contents:
Arguments
Examples
Download and installation
Version history
ELSavClr

ELSavClr is a tool to periodically save and then clear NT Event Logs. You should execute ELSavClr once each night with the NT scheduler. It will then periodically save the logs to a directory and then clear the logs. You can use the NT Event Viewer, ELDump or other event log tools to later read the saved logs. Version 0.13 or later of ELDump is especially useful because it knows how to read all saved logs in combination with the current active log.

ELSavClr is written by Jesper Lauritsen. The executable is in the public domain. Source code is not available.


Arguments

ELSavClr takes the following arguments:

-l log... Save and clear the specified logs. The log names are system, application and security. If you do not use the -l option all three logs are saved and cleared. You can shorten the log names as much as you like and you can leave out the -l in front of the log names if you want to.
-d dir Absolute path to the directory where the event logs will be saved. The path may contain %environmentvars%. Default is %systemroot%\system32\evtlogs. The directory must exist. You can leave out the -d in front of the directory name if you want.
-p period Save and clear event logs after each period (day, week or month). This is independent of when and how often ELSavClr is run; usually you should run ELSavClr at least once a day. Default is week. You can shorten the period names as much as you like and you can leave out the -p in front of the period name if you want to.
-c delafter Delete saved event logs older than delafter periods. Default is not to delete saved event logs.
-q Write errors to the event log. This requires registration with -R. You should normally always use the -q option when you execute ELSavClr with the NT Scheduler (the at command).
-K When -K is used the saved event logs will get names of the form lllyyyymmdd.EVT, where lll is system, application or security, and yyyymmdd is the date the event log is saved. -K must not be used when saving to a FAT file system. If -K is not used the saved event logs will get names of the form lyymmdd.EVT, where l is S, A or U for System, Application or Security.
Unless you want to save your logs to a FAT partition you should probably always use the -K option!
-e "cmd" If a log is saved the argument to -e is executed as a command. The command and its arguments must be enclosed in double quotes. Any %environmentvars% in the command are expanded before the command is executed. Before the expansion the environment variable %logname% is set to the name of the log that is saved and %logfile% is set to the name of the file it is saved to. If no logs are saved the command is not executed.
-R Registers ELSavClr with NT for event log messages. You must reregister if you move elsavclr.exe to a different directory. Registration is only necessary if you want to use the -q option.
-U Unregisters ELSavClr with NT.
-? Prints a short help text.
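The following Python script is an added example and is not part of ELSavClr (which ships without source). It models the two file-name forms described under -K, the two-digit-year rollover rule for short names given in the version history (YY below 88 is 20YY, otherwise 19YY), and the -c retention rule, so that an administrator can audit a saved-log directory offline before relying on it during an investigation. All function and variable names are mine; the page does not define the length of a month or the exact meaning of "older than delafter periods", so a month is assumed to be 30 days and a saved log is treated as expired when it was saved more than delafter periods before today. The directory listing in demo() is constructed sample data.

```python
"""Offline audit of an ELSavClr saved-log directory (added example, not ELSavClr code).

Models, from the page's description:
  * the -K (long) and default (short) file-name forms,
  * the YY rollover rule for short names (YY < 88 -> 20YY, otherwise 19YY),
  * which saved logs are older than `delafter` periods (what -c would delete).
Assumptions (not stated on the page): a month is treated as 30 days, and
"older than N periods" means saved more than N * period-length days before today.
"""
import re
from datetime import date, timedelta

# Long names: lllyyyymmdd.EVT with lll = system | application | security.
LONG_NAME = re.compile(r"^(system|application|security)(\d{4})(\d{2})(\d{2})\.evt$", re.I)
# Short names: lyymmdd.EVT with l = S | A | U.
SHORT_NAME = re.compile(r"^([SAU])(\d{2})(\d{2})(\d{2})\.evt$", re.I)
SHORT_TO_LOG = {"S": "system", "A": "application", "U": "security"}
LOG_TO_SHORT = {v: k for k, v in SHORT_TO_LOG.items()}
PERIOD_DAYS = {"day": 1, "week": 7, "month": 30}  # month = 30 days is an assumption


def expand_short_year(yy: int) -> int:
    """Rollover rule from the 0.3 notes: YY < 88 means 20YY, YY >= 88 means 19YY."""
    return 2000 + yy if yy < 88 else 1900 + yy


def saved_log_name(log: str, saved_on: date, long_names: bool) -> str:
    """File name ELSavClr gives a saved log: -K form when long_names, else short form."""
    log = log.lower()
    if long_names:
        return f"{log}{saved_on:%Y%m%d}.EVT"
    return f"{LOG_TO_SHORT[log]}{saved_on:%y%m%d}.EVT"


def parse_saved_log_name(name: str):
    """Return (log, date saved) for either naming form, or None for other files."""
    m = LONG_NAME.match(name)
    if m:
        log, year = m.group(1).lower(), int(m.group(2))
    else:
        m = SHORT_NAME.match(name)
        if not m:
            return None
        log, year = SHORT_TO_LOG[m.group(1).upper()], expand_short_year(int(m.group(2)))
    try:
        return log, date(year, int(m.group(3)), int(m.group(4)))
    except ValueError:  # e.g. month 13: a file that only looks like a saved log
        return None


def expired_saved_logs(names, today: date, period: str, delafter: int):
    """Saved logs older than `delafter` periods on `today` (candidates for -c deletion)."""
    cutoff = today - timedelta(days=delafter * PERIOD_DAYS[period])
    return [n for n in names if (p := parse_saved_log_name(n)) and p[1] < cutoff]


def demo():
    """Audit a constructed directory listing (sample data, not from a real system)."""
    listing = ["S990601.EVT", "S990701.EVT", "security19990715.EVT", "A880102.EVT", "notes.txt"]
    today = date(1999, 7, 20)
    return {
        "long": saved_log_name("security", today, long_names=True),
        "short": saved_log_name("security", today, long_names=False),
        "parsed": {n: parse_saved_log_name(n) for n in listing},
        "expired_after_2_weeks": expired_saved_logs(listing, today, "week", 2),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints the audit of the constructed listing; to check a real -d directory, pass the result of os.listdir() on that directory to expired_saved_logs() with the period and delafter values you schedule ELSavClr with, and compare the result with what is actually still on disk.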

Examples

If you execute the following each night (with the Scheduler) it will save all logs each weekend into the system32\evtlogs directory (this directory must exist):

elsavclr

If you execute the following each night (with the Scheduler) it will save the security log each night into the system32\seqlogs directory (this directory must exist):

elsavclr -q -l security -d %systemroot%\system32\seqlogs -p day

or the same but shorter:

elsavclr -q sec %systemroot%\system32\seqlogs day

Execute the following each night (with the Scheduler) to save all logs each weekend into the system32\evtlogs directory (this directory must exist), and to append a dump of all error entries to the err.txt file:

elsavclr -e "eldump -F %filename% -l %logname% -T error >>%systemroot%\err.txt"


Download and installation

Download current version of elsavclr.

The ELSavClr tool is distributed as a zip file containing ELSavClr.exe (the tool) and ELSavClr.htm (this page). You do not have to install the tool - simply run it from a command line. However, if you want to use the -q option to get error messages etc. in the event log, then you must register ELSavClr with:

elsavclr -R

You may also want to look at the other NT tools by Jesper.


Version history
0.3 Now writes proper event log messages when -q is used, but this requires initial registration with -R. You can unregister with -U.
New -K option gives longer and more readable file names but requires that -d points to a directory on a non-FAT partition. Unless you want to save your logs to a FAT partition you should probably begin using the -K option!
Now works after year 2000! Note that it works even when the -K option is not used. When short dates of the form YYMMDD are used ELSavClr will use rollover so that YY values less than 88 will be interpreted as 20YY and YY values greater than or equal to 88 will be interpreted as 19YY.
New -l option replaces the old -s, -a and -u options (but the old options still work).
New -e option to execute a command when a log is saved and cleared.
0.2 Now works on NT 4.0 post-SP3 lsa2 hotfix and on NT 4.0 SP4 and later.

last changed 19990720