ELSavClr

<body> <p> </p>  <table border="0" cellpadding="0" cellspacing="0" width="100%"> <tr> <td></td> <td align="right"><div align="right"><table border="2" cellpadding="3" cellspacing="0" bordercolor="#008080" bordercolordark="#008080" bordercolorlight="#008080"> <tr> <td align="right"><font color="#008080" size="1" face="Arial">contents:</font><font size="1" face="Arial"><br> <a href="ELSavClr.htm#Arguments">Arguments</a><br> <a href="ELSavClr.htm#Examples">Examples</a><br> <a href="ELSavClr.htm#Download and installation">Download and installation</a><br> <a href="#Version history">Version history</a></font></td> </tr> </table> </div></td> </tr> <tr> <td valign="bottom"><a name="ELSavClr"><font color="#008080" size="5" face="Arial"><strong>ELSavClr</strong></font></a></td> <td align="right" valign="bottom"></td> </tr> </table> <p><font face="Arial">ELSavClr is a tool to periodically save and then clear NT Event Logs. You should execute ELSavClr once each night with the NT scheduler. It will then periodically save the logs to a directory and then clear the logs. You can use the NT Event Viewer, <a href="../ELDump/default.htm">ELDump</a> or other event log tools to later read the saved logs. Version 0.13 or later of <a href="../ELDump/default.htm">ELDump</a> is specially useful because it knows how to read all saved logs in combination with the current active log.</font></p> <p><font face="Arial">ELSavClr is written by <a href="http://www.ibt.ku.dk/jesper" target="_top">Jesper Lauritsen</a>. The executable is in the public domain. Source code is not available.</font></p> <table border="0" cellpadding="0" cellspacing="0" width="100%"> <tr> <td><font color="#008080" size="5" face="Arial"><strong><br> <a name="Arguments">Arguments</a></strong></font></td> <td align="right" valign="bottom"><font size="2" face="Arial">(<a href="ELSavClr.htm#top">top</a>)</font></td> </tr> </table> <p><font face="Arial"><strong>ELSavClr</strong> takes the following arguments:</font></p> <table border="0" width="100%"> <tr> <td valign="top" width="20%"><strong><font face="Arial">-l <em>log</em>... </font></strong></td> <td><font face="Arial">Save and clear the specified logs. The log names are <strong>system</strong>, <strong>application</strong> and <strong>security</strong>. If you do not use the -l option all tree logs are saved and cleared. You can shorten the log names as much as you like and you can leave out the -l in front of the log names if you want to.</font></td> </tr> <tr> <td valign="top" width="20%"><font face="Arial"><strong>-d <em>dir</em></strong></font></td> <td><font face="Arial">Absolute path to directory where the event logs will be saved. The path may contain %environmentvars%. Default is %systemroot%\system32\evtlogs. The directory must exists. You can leave out the -d in front of the directory name if you want.</font></td> </tr> <tr> <td valign="top"><font face="Arial"><strong>-p <em>period</em></strong></font></td> <td><font face="Arial">Save and clear event logs after each period (<strong>day</strong>, <strong>week</strong> or <strong>month</strong>). This is independent of when and how often ELSavClr is run, usually you should run ELSavClr at least once a day. Default is week. You can shorten the period names as much as you like and you can leave out the -p in front of the log names if you want to.</font></td> </tr> <tr> <td valign="top"><font face="Arial"><strong>-c <em>delafter</em></strong></font></td> <td><font face="Arial">Delete saved event logs older than delafter periods. Default is not to delete saved event logs.</font></td> </tr> <tr> <td valign="top"><font face="Arial"><strong>-q</strong></font></td> <td><font face="Arial">Write errors to the event log. This requires registration with -R. You should normally always use the -q option when you execute ElSavClr with the NT Scheduler (the at command).</font></td> </tr> <tr> <td valign="top"><font face="Arial"><strong>-K</strong></font></td> <td><font face="Arial">When -K is used the saved event logs will get names of the form<strong> lllyyyymmdd.EVT</strong>, where <strong>lll</strong> is <strong>system</strong>, <strong>application</strong> or <strong>security</strong>, and <strong>yyyymmdd</strong> is the date the event log is saved. <strong>-K</strong> must not be used when saving to a FAT file system. If -K is not used the saved event logs will get names of the form <strong>lyymmdd.EVT</strong>, where <strong>l</strong> is <strong>S</strong>, <strong>A</strong> or <strong>U</strong> for System, Application or Security.<br> Unless you want to save your logs to a FAT partition you should probably always use the -K option!</font></td> </tr> <tr> <td valign="top"><font face="Arial"><strong>-e "<em>cmd</em>"</strong></font></td> <td><font face="Arial">If a log is saved the argument to -e is executed as a command. The command and its arguments must be enclosed in double quotes. Any %environmentvars% in the command are expanded before the command is executed. Before the expantion the environment variable %logname% is set to the name of the log that are saved and %logfile% is set to the name of the file it is saved to. If no logs are saved the command is not executed.</font></td> </tr> <tr> <td valign="top"><font face="Arial"><strong>-R</strong></font></td> <td><font face="Arial">Registers ELSavClr with NT for event log messages. You must reregister if you move elsavclr.exe to a different directory. Registration is only necessary if you want to use the -q option.</font></td> </tr> <tr> <td valign="top"><font face="Arial"><strong>-U</strong></font></td> <td><font face="Arial">Unregisters ELSavClr with NT.</font></td> </tr> <tr> <td valign="top"><font face="Arial"><strong>-?</strong></font></td> <td><font face="Arial">Prints a short help text.</font></td> </tr> </table> <table border="0" cellpadding="0" cellspacing="0" width="100%"> <tr> <td><font color="#008080" size="5" face="Arial"><strong><br> <a name="Examples">Examples</a></strong></font></td> <td align="right" valign="bottom"><font size="2" face="Arial">(<a href="ELSavClr.htm#top">top</a>)</font></td> </tr> </table> <p><font face="Arial">If you execute the following each night (with the Scheduler) it will save all logs each weekend into the system32\evtlogs directory (this directory must exists):</font></p> <blockquote> <p><font face="Courier New">elsavclr</font></p> </blockquote> <p><font face="Arial">If you execute the following each night (with the Scheduler) it will save the security logs each night into the system32\seqlogs directory (this directory must exists):</font></p> <blockquote> <p><font face="Courier New">elsavclr -q -l security -d %systemroot%\system32\seqlogs -p day</font></p> </blockquote> <p><font face="Arial">or the same but shorter:</font></p> <blockquote> <p><font face="Courier New">elsavclr -q sec %systemroot%\system32\seqlogs day</font></p> </blockquote> <p><font face="Arial">Execute the following each night (with the Scheduler) to save all logs each weekend into the system32\evtlogs directory (this directory must exists), and to append a dump of all error entries to the err.txt file:</font></p> <blockquote> <p><font face="Courier New">elsavclr -e "eldump -F %filename% -l %logname% -T error >>%systemroot%\err.txt"</font></p> </blockquote> <table border="0" cellpadding="0" cellspacing="0" width="100%"> <tr> <td><font color="#008080" size="5" face="Arial"><strong><br> <a name="Download and installation">Download and installation</a></strong></font></td> <td align="right" valign="bottom"><font size="2" face="Arial">(<a href="ELSavClr.htm#top">top</a>)</font></td> </tr> </table> <p><a href="http://www.ibt.ku.dk/jesper/cgi/download.pl?File=ELSavClr/ELSavClr"><font face="Arial">Download current version of elsavclr.</font></a></p> <p><font face="Arial">The ELSavClr tool is distributed as a zip file containing ELSavClr.exe (the tool) and ELSavClr.htm (this page). You do not have to install the tool - simply run it from a command line. However if you want to use the <strong>-</strong>q option to get error messages etc. in the event log, then you must register ELSavClr with:</font></p> <blockquote> <p><font face="Courier New">elsavclr -R</font></p> </blockquote> <p><font face="Arial">You may also want to look at the other <a href="http://www.ibt.ku.dk/jesper/NTtools/" target="_top">NT tools</a> by Jesper.</font></p> <table border="0" cellpadding="0" cellspacing="0" width="100%"> <tr> <td><font color="#008080" size="5" face="Arial"><strong><br> <a name="Version history">Version history</a></strong></font></td> <td align="right" valign="bottom"><font size="2" face="Arial">(<a href="ELSavClr.htm#top">top</a>)</font></td> </tr> </table> <table border="0"> <tr> <td valign="top"><strong><font face="Arial">version</font></strong></td> <td></td> </tr> <tr> <td valign="top"><font face="Arial">0.3</font></td> <td><font face="Arial">Now writes proper event log messages when -q is used, but this requires initial registration with -R. You can unregister with -U.<br> New -K options gives longer and more readable file names but requires that -d points to a directory on a non-FAT partition. Unless you want to save your logs to a FAT partition you should probably begin using the -K option!<br> Now works after year 2000! Note that it works even when the -K option is not used. When short dates on the form YYMMDD are used ELSavClr will use roll over so that YY values less than 88 will be interpreted as 20YY and YY values greater than or equal 88 will be interpreted as 19YY.<br> New -l option replaces the old -s, -a and -u option (but the old options still works).<br> New -e option to execute a command when a log is saved and cleared.</font></td> </tr> <tr> <td valign="top"><font face="Arial">0.2</font></td> <td><font face="Arial">Now works on NT 4.0 post-SP3 lsa2 hotfix and on NT 4.0 SP4 and later.</font></td> </tr> </table> <hr> <p align="right"><font size="2" face="Arial"><em>last changed 19990720</em></font></p>  </body>