Deleting Events from the .EVT file - KiXtart.org

You are not logged in. [Log In] KiXtart.org website » Forums » KiXtart » Basic Scripting » Deleting Events from the .EVT file

Page 1 of 3

Topic Options

#166802 - 2006-09-04 02:40 PM Deleting Events from the .EVT file
AstaaLavista AstaaLavista Starting to like KiXtart Registered: 2005-08-11 Posts: 111 Loc: Gujarat, India.	Hi, I m back with a query . From KiXtart, is it possible to delete an event from the event file(.evt)? If yes, please let me know how?
Top

#166803 - 2006-09-04 02:59 PM

Re: Deleting Events from the .EVT file

Björn

Korg Regular

Registered: 2005-12-07
Posts: 953
Loc: Stockholm, Sweden.

is it this you're looking for?
Code:


ClearEventLog( )
Action: 	Clears up a Windows NT eventlog.
 
Syntax: 	CLEAREVENTLOG ("eventlog")
 
Parameter: 	Eventlog

    String indicating the eventlog to clear. By default, Windows NT supports three eventlogs:
 "Application", "Security" and "System". Optionally, the string can include the name of a remote system 
on which to clear the log.

Returns: 	
0 		Eventlog cleared
>0 		Errorcode
 
See Also: 	BackupEventLog( ), LogEvent( )
 
Examples: 	

$rc=ClearEventLog("Application")
$rc=ClearEventLog("\\PDC\Application")
$rc=ClearEventLog("System")

Edited by Björn (2006-09-04 03:00 PM)

Top

#166804 - 2006-09-04 03:27 PM Re: Deleting Events from the .EVT file
Les Les KiX Master Registered: 2001-06-11 Posts: 12734 Loc: fortfrances.on.ca	Quote: is it possible to delete an event He's talking about a single event, not the entire log.
Top

#166805 - 2006-09-04 03:28 PM Re: Deleting Events from the .EVT file
AstaaLavista AstaaLavista Starting to like KiXtart Registered: 2005-08-11 Posts: 111 Loc: Gujarat, India.	This deletes the entire event log which I dont want i actually want to delete only some specific Event IDs.
Top

#166806 - 2006-09-04 03:33 PM Re: Deleting Events from the .EVT file
Björn Björn Korg Regular Registered: 2005-12-07 Posts: 953 Loc: Stockholm, Sweden.	Oh sorry. missed that.
Top

#166807 - 2006-09-04 05:17 PM Re: Deleting Events from the .EVT file
Sealeopard Sealeopard KiX Master Registered: 2001-04-25 Posts: 11164 Loc: Boston, MA, USA	Not that I am aware of. And that is a good thing. You don't want users to be able to delete selective events, there would be way too much room for malicious intent. What's the purpose of deleting those single events? _________________________ There are two types of vessels, submarines and targets.
Top

#166808 - 2006-09-04 05:37 PM Re: Deleting Events from the .EVT file
AstaaLavista AstaaLavista Starting to like KiXtart Registered: 2005-08-11 Posts: 111 Loc: Gujarat, India.	I m currently entrusted with the responsibility of checking SECURITY event log for any malicious activity. For e.g. Event ID 560 comes under the Failure Security log, but it is an utter useless thing. The EVT file for one day has a size of around 500 MB. Imagine my plight; so i want to automate this process.
Top

#166809 - 2006-09-04 06:04 PM Re: Deleting Events from the .EVT file
Sealeopard Sealeopard KiX Master Registered: 2001-04-25 Posts: 11164 Loc: Boston, MA, USA	Then why do you not see Event IDs 560 and 562 appear many times in the security event log whether this MSKB article provides some relief: _________________________ There are two types of vessels, submarines and targets.
Top

#166810 - 2006-09-04 06:12 PM Re: Deleting Events from the .EVT file
Les Les KiX Master Registered: 2001-06-11 Posts: 12734 Loc: fortfrances.on.ca	Use eventcomb to gather only the info you want.
Top

#166811 - 2006-09-04 07:07 PM Re: Deleting Events from the .EVT file
AstaaLavista AstaaLavista Starting to like KiXtart Registered: 2005-08-11 Posts: 111 Loc: Gujarat, India.	I wish life wud have been so easy. Just as moderator of one forum is not allowed to modify the other forum, i m not allowed to access the Domain Controller. I can get only the EVT file. I guess i will have to convert it into excel or csv (every new file after 16000 rows) to solve this problem. Thanks Les for ur help; but EventComb wont read an EVT file.
Top

#166812 - 2006-09-04 10:26 PM Re: Deleting Events from the .EVT file
Les Les KiX Master Registered: 2001-06-11 Posts: 12734 Loc: fortfrances.on.ca	If you say so but I use it to scour all my DCs event logs and AFAIK they are secevent.evt files.
Top

#166813 - 2006-09-04 11:19 PM Re: Deleting Events from the .EVT file
NTDOC NTDOC Administrator Registered: 2000-07-28 Posts: 11624 Loc: CA	Account Lockout and Management Tools http://www.microsoft.com/downloads/detai...;displaylang=en Includes EventCombMT.exe Gathers specific events from event logs of several different machines to one central location.
Top

#166814 - 2006-09-05 12:42 AM Re: Deleting Events from the .EVT file
Mart Mart KiX Supporter Registered: 2002-03-27 Posts: 4673 Loc: The Netherlands	Quote: .... I can get only the EVT file. I guess i will have to convert it into excel or csv (every new file after 16000 rows) to solve this problem. .... Maybe you can convince the person exporting the event log to a file to export it to csv (tab or comma delimited). The event logs can easily be exported like this because it is a build in option when saving the event log to a file. Maybe this helps. Did not try it but it looks like a command line app to read .evt files. read, write, backup, enumerate, count, clear, and display an event log _________________________ Mart - Chuck Norris once sold ebay to ebay on ebay.
Top

#166815 - 2006-09-06 05:41 PM Re: Deleting Events from the .EVT file
AstaaLavista AstaaLavista Starting to like KiXtart Registered: 2005-08-11 Posts: 111 Loc: Gujarat, India.	Quote: Maybe you can convince the person exporting the event log to a file to export it to csv (tab or comma delimited). The event logs can easily be exported like this because it is a build in option when saving the event log to a file. Converting to a CSV file is not an issue. Actually the person was providing me with the CSV file; but the CSV file didnt contain the entire data. My EVT file contains more 10 million rows which is not possible to save as a CSV file. I tried to use the FILTER facility available with the event viewer, but it does not provide the NOT facility; i.e. I cant check what are the other events apart from event ID 560. I have also checked the link, it is the same one mentioned earlier.
Top

#166816 - 2006-09-06 06:02 PM Re: Deleting Events from the .EVT file
Witto Witto MM club member Registered: 2004-09-29 Posts: 1828 Loc: Belgium	If you open the CSV with Excel, you can choose NOT to display event ID 560 (first rename the CSV-file to something with TXT extension and do a "File --> Open" so you can choose the column separator)
Top

#166817 - 2006-09-06 06:06 PM Re: Deleting Events from the .EVT file
AstaaLavista AstaaLavista Starting to like KiXtart Registered: 2005-08-11 Posts: 111 Loc: Gujarat, India.	Friend, the problem is CSV can't hold 10 million rows. Column containing event ID 560 will ALSO contain other IDs as well...
Top

#166818 - 2006-09-06 06:27 PM Re: Deleting Events from the .EVT file
Witto Witto MM club member Registered: 2004-09-29 Posts: 1828 Loc: Belgium	Reading the file line per line and writing a new file would also be no option? I would think you could split a line and find the event on the same place in the array. If it is not 560, write the line to a new file. Just a thought.
Top

#166819 - 2006-09-06 07:15 PM Re: Deleting Events from the .EVT file
Les Les KiX Master Registered: 2001-06-11 Posts: 12734 Loc: fortfrances.on.ca	Maybe you can convince the person exporting the event log to a file to export it more frequently before it becomes too large to import to Excel. Still, it might be best to fix the root cause of all those entries so they don't fill the log in the first place.
Top

#166820 - 2006-09-06 07:22 PM Re: Deleting Events from the .EVT file
AstaaLavista AstaaLavista Starting to like KiXtart Registered: 2005-08-11 Posts: 111 Loc: Gujarat, India.	Today is my bad day Tried copying the contents to another file... but i m getting a weird error: "Error (317 / 13D) while retrieving error information for FFFFFFFC". The sole link in google help points to some disussion in which Joel is involved.
Top

#166821 - 2006-09-06 07:42 PM

Re: Deleting Events from the .EVT file

AstaaLavista Offline

Starting to like KiXtart

Registered: 2005-08-11
Posts: 111
Loc: Gujarat, India.

Following is the code: (File1.txt exists !)
Code:


BREAK ON
DEBUG ON

$InputFile = "file1.txt"
$OutputFile = "file2.txt"
$counter = 0

$Handle1 = FreeFileHandle()
$Handle2 = FreeFileHandle()

If Open($Handle2, $OutputFile,5) = 0	
	? "Counter value: " + $counter
Else
	beep
Endif

If Open($Handle1, $InputFile,2) = 0
  $x = ReadLine($Handle1)
  While @ERROR = 0
    $counter = $counter + 1	
    ? "Line read: [" + $x + "]"
    $y = INSTR($x, "1102")
    If ($y!=0)
    	$z = WriteLine($Handle2,$x)
    EndIf
    $x = ReadLine($Handle1)
  Loop
  ? $counter
  ? @SERROR
  $rc=Close ($Handle1)
Else
  ? @SERROR
  Beep
EndIf

$rc=Close($Handle2)

Top

Page 1 of 3

Previous Topic View All Topics

Index Next Topic

Moderator: Jochen, Allen, Radimus, Glenn Barnas, ShaneEP, Ruud van Velsen, Arend_, Mart

Hop to:

Shout Box

Search the board with:
superb Board Search
or try with google:

	Web kixtart.org