Thursday, September 4, 2008

Why Can't A Windows Server 2008 or Vista Log Be Viewed On My XP Machine?

The following was excerpted from our recent Event Alarm product update announcement:

It seems simple enough, doesn't it? At Dorian, we're seeing the question more and more, and we wish we had a better answer. But, regardless of which log management package you choose, if you want to review an EVTX log (that is, a log saved by Windows Server 2008 or Windows Vista), you are going to have to open it on a Windows Server 2008, Windows Vista or later machine.

Why? Because the new Windows Event Log API (the Evt* functions in wevtapi.dll, such as EvtOpenLog, EvtQuery and EvtRender) exists only in Windows Vista and later. Legacy Windows operating systems such as XP and Server 2003 have only the classic Event Logging API (OpenBackupEventLog and ReadEventLog), which understands neither the EVTX container nor its binary-XML records, so they cannot read a previously saved EVTX file at all. There is simply no forward compatibility for consuming saved EVTX files. Period.

And while the classic Event Logging API still works on Vista against an "active" log (that is, a channel currently being maintained by the EventLog service on a Vista machine, such as Application, System or Security) and will return some of its events, it cannot properly read and parse every event recorded through the new API, so even that path is not a complete answer.

Many remember when vending machines started accepting paper money. Whenever one actually had paper money, it seemed the "legacy" coin-only machines were all that were around. Try as you might, that XP machine isn't going to read that EVTX log. Don't thank us - thank Microsoft.

Our LogRefiner technology helps manage both formats (EVT and EVTX) side by side. Even with this new technology, though, if there are any EVTX logs in the mix, plan on installing our software and managing from a Windows Vista or Windows Server 2008 (or later) machine.

Meanwhile, got change for a dollar?

2 comments:

Anonymous said...

Is anyone aware of an open source project to reverse engineer the ".evtx" file format? Or any insight into the file layout?

[obRegret: wish I had the time...]

Dorian Software Dev Team said...

We are unaware of any such project. The EVTX format is a proprietary binary XML file structure whose symbols, tokens, etc. must be rendered using operating system functions. Unfortunately, those operating system functions are only available on Windows Vista, Server 2008, and later operating systems.

Our recommendation is to take advantage of virtual machines (e.g. on Microsoft Virtual PC) to run Windows Vista on Windows XP as needed. Our log management software titles can properly work with legacy EVT files alongside EVTX files when run on a Vista or later operating system. We call this technology LogRefiner.