A few months back I made a couple of posts (Part 1, Part 2) regarding Microsoft’s LogParser. Since that time I have been getting my fair share of use from it. Recently, I had the need to analyze the Event Logs on a number of machines. There is the EventLog Snap-In for MMC; however this really doesn’t allow you to do more than basic viewing or broad filtering of events. (One thing I will give it is that it allows for the connection to the event logs on remote machines. Admittedly, I do have a saved console with about 5 or so machines that I browse through the logs of often.) Once again this Free Gem came to my rescue. One of the input sources of LogParser is the EventLog (EVT) Input Format. With LogParser you can select EventLog data (using a SQL like syntax) from a local or remote EventLog and output it to one of LogParser’s output format.

The EVT fields available for selection are EventLog, RecordNumber, TimeGenerated, TimeWritten, EventID, EventType, EventTypeName, EventCategory, EventCategoryName, SourceName, Strings, ComputerName, SID, Message and Data.

With these fields a number of data extractions can be put together rather quickly. Here are a couple of basic ones (The charts are the actual charts created by LogParser):







I have found the LogParser help file quite useful. There are plenty of examples, of which one explains how to do percentages.

I have also created an app using the EventLog Class that allows me to work with logs. This was my maiden voyage with this class and hopefully I’ll post on my experience shortly. I also hope to tighten it up for a more ‘universal use’ and post it for download.

Labels: Apps, Information, Tech