and Application logs of VM2012 and… Read More »

How to display logons of non-domain users to the system

Sometimes you may need to display who logons your server except for the authenticated domain users. It could be authenticated users from the trusted domain, local users, system services, etc. First, we define that we will filter the Security log by Event Id = 4624 (as we did before). The event description of this event looks like An account was successfully logged on. Subject:                … Read More »

Windows Event. Level, Keywords or Type.

When you take the first look to Event Log Explorer, you may notice Type column in the event list. In the same time, Windows Event Viewer doesn’t have this column, which may confuse you. If you worked with Windows Event Viewer in old times (with Windows XP or below), you could see the Type column. There were 5 types of events that can be logged… Read More »