grokevt-builddb(1) [debian man page]

grokevt-builddb(1)                                          grokevt-builddb(1)

NAME
       grokevt-builddb - Builds a database tree based on a single Windows
       system for the purpose of event log conversion.

SYNOPSIS
       grokevt-builddb [ -c CSID ] config-profile output-dir

DESCRIPTION
       grokevt-builddb uses grokevt-ripdll(1) and reglookup(1) along with
       information found in configuration files to extract all necessary
       information from a Windows installation for the conversion of event
       log files. The registry is read to determine the locations of
       critical DLLs and the event log files themselves. This, and other
       information out of the registry, is stored in a directory structure
       which acts as a kind of flat-file database. This database can then
       be used by grokevt-parselog(1) to generate human-readable output.

       The key to successfully running this utility is proper
       configuration. Please see grokevt(7) for information on what needs
       to be configured.

ARGUMENTS
       config-profile
              This is the name of the configuration profile stored in the
              global configuration directory under the directory 'systems'.
              See grokevt(7) for more details on how to properly configure
              a system profile.

       output-dir
              The path to the location of the output database. If anything
              already exists in this directory, it may be overwritten or
              deleted.

OPTIONS
       -c CSID
              This option allows one to explicitly set which ControlSet in
              the registry is used to extract event log message mappings.
              If specified, this item must be a positive decimal integer.
              If unspecified, grokevt-builddb will attempt to determine the
              best ControlSet by looking at the most recent
              CurrentControlSet, stored in the system registry under the
              path '/Select/Current'. Most users should ignore this option
              unless there is a specific reason why the last
              CurrentControlSet should not be used.

EXAMPLES
       To generate a database at '~/win2k.grokevt' based on the system
       configuration profile 'win2k':

              grokevt-builddb win2k ~/win2k.grokevt

       To repeat the last command, instead using registry information
       explicitly from /ControlSet002:

              grokevt-builddb -c 2 win2k ~/win2k.grokevt

BUGS
       Probably a few. This script has not been extensively tested with
       some guest platforms.

       The databases built with this script may not be portable to other
       systems, depending on the database drivers installed and used in
       Python.

CREDITS
       Written by Timothy D. Morgan.

       Copyright (C) 2005-2007 Timothy D. Morgan

LICENSE
       Please see the file "LICENSE" included with this software
       distribution.

       This program is distributed in the hope that it will be useful, but
       WITHOUT ANY WARRANTY; without even the implied warranty of
       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
       General Public License version 2 for more details.

SEE ALSO
       grokevt(7) grokevt-addlog(1) grokevt-dumpmsgs(1) grokevt-findlogs(1)
       grokevt-parselog(1) grokevt-ripdll(1) reglookup(1)

File Conversion Utilities        20 March 2008            grokevt-builddb(1)

grokevt-parselog(1)                                        grokevt-parselog(1)

NAME
       grokevt-parselog - Parse a Windows event log and generate
       human-readable output based on message resources stored in a
       database.

SYNOPSIS
       grokevt-parselog -?|--help

       grokevt-parselog -l database-dir

       grokevt-parselog -m database-dir log-type

       grokevt-parselog [-v] [-H] [-h] [-U] [-u] database-dir log-type

DESCRIPTION
       grokevt-parselog reads a Windows event log (.evt file) and combines
       that information with message templates and other resources stored
       in a pre-generated database. This is then printed to stdout in a
       comma-separated values (CSV) format. The database must be created
       by grokevt-builddb(1).

ARGUMENTS
       database-dir
              This is the directory where the database is stored.
              Currently, the actual log files from the original system are
              also stored in this directory tree.

       log-type
              This is the Windows name for the log. By default Windows has
              the following logs:

                     Application
                     Security
                     System

              But others may have been created by third party software.
              Use the -l option to print a list of all available log
              types. (The log names are case-sensitive.)

OPTIONS
       -?     Prints a basic usage statement.

       --help Same as -?.

       -l     Log list mode. Lists the logs available in the specified
              database.

       -m     Meta information mode. Lists meta information stored in the
              header of the specified log file. Does not print any actual
              log records. (Format of output in this mode is still subject
              to change.)

       -v     Verbose mode. Prints status messages to stderr, which can be
              helpful for debugging.

       -h     Prints a header row at the top of the CSV output containing
              labels for each column. (This is the default behavior.)

       -H     Disables the printing of a header row. This is useful when
              grokevt-parselog is used in a script.

       -u     Enables the UTF-8 output of some strings. This can be
              dangerous on terminals that are not configured to support
              UTF-8.

       -U     Disables the use of UTF-8 for output. Unicode strings are
              instead converted to UTF-8 first, and then any remaining
              non-ASCII characters are quoted. (This is the default
              behavior.)

EXAMPLES
       To list all available log types stored in '~/example.grokevt':

              grokevt-parselog -l ~/example.grokevt

       To read the 'Application' log from the database stored in
       '~/example.grokevt' and print it to stdout:

              grokevt-parselog ~/example.grokevt Application

       To read the 'System' log from the database stored in
       '~/example.grokevt' and print it to stdout without a header, and
       with verbosity turned on:

              grokevt-parselog -v -H ~/example.grokevt System
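The two man pages above describe one workflow: build the database once from a system profile, enumerate the log types it contains with -l, then export each log as CSV, using -H when the output is consumed by a script rather than read by a person. The script below is an added example and is not part of grokevt or its documentation. It assumes grokevt-builddb and grokevt-parselog are on PATH (the GROKEVT_BUILDDB and GROKEVT_PARSELOG variables are override hooks introduced here, not options of the tools), and that -l prints one log type per line; the man page does not specify that format.

```shell
#!/bin/sh
# Added example: build a grokevt database from a system profile and export
# every log type in it to one CSV file per log. Not part of grokevt.
set -e

# Hypothetical override hooks (not grokevt features): point these at the
# real commands, or at wrappers, without editing the functions below.
GROKEVT_BUILDDB="${GROKEVT_BUILDDB:-grokevt-builddb}"
GROKEVT_PARSELOG="${GROKEVT_PARSELOG:-grokevt-parselog}"

# controlset_key CSID
# Maps the decimal id passed to builddb -c to the registry key name it
# selects, e.g. 2 -> ControlSet002 (matching the man page's example).
controlset_key() {
    printf 'ControlSet%03d\n' "$1"
}

# build_db PROFILE DB_DIR [CSID]
# Runs grokevt-builddb, adding -c only when a ControlSet id is given so the
# tool's own CurrentControlSet detection is used by default.
build_db() {
    if [ -n "${3:-}" ]; then
        "$GROKEVT_BUILDDB" -c "$3" "$1" "$2"
    else
        "$GROKEVT_BUILDDB" "$1" "$2"
    fi
}

# export_logs DB_DIR CSV_DIR
# Writes CSV_DIR/<log-type>.csv for each log type reported by -l, keeping
# the header row (default) and the default -U quoting so the files stay
# ASCII-safe. Prints the number of logs exported.
export_logs() {
    db=$1; csvdir=$2; n=0
    mkdir -p "$csvdir"
    # The log list goes through a temp file rather than a pipe so that the
    # counter survives (a piped while-loop runs in a subshell in POSIX sh).
    list=$(mktemp)
    "$GROKEVT_PARSELOG" -l "$db" > "$list"
    while IFS= read -r log; do
        [ -n "$log" ] || continue
        # Log names are case-sensitive and may come from third-party
        # software; only characters unsafe in a file name are replaced.
        fname=$(printf '%s' "$log" | tr '/ ' '__')
        "$GROKEVT_PARSELOG" -U "$db" "$log" > "$csvdir/$fname.csv"
        n=$((n + 1))
    done < "$list"
    rm -f "$list"
    echo "$n"
}

# count_records DB_DIR LOG_TYPE
# Uses -H so the header row is not counted as a record.
count_records() {
    "$GROKEVT_PARSELOG" -H "$1" "$2" | wc -l | tr -d ' '
}

# Usage: sh grokevt-export.sh PROFILE DB_DIR CSV_DIR [CSID]
if [ "$#" -ge 3 ]; then
    build_db "$1" "$2" "${4:-}"
    echo "exported $(export_logs "$2" "$3") log(s) to $3"
fi
```

For the man page's own example this would be `sh grokevt-export.sh win2k ~/win2k.grokevt ~/win2k-csv`, or with `2` as a fourth argument to force /ControlSet002. The functions can also be sourced and called individually.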
BUGS
       Probably a few. This script has not been extensively tested with
       some guest platforms.

       The event log file format is pretty well understood and
       implemented, but some diabolical wrapped, dirty, or fragmentary
       logs may not be correctly parsed.

       Unicode support is currently limited. Any suggestions on how to
       better handle unicode output would be appreciated.

CREDITS
       Originally written by Jamie French. Converted to Python and
       extended by Timothy D. Morgan. Andreas Schuster has contributed
       greatly to the understanding of the event log format.

       Copyright (C) 2005-2007 Timothy D. Morgan
       Copyright (C) 2004 Jamie French

LICENSE
       Please see the file "LICENSE" included with this software
       distribution.

       This program is distributed in the hope that it will be useful, but
       WITHOUT ANY WARRANTY; without even the implied warranty of
       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
       General Public License version 2 for more details.

SEE ALSO
       grokevt(7) grokevt-addlog(1) grokevt-builddb(1) grokevt-dumpmsgs(1)
       grokevt-findlogs(1) grokevt-ripdll(1)

File Conversion Utilities        20 March 2008           grokevt-parselog(1)