Archiving Windows NT Event Logs

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

You have the option of archiving Windows NT event logs in their native format (.evt), text format or comma-delimited format. Which is best? There is no simple answer. It really depends on why you are archiving these logs.

.evt format has the advantage that all possible data including binary data is preserved. One disadvantage is that the data can only be viewed one log file at a time and only by the event viewer. If old .evt logs are viewed at a later date, it is possible that the descriptions displayed will not match what would have been seen if the .evt log had been viewed at the point in time where the .evt file was archived. Descriptions are stored in .dll files of the operating system, not in the .evt data. Depending on when the archives are viewed, the "true-to-at-point-of-archiving" is questionable. If you backup the server and the event logs and use the restored server to view the restored event logs, the accuracy of what you are viewing is guaranteed. Keep lots of tapes. Verify that you can restore the server archived. This will satisfy the most rigourous legal and forensics requirements IF the chain of control is maintained. If the tapes are dumped and stored under lose control, forget it.

Q165959 - Reading a File Saved with the Event Viewer of Another Computer
Q157399 - Inconsistent Descriptions When Using Event Viewer

Text and comma-delimited formats discard binary data which may be inappropriate for forensic or legal requirements. Comma-delimited data can be easily moved to databases such as SQL for centralized processing. It is possible to manually or programmatically to process such centralized data for patterns of activity (intrusions) that are difficult or impossible in isolation. More and more commercial products use this approach. Text format has the advantage of simplicity. It can also be a starting point for processing using mature unix-oriented data manipulation utilities. A mixed situation is the use of tools like dumpel.exe which can dump event log file data. It dumps the text data and translates the much of the hex data to readable text formats.

My final point is that this is not an either-or situation. Save your checkpoint full backups and use extracted text or comma-delimited copies for programmatic processing. From a pure security perspective, extracting event logs to sql databases for security analysis is a best practice.

Check out these commercial products which support centralizing event log data to sql databases:
Aelita's EventAdmin

Event Log Tips:

Archiving Event Logs
Event Log explained
How to Delete Corrupt Event Viewer Log Files
Forensics: CrashOnAuditFail
Restrict access to Application and System event logs
Security Event Descriptions
Security Events Logon Type Definitions
Security Log Location
Suppress Browser Event Log Messages
Suppress Prevent logging of print jobs
System events in NT4 SP4
User Authentication with Windows NT
User Rights, Definition and List

Frank Heyne has made available a Windows NT Eventlog FAQ .

See Also

Featured Links