This week, a pointer to a solution to a problem I occasionally hit.
Windows Vista (and by extension Windows Server 2008, I assume) utilizes a new EVTX log format for event log exports. It’s XML-based, natch.
Problem: Everyone’s Favourite Log Digestion Tool Log Parser uses system APIs to read event log exports, and the old .EVT event log format isn’t “native” any more. Long story short, it chokes on them.
This, to put it mildly, was annoying, as most customers haven’t moved to Windows Server 2008 yet (I mean, it’s only five months from release – is there ever a better time?) and so supply event logs in the old format when asked.
Anyway – you can convert the old-school event logs into shiny new event logs through the user interface (just double-click the EVT, wait for it to open and display in chronological order; then do a Save As, pick a location and filename and answer an obscure question about language formatting; then find and open the newly-resaved log file), but bluntly, the GUI process leaves a bit to be desired if you have the slightest inkling towards type-A behaviour, and all I really want is something that’ll work in Log Parser, really.
WEVTUTIL (and NeilCar) to the rescue. It’s included out of the box, and it’ll convert those dusty old event logs from the command line, with nary a GUI or common dialog in sight, ready for consumption by Logparser, or any other EVTX-friendly file muncher.
Neil’s example (for the click-inhibited):
wevtutil epl application.evt application.evtx /lf:true