contents:
Arguments
Examples
Dump of ELSavClr saved logs
Download and installation
Version history
ELDump

ELDump is a tool to dump the contents of a NT event log as text.

It is very much like the tool DumpEL from the NT Resource Kit, but ELDump is more versatile and sometimes quite a lot faster. Most important ELDump can:

ELDump is written by Jesper Lauritsen. The executable is in the public domain. Source code is not available.


Arguments
(top)

ELDump takes the following options and arguments:

-f file The file where the dump text is written. Default is to write to stdout. Don't use -f, use standard NT redirection with > or >> instead!
-s \\server Server for which to dump the event log. Default is the current machine, unless -F or -S is specified. You can leave out the -s in front of the server name if you want to. You can specify as many servers as you like.
-F saved-log Name of a file with a saved event log which is dumped. You can leave out the -F in front of the file name if you want to. You can specify as many file names as you like.
-S ... See below for description of the -S option.
-l log Name of log to dump. Must be one of system, application or security. If -F is used and the file name starts with s, a or u this chooses a default log, otherwise the default is application. You can shorten the log names as much as you like and you can leave out the -l in front of the log name if you want to. You can specify one, two or three log names to dump one, two or three logs.
-t Separate the output fields with tabs. Default is space, unless -c is specified.
-c c Separate the output fields with the character c. If -c is specified -t must not also be specified.
-q Write errors and warnings to the application event log. Default is to write errors to stderr. This options is mostly useful when ELDump is run in the background, like for example from the scheduler. This requires registration with -R.
-K Dump log entries with centuries in the entry date.
-G Dump log entries with GMT times instead of local times.
-L Write to the output dump file which event logs are being dumped. This is useful if you dump more than one log with one invocation of the ELDump command.
-m source Only dump messages with this source.
-e n1 n2 ... Only dump messages with these ids.
-r Reverse the meaning of -e. That is, only dump messages that do not have the ids specified with -e.
-C category Only dump messages with this category.
-T t1 t2 ... Only dump messages with these types. You can specify one or more of Error, Warning, Information, AuditSuccess, AuditFailure. You can shorten the names as much as you like and you can leave out the -T in front of the names if you want to.
-Q Keep quiet about message texts not found, etc.
-o computer Only dump messages about this computer.
-u userid Only dump messages about this userid. The userid can be a simple userid or at the form domain\userid.
-a time Only dump messages after or at the time specified as yyyymmddhhmmss. You can leave out the century and seconds, minutes, hours and day number. You can only use one of -a and -A.
-A hours Only dump messages from after the specified number of hours ago. You can only use one of -a and -A.
-b time Only dump messages before the time specified as yyyymmddhhmmss. You can leave out the century and seconds, minutes, hours and day number. You can only use one of -b and -B.
-B hours Only dump messages from before the specified number of hours ago. You can only use one of -b and -B.
-M Do not dump the full message text, only dump the message strings.
-x \\server Get messages texts from this server if they are not found at the server where ELDump is running. If -s or -S is used this is also default for -x. If -F is used with an UNC name this server is also default for -x. The use of an -x \\server will only work if you have admin rights at the -x \\server.
-X Always get message texts from the server specified with -x. That is, do not look for message texts at the local machine.
-Y Always get message texts from the local machine. That is, ignore the server specified with -x.
-O format
Selects the fields to dump. The format should be a string of letters, where:
d Date
t Time
m or S Source
T Type
C Category
e or I Event ID
y Type initial and event ID
u Userid
o or c Computer name
s Message text (or message strings if -M is used)
Default is dtmTCeuos. The format string consisting of a single x equals dtmyus (nice and short).
-? Print short help about all options.

Examples
(top)

Dump the application log from the current machine to the file el-appl.txt:

eldump >el-appl.txt

Dump the system log from server \\serv1:

eldump -s \\serv1 -l system

or the same but shorter:

eldump \\serv1 sys

Dump error messages about node1 from a single day:

eldump -T error -c node1 -a 19970109000000 -b 1997010000000

or the same but shorter:

eldump err -cnode1 -a970109 -b97010

Dump messages saved from the system log at \\serv1 in file \\serv1\d$\system.log, with centuries in the event dates and GMT times:

eldump -F \\serv1\d$\system.log -l system -x \\serv1 -K -G

or the same but shorter:

eldump \\serv1\d$\system.log sys -KG

Dump error messages saved from the system and application logs at the servers  \\serv1 and \\serv2:

eldump -s \\serv1 -s \\serv2 -l system -l application -T error

or the same but shorter:

eldump \\serv1 \\serv2 sys app err


Dump of ELSavClr saved logs
(top)

The tool ELSavClr can be used to periodically save and then clear the active event logs. The -S option can be used to easily dump and search such saved log. The -S option should be used with the following arguments (if you specify the sel argument you can leave out the -S):

-S [sel] [\\server] [dir]

The sel argument can be one of the following:
last Dumps only the last saved log.
all Dumps all the saved logs.
current Do not dump any of the saved logs, but dump the current active log on the server.
last+current Dumps the last saved log and then the current log.
all+current Dumps all the saved logs and then the current log.
All these names can be abbreviated. Default is last.

The \\server argument specifies the server where the logs are saved (that is, the server where ELSavClr was run). Default is the server where you are running ELDump.

The dir argument specifies the directory where the logs are saved. If a path starting with \\server\share is used that path will be used without change. But if a path starting with a device letter (like d:\dir) is used that path is taken to on a device local to the \\server (in other words d:\dir is translated to \\server\d$\dir)! The dir argument can contain %environmentvars% which will be expanded on the \\server instead of locally! The default for dir is %systemroot%\system32\evtlogs.
The net effect of these rather complex rules is that you should specify the dir argument exactly as you did on the ELSavClr command, even if it was on a remote server. If you used the default directory with the ELSavClr command you should also just omit the dir argument to the -S option.
This does require that you have administrative rights on the server. If you don not have administrative rights but you do have read rights to the directory where the logs are saved, you should use the \\server\share syntax.

-S examples

Dump all saved system logs on the local computer (the logs are saved to %systemroot%\system32\evtlogs):

eldump -S all -l sys

Dump all error entries from the last saved and the current system logs on \\server (the logs are saved to c:\logs on the \\server):

eldump -S l+c \\server c:\logs err sys


Download and installation
(top)

Download the current version of eldump.

The ELDump tool is distributed as a zip file containing ELDump.exe (the tool) and ELDump.htm (this page). You do not have to install the tool - simply run it from a command line. However if you want to use the -q option to get error messages etc. in the event log, then you must register ELDump with:

eldump -R

You may also want to look at the other NT tools by Jesper.


Version history
(top)
version
0.13 Now correctly prints ids larger than 32768.
Can now accept dates after year 2000 in -a and -b options.
New -S option to read logs saved with ELSavClr. Multiple logs can now be read with multiple -s, -S, -F and -l options. You can get a header for each log in the dump file with the new -L option.
Now writes proper event log messages when -q is used, but this requires initial registration with -R. You can unregister with -U.
New -K option to get century in dates and new -G option to get event times as GMT instead of as local times.
New -O option for greater flexibility in specifying which fields to output.
Now allows arguments to be specified with a lot more flexibility.
This version can be slightly slower when dumping some logs due to the added features, but it is now often a lot faster when dumping large logs with many Audit entries (typically the security log).
0.12 New -u option to filter on userid.
Now works on NT 4.0 post-SP3 lsa2 hotfix and later.
0.11 Can now handle event entries larger than 32 K Bytes.
0.10 Fixed bug in handling national characters.

last changed 20. juli 1999