Thursday, September 4, 2008

Why Can't A Windows Server 2008 or Vista Log Be Viewed On My XP Machine?

The following was excerpted from our recent Event Alarm product update announcement:

It seems simple enough, doesn't it? At Dorian, we're seeing the question more and more, and we wish we had a better answer. But - regardless of what log management package you choose - if you want to review an EVTX log (that is, a log generated by Windows Server 2008 or Windows Vista) you're going to have to open it on a Windows Server 2008 or Windows Vista machine.

Why? Because the new Windows Event Log API (the Evt* functions exported by wevtapi.dll) ships only with Windows Vista and later. Legacy Windows versions like XP and Server 2003 have only the old Event Logging API (OpenBackupEventLog, ReadEventLog and friends), which does not understand the EVTX file format, so they cannot read a previously saved EVTX file at all. There is simply no forward compatibility for consuming saved EVTX files. Period.

And while the legacy Event Log API can still be used to read some of the events from an "active" EVTX log (that is, an EVTX log currently being maintained by the EventLog service on a Vista machine), it cannot properly read and parse some of the events recorded through the new API.
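Before you ship a saved log to an XP or 2003 box and wait for the open to fail, you can tell the two formats apart from the first few bytes. The script below is an added example for this post, not Dorian Software's code: it sniffs the on-disk header (the 48-byte ELF_LOGFILE_HEADER with its "LfLe" signature for legacy EVT, the 128-byte "ElfFile" header with a CRC32 for EVTX), verifies the EVTX header checksum, and reports whether the legacy API could open the file. The function names and the sample headers are ours; the samples are constructed in the script so it runs offline, and on a real machine you would feed it the first 4 KiB of the file instead.

```python
"""Tell a legacy EVT log from a Vista/Server 2008 EVTX log by its header.

Added example, not Dorian Software code. Uses the documented on-disk layouts
(ELF_LOGFILE_HEADER for .evt, the 128-byte file header for .evtx). The sample
headers are constructed below so the script runs offline.
"""
import struct
import zlib

EVTX_MAGIC = b"ElfFile\x00"   # first 8 bytes of every .evtx file
EVT_MAGIC = b"LfLe"           # bytes 4..7 of every legacy .evt file
EVT_HEADER_SIZE = 0x30        # 48-byte ELF_LOGFILE_HEADER, size stored at offsets 0 and 44


def sniff_event_log(data: bytes) -> dict:
    """Identify the log format and report whether the legacy API could open it.

    A saved .evt opens with OpenBackupEventLog on any NT-based Windows; a saved
    .evtx needs the Evt* functions in wevtapi.dll, i.e. Vista/Server 2008 or later.
    """
    if data[:8] == EVTX_MAGIC:
        if len(data) < 128:
            return {"format": "evtx", "legacy_api_can_open": False, "ok": False,
                    "reason": "truncated file header"}
        (_first_chunk, _last_chunk, next_record, header_size, minor, major,
         _block_size, chunk_count) = struct.unpack_from("<QQQIHHHH", data, 8)
        flags, stored_crc = struct.unpack_from("<II", data, 120)
        # The EVTX file header checksum is a CRC32 over its first 120 bytes.
        crc_ok = (zlib.crc32(data[:120]) & 0xFFFFFFFF) == stored_crc
        return {"format": "evtx", "legacy_api_can_open": False,
                "ok": crc_ok and header_size == 0x80,
                "version": f"{major}.{minor}", "chunks": chunk_count,
                "next_record": next_record, "dirty": bool(flags & 0x1)}
    if len(data) >= EVT_HEADER_SIZE and data[4:8] == EVT_MAGIC:
        header_size, major, minor = struct.unpack_from("<I4xII", data, 0)
        current, oldest = struct.unpack_from("<II", data, 24)
        end_header_size = struct.unpack_from("<I", data, 44)[0]
        return {"format": "evt", "legacy_api_can_open": True,
                "ok": header_size == EVT_HEADER_SIZE and end_header_size == EVT_HEADER_SIZE,
                "version": f"{major}.{minor}", "oldest_record": oldest,
                "current_record": current}
    return {"format": "unknown", "legacy_api_can_open": False, "ok": False,
            "reason": "no EVT or EVTX signature"}


def build_evtx_header(chunks: int = 1, next_record: int = 1, flags: int = 0) -> bytes:
    """Constructed 4 KiB .evtx header block (format version 3.1) with a valid CRC."""
    hdr = EVTX_MAGIC + struct.pack("<QQQIHHHH", 0, max(chunks - 1, 0), next_record,
                                   0x80, 1, 3, 0x1000, chunks)
    hdr = hdr.ljust(120, b"\x00") + struct.pack("<I", flags)
    hdr += struct.pack("<I", zlib.crc32(hdr[:120]) & 0xFFFFFFFF)
    return hdr.ljust(0x1000, b"\x00")


def build_evt_header(oldest: int = 1, current: int = 1) -> bytes:
    """Constructed 48-byte ELF_LOGFILE_HEADER for an empty legacy .evt log."""
    return (struct.pack("<I", EVT_HEADER_SIZE) + EVT_MAGIC +
            struct.pack("<IIIIIIIIII", 1, 1, EVT_HEADER_SIZE, EVT_HEADER_SIZE,
                        current, oldest, 0x80000, 0, 0, EVT_HEADER_SIZE))


if __name__ == "__main__":
    # Constructed samples: a saved EVTX, a saved EVT, and something that is neither.
    for name, blob in [("saved.evtx", build_evtx_header(chunks=3, next_record=42)),
                       ("saved.evt", build_evt_header(current=7)),
                       ("notalog.bin", b"MZ\x90\x00" * 8)]:
        print(name, sniff_event_log(blob))
```

The `legacy_api_can_open` flag is the practical answer to the question in the title: only a file whose header passes the EVT check can be opened with the old API, and a header that fails its EVTX CRC should be treated as damaged before you blame the operating system for refusing it.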

Many remember when vending machines started accepting paper money. Whenever one actually had paper money, it seemed the "legacy" coin-only machines were all that were around. Try as you might, that XP machine isn't going to read that EVTX log. Don't thank us - thank Microsoft.

Our LogRefiner technology helps manage both formats (EVT and EVTX) side-by-side. Even with this snazzy new technology though, if there are any EVTX logs in the mix, plan on installing our software and managing from a Windows Vista or Windows Server 2008 machine.

Meanwhile, got change for a dollar?

Event Alarm Monitors EVT and EVTX Logs, Side-By-Side!

Event Alarm Version 6 was released in late August. This week, we sent out our official version update announcement.

Just like our prior Event Analyst and Event Archiver releases, this version of Event Alarm is completely Microsoft Vista and Windows Server 2008 compatible, and features our LogRefiner technology. You can download Version 6 of Event Alarm here.

We've already mentioned in a number of posts that trying to read legacy EVT files on Windows Vista and Server 2008 is quite a chore: missing fields and information are common.

Well, here's the good news. Thanks to our LogRefiner technology, you can remotely monitor EVT and EVTX files natively and side-by-side when Event Alarm is installed on a Microsoft Vista or Server 2008 computer. No conversions or intermediate steps are necessary, and you get all the data parsed correctly from both log formats the first time. For admins already running Windows Vista or Server 2008 on their workstations, this is a big plus: you can use Event Alarm as your preferred monitoring solution for all of your Microsoft Windows computers, regardless of how many have been migrated forward to Vista/Server 2008 and the new EVTX format.

On top of Event Alarm's remote, agentless log monitoring, when Event Alarm is purchased as part of Dorian Software's Total Event Log Management Solution™, you effectively have a comprehensive platform for archiving, analyzing, and monitoring event log data from EVT and EVTX log files throughout your network, all from a single install point, network topology permitting.

Here's the full launch announcement for Event Alarm Version 6, complete with a comprehensive feature listing.