Category Archives: Program usage

Event Log Explorer Forensic Edition – working with damaged logs or disks

In this article, I will show how to work with damaged event log files. Event Log Explorer forensic edition can extract events from damaged files. Let’s take a log file (e.g. a security log file) and open it with Event Log Explorer using File-> Open Log File. Event Log Explorer opens this file as it always does. Now we will intentionally corrupt this log. I…

Files in Event Log Explorer Forensic Edition. Searching for removed events

Although the Standard Edition of Event Log Explorer works with event log files perfectly, you may need more functionality when analyzing damaged or intentionally modified event log files. I’m starting a series of articles about the advanced use of Event Log Explorer Forensic Edition with files. Let’s imagine that you examine an event log with removed events. If you believe that it’s impossible to remove events…

How to display logons of non-domain users to the system

Sometimes you may need to display who logs on to your server, excluding authenticated domain users. These could be users authenticated by a trusted domain, local users, system services, etc. First, we define that we will filter the Security log by Event Id = 4624 (as we did before). The event description of this event looks like: An account was successfully logged on. Subject: …

Filtering all the way

You probably read in the documentation that Event Log Explorer provides 5 ways to filter events. In this article, I will try to explain when you should use one or the other way of filtering. First, we can classify filters by when they are applied: Pre-load filter. This filter applies to the event log before loading. Only the required events will be loaded. On-load filter. This filter…

Saving event logs to one event log file

When working with event logs, you may find that you have dozens of saved event log files which you occasionally need to review. And it’s annoying to open each log to check it. Of course, you can open all these files at once (the “Open log file” dialog lets you open multiple files) or you can just drag your files from Windows Explorer into Event Log…

Automating event log backup

Recently we received a question from a customer who asked about regularly backing up system and application event logs. He wanted to back up only local logs, but let’s extend the task to remote logs as well. So our task is to back up the System and Application event logs from a local computer and a remote machine (SERV1) into a folder twice a week. Let’s try…

Windows boot performance diagnostics. Part 2

If you read the previous part of this article, you already know what the Microsoft-Windows-Diagnostics-Performance log is for, why similar events have different event types and what information is “hidden” in the event details. Now it’s time to practice. First, we need to decide what we will try to optimize. Let’s display only startup, shutdown and standby/resume events. The event IDs are 100, 200 and 300…

Case study – generating regular reports about the problems in your Windows network

Recently one of our clients asked us about the best way to organize passive monitoring of their servers. The client told us that they don’t need to monitor the servers actively, but they want to have weekly reports about the problems. They tried to gather events using Windows PowerShell and export them to CSV format (to view events in Excel), but finally they gave…