ELDump

<body stylesrc="ELDump.htm"> <p> </p>  <table border="0" cellpadding="0" cellspacing="0" width="100%"> <tr> <td></td> <td align="right"><div align="right"><table border="2" cellpadding="3" cellspacing="0" bordercolor="#008080" bordercolordark="#008080" bordercolorlight="#008080"> <tr> <td align="right"><font color="#008080" size="1" face="Arial"><a name="top">contents</a>:</font><font size="1" face="Arial"><br> <a href="#Arguments">Arguments</a><br> <a href="#Examples">Examples</a><br> <a href="#Dump of ELSavClr saved logs">Dump of ELSavClr saved logs</a><br> <a href="#Download and installation">Download and installation</a><br> <a href="#Version history">Version history</a></font></td> </tr> </table> </div></td> </tr> <tr> <td valign="bottom"><a name="ELDump"><font color="#008080" size="5" face="Arial"><strong>ELDump</strong></font></a></td> <td align="right" valign="bottom"></td> </tr> </table> <p><font face="Arial">ELDump is a tool to dump the contents of a NT event log as text. </font></p> <p><font face="Arial">It is very much like the tool DumpEL from the NT Resource</font> <font face="Arial">Kit, but ELDump is more versatile and sometimes quite a lot faster. Most important ELDump can:</font> <ul> <li><font face="Arial">Dump from active event logs or from saved event logs with full message texts.</font></li> <li><font face="Arial">Filter on all the same fields as the Event Viewer.</font></li> <li><font face="Arial">Dump only the message strings instead of the full message texts. This is a lot faster and also makes it easier to parse the messages with other programs.</font></li> <li><font face="Arial">Look for the message texts on an other server. This means you get message text even if all the applications and drivers that has logged messages are not installed on the machine where you are running ELDump.</font></li> <li><font face="Arial">Dump several logs from several servers with one invocation of the ELDump command.</font></li> <li><font face="Arial">Easily seach and dump logs saved with the <a href="http://www.ibt.ku.dk/jesper/elsavClr/">ELSavClr</a> tool.</font></li> </ul> <p><font face="Arial">ELDump is written by <a href="http://www.ibt.ku.dk/jesper" target="_top">Jesper Lauritsen</a>. The executable is in the public domain. Source code is not available.</font></p> <table border="0" cellpadding="0" cellspacing="0" width="100%"> <tr> <td><font color="#008080" size="5" face="Arial"><strong><br> <a name="Arguments">Arguments</a></strong></font></td> <td align="right" valign="bottom"><font size="2" face="Arial">(<a href="#top">top</a>)</font></td> </tr> </table> <p><font face="Arial">ELDump takes the following options and arguments:</font></p> <table border="0" width="100%"> <tr> <td valign="top" width="20%"><strong><font face="Arial">-f <em>file</em></font></strong></td> <td><font face="Arial">The file where the dump text is written. Default is to write to stdout. Don't use -f, use standard NT redirection with > or >> instead!</font></td> </tr> <tr> <td valign="top" width="20%"><strong><font face="Arial">-s \\<em>server</em></font></strong></td> <td><font face="Arial">Server for which to dump the event log. Default is the current machine, unless -F or -S is specified. You can leave out the -s in front of the server name if you want to. You can specify as many servers as you like.</font></td> </tr> <tr> <td valign="top" width="20%"><strong><font face="Arial">-F <em>saved-log</em></font></strong></td> <td><font face="Arial">Name of a file with a saved event log which is dumped. You can leave out the -F in front of the file name if you want to. You can specify as many file names as you like.</font></td> </tr> <tr> <td valign="top" width="20%"><strong><font face="Arial">-S ...</font></strong></td> <td><font face="Arial"><a href="#Dump of ELSavClr saved logs">See below</a> for description of the -S option.</font></td> </tr> <tr> <td valign="top" width="20%"><strong><font face="Arial">-l <em>log</em></font></strong></td> <td><font face="Arial">Name of log to dump. Must be one of <strong>system</strong>, <strong>application</strong> or <strong>security</strong>. If -F is used and the file name starts with s, a or u this chooses a default log, otherwise the default is <strong>application</strong>. You can shorten the log names as much as you like and you can leave out the -l in front of the log name if you want to. You can specify one, two or three log names to dump one, two or three logs.</font></td> </tr> <tr> <td valign="top" width="20%"><font face="Arial"><strong>-t</strong></font></td> <td><font face="Arial">Separate the output fields with tabs. Default is space, unless -c is specified.</font></td> </tr> <tr> <td valign="top" width="20%"><strong><font face="Arial">-c <em>c</em></font></strong></td> <td><font face="Arial">Separate the output fields with the character <em>c</em>. If -c is specified -t must not also be specified.</font></td> </tr> <tr> <td valign="top" width="20%"><font face="Arial"><strong>-q</strong></font></td> <td><font face="Arial">Write errors and warnings to the application event log. Default is to write errors to stderr. This options is mostly useful when ELDump is run in the background, like for example from the scheduler. This requires registration with -R. </font></td> </tr> <tr> <td valign="top" width="20%"><font face="Arial"><strong>-K</strong></font></td> <td><font face="Arial">Dump log entries with centuries in the entry date.</font></td> </tr> <tr> <td valign="top" width="20%"><font face="Arial"><strong>-G</strong></font></td> <td><font face="Arial">Dump log entries with GMT times instead of local times.</font></td> </tr> <tr> <td valign="top" width="20%"><font face="Arial"><strong>-L</strong></font></td> <td><font face="Arial">Write to the output dump file which event logs are being dumped. This is useful if you dump more than one log with one invocation of the ELDump command.</font></td> </tr> <tr> <td valign="top" width="20%"><strong><font face="Arial">-m <em>source</em></font></strong></td> <td><font face="Arial">Only dump messages with this source.</font></td> </tr> <tr> <td valign="top" width="20%"><strong><font face="Arial">-e <em>n1 n2 ...</em></font></strong></td> <td><font face="Arial">Only dump messages with these ids.</font></td> </tr> <tr> <td valign="top" width="20%"><font face="Arial"><strong>-r</strong></font></td> <td><font face="Arial">Reverse the meaning of -e. That is, only dump messages that do not have the ids specified with -e.</font></td> </tr> <tr> <td valign="top" width="20%"><strong><font face="Arial">-C <em>category</em></font></strong></td> <td><font face="Arial">Only dump messages with this category.</font></td> </tr> <tr> <td valign="top" width="20%"><strong><font face="Arial">-T <em>t1 t2 ...</em></font></strong></td> <td><font face="Arial">Only dump messages with these types. You can specify one or more of <strong>Error</strong>, <strong>Warning</strong>, <strong>Information</strong>, <strong>AuditSuccess</strong>, <strong>AuditFailure</strong>. You can shorten the names as much as you like and you can leave out the -T in front of the names if you want to.</font></td> </tr> <tr> <td valign="top" width="20%"><font face="Arial"><strong>-Q</strong></font></td> <td><font face="Arial">Keep quiet about message texts not found, etc.</font></td> </tr> <tr> <td valign="top"><strong><font face="Arial">-o <em>computer</em></font></strong></td> <td><font face="Arial">Only dump messages about this computer.</font></td> </tr> <tr> <td valign="top"><strong><font face="Arial"><em>-</em>u <em>userid</em></font></strong></td> <td><font face="Arial">Only dump messages about this userid. The userid can be a simple userid or at the form <em>domain\userid</em>.</font></td> </tr> <tr> <td valign="top"><strong><font face="Arial">-a <em>time</em></font></strong></td> <td><font face="Arial">Only dump messages after or at the time specified as yyyymmddhhmmss. You can leave out the century and seconds, minutes, hours and day number. You can only use one of -a and -A.</font></td> </tr> <tr> <td valign="top"><strong><font face="Arial">-A <em>hours</em></font></strong></td> <td><font face="Arial">Only dump messages from after the specified number of hours ago. You can only use one of -a and -A.</font></td> </tr> <tr> <td valign="top"><strong><font face="Arial">-b <em>time</em></font></strong></td> <td><font face="Arial">Only dump messages before the time specified as yyyymmddhhmmss. You can leave out the century and seconds, minutes, hours and day number. You can only use one of -b and -B.</font></td> </tr> <tr> <td valign="top"><strong><font face="Arial">-B <em>hours</em></font></strong></td> <td><font face="Arial">Only dump messages from before the specified number of hours ago. You can only use one of -b and -B.</font></td> </tr> <tr> <td valign="top"><font face="Arial"><strong>-M</strong></font></td> <td><font face="Arial">Do not dump the full message text, only dump the message strings.</font></td> </tr> <tr> <td valign="top"><strong><font face="Arial">-x \\<em>server</em></font></strong></td> <td><font face="Arial">Get messages texts from this server if they are not found at the server where ELDump is running. If -s or -S is used this is also default for -x. If -F is used with an UNC name this server is also default for -x. The use of an -x \\server will only work if you have admin rights at the -x \\<em>server</em>.</font></td> </tr> <tr> <td valign="top"><font face="Arial"><strong>-X</strong></font></td> <td><font face="Arial">Always get message texts from the server specified with -x. That is, do not look for message texts at the local machine.</font></td> </tr> <tr> <td valign="top"><font face="Arial"><strong>-Y</strong></font></td> <td><font face="Arial">Always get message texts from the local machine. That is, ignore the server specified with -x.</font></td> </tr> <tr> <td valign="top"><font face="Arial"><strong>-O format</strong></font></td> <td><table border="0" width="100%" cellpadding="0"> <tr> <td colspan="4"><font face="Arial">Selects the fields to dump. The format should be a string of letters, where:</font></td> </tr> <tr> <td></td> <td><strong><font face="Arial">d</font></strong></td> <td><font face="Arial">Date</font></td> <td></td> </tr> <tr> <td></td> <td><strong><font face="Arial">t</font></strong></td> <td><font face="Arial">Time</font></td> <td></td> </tr> <tr> <td></td> <td><strong><font face="Arial">m or S</font></strong></td> <td><font face="Arial">Source</font></td> <td></td> </tr> <tr> <td></td> <td><strong><font face="Arial">T</font></strong></td> <td><font face="Arial">Type</font></td> <td></td> </tr> <tr> <td></td> <td><strong><font face="Arial">C</font></strong></td> <td><font face="Arial">Category</font></td> <td></td> </tr> <tr> <td></td> <td><strong><font face="Arial">e or I</font></strong></td> <td><font face="Arial">Event ID</font></td> <td></td> </tr> <tr> <td></td> <td><strong><font face="Arial">y</font></strong></td> <td><font face="Arial">Type initial and event ID</font></td> <td></td> </tr> <tr> <td></td> <td><strong><font face="Arial">u</font></strong></td> <td><font face="Arial">Userid</font></td> <td></td> </tr> <tr> <td></td> <td><strong><font face="Arial">o or c</font></strong></td> <td><font face="Arial">Computer name</font></td> <td></td> </tr> <tr> <td></td> <td><strong><font face="Arial">s</font></strong></td> <td><font face="Arial">Message text (or message strings if -M is used)</font></td> </tr> <tr> <td colspan="4"><font face="Arial">Default is dtmTCeuos. The format string consisting of a single <strong>x</strong> equals dtmyus (nice and short).</font></td> </tr> </table> </td> </tr> <tr> <td valign="top"><font face="Arial"><strong>-?</strong></font></td> <td><font face="Arial">Print short help about all options.</font></td> </tr> </table> <table border="0" cellpadding="0" cellspacing="0" width="100%"> <tr> <td><font color="#008080" size="5" face="Arial"><strong><br> <a name="Examples">Examples</a></strong></font></td> <td align="right" valign="bottom"><font size="2" face="Arial">(<a href="#top">top</a>)</font></td> </tr> </table> <p><font face="Arial">Dump the application log from the current machine to the file el-appl.txt:</font></p> <blockquote> <p><font face="Courier New">eldump >el-appl.txt</font></p> </blockquote> <p><font face="Arial">Dump the system log from server \\serv1:</font></p> <blockquote> <p><font face="Courier New">eldump -s \\serv1 -l system</font></p> </blockquote> <p><font face="Arial">or the same but shorter:</font></p> <blockquote> <p><font face="Courier New">eldump \\serv1 sys</font></p> </blockquote> <p><font face="Arial">Dump error messages about node1 from a single day:</font></p> <blockquote> <p><font face="Courier New">eldump -T error -c node1 -a 19970109000000 -b 1997010000000</font></p> </blockquote> <p><font face="Arial">or the same but shorter:</font></p> <blockquote> <p><font face="Courier New">eldump err -cnode1 -a970109 -b97010</font></p> </blockquote> <p><font face="Arial">Dump messages saved from the system log at \\serv1 in file \\serv1\d$\system.log, with centuries in the event dates and GMT times:</font></p> <blockquote> <p><font face="Courier New">eldump -F \\serv1\d$\system.log -l system -x \\serv1 -K -G</font></p> </blockquote> <p><font face="Arial">or the same but shorter:</font></p> <blockquote> <p><font face="Courier New">eldump \\serv1\d$\system.log sys -KG</font></p> </blockquote> <p><font face="Arial">Dump error messages saved from the system and application logs at the servers  \\serv1 and \\serv2:</font></p> <blockquote> <p><font face="Courier New">eldump -s \\serv1 -s \\serv2 -l system -l application -T error</font></p> </blockquote> <p><font face="Arial">or the same but shorter:</font></p> <blockquote> <p><font face="Courier New">eldump \\serv1 \\serv2 sys app err</font></p> </blockquote> <table border="0" cellpadding="0" cellspacing="0" width="100%"> <tr> <td><font color="#008080" size="5" face="Arial"><strong><br> <a name="Dump of ELSavClr saved logs">Dump of ELSavClr saved logs</a></strong></font></td> <td align="right" valign="bottom"><font size="2" face="Arial">(<a href="#top">top</a>)</font></td> </tr> </table> <p><font face="Arial">The tool <a href="http://www.ibt.ku.dk/jesper/elsavClr/">ELSavClr</a> can be used to periodically save and then clear the active event logs. The -S option can be used to easily dump and search such saved log. The -S option should be used with the following arguments (if you specify the sel argument you can leave out the -S):</font></p> <blockquote> <p><strong><font face="Arial">-S [<em>sel</em>] [<em>\\server</em>] [<em>dir</em>]</font></strong></p> </blockquote> <table border="0"> <tr> <td colspan="3"><font face="Arial">The sel argument can be one of the following:</font></td> </tr> <tr> <td></td> <td><font face="Arial"><strong>last</strong></font></td> <td><font face="Arial">Dumps only the last saved log.</font></td> </tr> <tr> <td></td> <td><font face="Arial"><strong>all</strong></font></td> <td><font face="Arial">Dumps all the saved logs.</font></td> </tr> <tr> <td></td> <td><font face="Arial"><strong>current</strong></font></td> <td><font face="Arial">Do not dump any of the saved logs, but dump the current active log on the server.</font></td> </tr> <tr> <td></td> <td><font face="Arial"><strong>last+current</strong></font></td> <td><font face="Arial">Dumps the last saved log and then the current log.</font></td> </tr> <tr> <td></td> <td><font face="Arial"><strong>all+current</strong></font></td> <td><font face="Arial">Dumps all the saved logs and then the current log.</font></td> </tr> <tr> <td colspan="3"><font face="Arial">All these names can be abbreviated. Default is <strong>last.</strong></font></td> </tr> </table> <p><font face="Arial">The \\server argument specifies the server where the logs are saved (that is, the server where ELSavClr was run). Default is the server where you are running ELDump.</font></p> <p><font face="Arial">The dir argument specifies the directory where the logs are saved. If a path starting with \\server\share is used that path will be used without change. But if a path starting with a device letter (like d:\dir) is used that path is taken to on a device local to the \\server (in other words d:\dir is translated to \\server\d$\dir)! The dir argument can contain %environmentvars% which will be expanded on the \\server instead of locally! The default for dir is %systemroot%\system32\evtlogs.<br> The net effect of these rather complex rules is that you should specify the dir argument <em>exactly</em> as you did on the ELSavClr command, even if it was on a remote server. If you used the default directory with the ELSavClr command you should also just omit the dir argument to the -S option. <br> This does require that you have administrative rights on the server. If you don not have administrative rights but you do have read rights to the directory where the logs are saved, you should use the \\server\share syntax.</font></p> <p><big><strong><font face="Arial">-S examples</font></strong></big></p> <p><font face="Arial">Dump all saved system logs on the local computer (the logs are saved to %systemroot%\system32\evtlogs):</font></p> <blockquote> <p><font face="Courier New">eldump -S all -l sys</font></p> </blockquote> <p><font face="Arial">Dump all error entries from the last saved and the current system logs on \\server (the logs are saved to c:\logs on the \\server):</font></p> <blockquote> <p><font face="Courier New">eldump -S l+c \\server c:\logs err sys</font></p> </blockquote> <table border="0" cellpadding="0" cellspacing="0" width="100%"> <tr> <td><font color="#008080" size="5" face="Arial"><strong><br> <a name="Download and installation">Download and installation</a></strong></font></td> <td align="right" valign="bottom"><font size="2" face="Arial">(<a href="#top">top</a>)</font></td> </tr> </table> <p><a href="http://www.ibt.ku.dk/jesper/cgi/download.pl?File=ELDump/ELDump"><font face="Arial">Download the current version of eldump.</font></a></p> <p><font face="Arial">The ELDump tool is distributed as a zip file containing ELDump.exe (the tool) and ELDump.htm (this page). You do not have to install the tool - simply run it from a command line. However if you want to use the <strong>-q</strong> option to get error messages etc. in the event log, then you must register ELDump with:</font></p> <blockquote> <p><font face="Courier New">eldump -R</font></p> </blockquote> <p><font face="Arial">You may also want to look at the other <a href="http://www.ibt.ku.dk/Jesper/NTtools/" target="_top">NT tools</a> by Jesper.</font></p> <table border="0" cellpadding="0" cellspacing="0" width="100%"> <tr> <td><font color="#008080" size="5" face="Arial"><strong><br> <a name="Version history">Version history</a></strong></font></td> <td align="right" valign="bottom"><font size="2" face="Arial">(<a href="#top">top</a>)</font></td> </tr> </table> <table border="0"> <tr> <td valign="top"><strong><font face="Arial">version</font></strong></td> <td></td> </tr> <tr> <td valign="top"><font face="Arial">0.13</font></td> <td><font face="Arial">Now correctly prints ids larger than 32768.<br> Can now accept dates after year 2000 in -a and -b options.<br> New -S option to read logs saved with ELSavClr. Multiple logs can now be read with multiple -s, -S, -F and -l options. You can get a header for each log in the dump file with the new -L option.<br> Now writes proper event log messages when -q is used, but this requires initial registration with -R. You can unregister with -U.<br> New -K option to get century in dates and new -G option to get event times as GMT instead of as local times.<br> New -O option for greater flexibility in specifying which fields to output.<br> Now allows arguments to be specified with a lot more flexibility.<br> This version can be slightly slower when dumping some logs due to the added features, but it is now often a <em>lot</em> faster when dumping large logs with many Audit entries (typically the security log).</font></td> </tr> <tr> <td valign="top"><font face="Arial">0.12</font></td> <td><font face="Arial">New -u option to filter on userid.<br> Now works on NT 4.0 post-SP3 lsa2 hotfix and later.</font></td> </tr> <tr> <td valign="top"><font face="Arial">0.11</font></td> <td><font face="Arial">Can now handle event entries larger than 32 K Bytes.</font></td> </tr> <tr> <td valign="top"><font face="Arial">0.10</font></td> <td><font face="Arial">Fixed bug in handling national characters.</font></td> </tr> </table> <hr> <p align="right"><font size="2" face="Arial"><em>last changed 20. juli 1999</em></font></p>  </body>