The following was excerpted from our recent Event Alarm product update announcement:
It seems simple enough, doesn't it? At Dorian, we're seeing the question more and more, and we wish we had a better answer. But - regardless of which log management package you choose - if you want to review an EVTX log (that is, a log generated by Windows® Server 2008 or Windows Vista™), you're going to have to open it on a Windows Server 2008 or Windows Vista machine.
Why? Because the new Windows Event Log API functions are only available in Windows Vista and later, legacy operating systems such as Windows XP and Windows Server 2003 cannot read previously saved EVTX files at all. There is simply no forward compatibility for consuming saved EVTX files. Period.
And while the legacy Event Log API can be used to read some of the events from an "active" EVTX file (that is, an EVTX file currently being maintained by the EventLog service on a Vista machine), it cannot properly read and parse some of the events recorded through the new API.
Many remember when vending machines started accepting paper money. Whenever one actually had paper money, it seemed the "legacy" coin-only machines were all that were around. Try as you might, that XP machine isn't going to read that EVTX log. Don't thank us - thank Microsoft.
Our LogRefiner technology helps manage both formats (EVT and EVTX) side by side. Even with this snazzy new technology, though, if there are any EVTX logs in the mix, plan on installing our software and managing from a Windows Vista or Windows Server 2008 machine.
Meanwhile, got change for a dollar?
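One check a log-collection tool can make before deciding which host has to read a saved log, as an added example that is not Dorian's code: the two formats are told apart by their file headers (EVTX files start with "ElfFile", legacy EVT files carry "LfLe" at offset 4). The header field layouts, the version numbers and the sample headers built below are assumptions taken from the published file-format descriptions, not from the announcement above.

```python
import struct

EVTX_MAGIC = b"ElfFile\x00"  # offset 0 of an EVTX (Vista / Server 2008 and later) file
EVT_MAGIC = b"LfLe"          # offset 4 of a legacy EVT (NT4 / 2000 / XP / 2003) file


def sniff_event_log(data: bytes) -> dict:
    """Classify a saved event log from its header bytes.

    Returns a dict whose 'format' is 'EVTX', 'EVT' or 'unknown', plus the
    version fields from the header and whether a Vista-or-later host is needed.
    """
    if len(data) >= 0x30 and data[:8] == EVTX_MAGIC:
        # EVTX file header (assumed layout): first/last chunk number, next record
        # id, header size (0x80), minor, major, chunk block size, chunk count.
        _first, _last, next_rec, _hdr, minor, major, _block, chunks = \
            struct.unpack_from("<QQQIHHHH", data, 8)
        return {"format": "EVTX", "major": major, "minor": minor,
                "chunks": chunks, "next_record": next_rec,
                "needs_vista_or_later": True}
    if len(data) >= 0x30 and data[4:8] == EVT_MAGIC \
            and struct.unpack_from("<I", data, 0)[0] == 0x30:
        # Legacy EVT header (assumed layout): header size 0x30, "LfLe", major,
        # minor, start/end offsets, current and oldest record numbers.
        major, minor, _start, _end, current, oldest = \
            struct.unpack_from("<IIIIII", data, 8)
        return {"format": "EVT", "major": major, "minor": minor,
                "current_record": current, "oldest_record": oldest,
                "needs_vista_or_later": False}
    return {"format": "unknown", "needs_vista_or_later": None}


def build_evtx_header(major=3, minor=1, chunks=2, next_record=101) -> bytes:
    """Constructed sample EVTX file header (version 3.1 is the Vista-era value)."""
    hdr = EVTX_MAGIC + struct.pack("<QQQIHHHH", 0, chunks - 1, next_record,
                                   0x80, minor, major, 0x1000, chunks)
    return hdr.ljust(0x80, b"\x00")


def build_evt_header(current=57, oldest=1) -> bytes:
    """Constructed sample legacy EVT file header (48 bytes)."""
    return (struct.pack("<I", 0x30) + EVT_MAGIC
            + struct.pack("<IIIIIIIII", 1, 1, 0x30, 0x30, current, oldest,
                          0x80000, 0, 0)
            + struct.pack("<I", 0x30))


if __name__ == "__main__":
    for sample in (build_evtx_header(), build_evt_header(), b"not a log"):
        print(sniff_event_log(sample))
```

To check a real file, pass its first 0x80 bytes (for example `open(path, "rb").read(0x80)`) to `sniff_event_log`.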