In a previous post, we discussed how EVT files contain references to other message files, which are parsed together with the EVT data to produce readable events. Typically, when you relocate EVT files away from the network where they were generated, you cannot completely parse all of the data fields properly. However, there is a very useful yet undocumented/underdocumented command-line switch you can use with the Microsoft Event Viewer to force it to look elsewhere for critical message files. That command line switch is /AUXSOURCE
For example, if you had a security log that originated from a Windows® 2003 server, but you were not currently connected to the network where that log came from, you could use the /AUXSOURCE switch to load message data from a Windows 2003 server that was on your local network instead. The command-line syntax would look like this:
mmc /a c:\windows\system32\eventvwr.msc /auxsource=REFERENCECOMPUTER
where REFERENCECOMPUTER is the network name or IP address of the computer that will act as the lookup computer for message file resolution.
Once you load the Event Viewer with the AUXSOURCE flag, you can then open up your saved EVT file, and the Event Viewer will always use the REFERENCECOMPUTER for message file data when it attempts to parse events from the saved log.
There are some caveats with this approach that are listed below:
1.) The AUXSOURCE switch is only available for use on Windows XP and Windows 2003 versions of the Event Viewer, not Windows 2000 versions.
2.) AUXSOURCE will not help you properly view saved DNS Server, Directory Service, or File Replication Service logs from a Windows XP workstation or Windows 2003 member server, even if you point the REFERENCECOMPUTER to a domain controller. Instead, you have to be logged on to a Domain Controller to view these saved files.
3.) If you use AUXSOURCE with Application or System logs, you may still get incomplete Description fields, because chances are the REFERENCECOMPUTER will not have all the same software and hardware installed as the machine where the EVT file came from.
Fortunately, we have decided to provide functionality that exceeds what the /AUXSOURCE switch can do in the upcoming release of Event Analyst. The new version of Event Analyst will allow you to use any Windows machine available on the network (e.g. Windows NT, Windows 2000, Windows XP, Windows 2003) as a reference computer for message files for saved EVT files. No minimum OS platform is required for this functionality - Event Analyst can be installed on Windows NT 4.0, Windows 2000, Windows XP, Windows 2003, etc.
Wednesday, September 5, 2007
Subscribe to:
Posts (Atom)