Introduction

EventCL is a Windows 2000 (and NT) application that clears the Windows event logs and can optionally back up the event log to a user-defined file.

This backup utility has the following features:
- Backup & clear of the Windows event log
- The logs are backed up in native format, so they can be opened by the standard NT Event Viewer
- Very flexible backup file name creation
- REMOTE MACHINE backup & clear option
- Full support for custom NT event logs

Installation

There is no special procedure to follow. Just place the program and its associated files in the Windows directory or in a dedicated folder (directory).

EventCL has been developed and tested on W2K and NT 4.0. EventCL requires no additional runtime DLLs.

Usage

EventCL <EventLogName> [<Backupfile Name> [<MachineName>]]

Where:

| Parameter | Description |
|---|---|
| EventLogName | Name of the NT event log. The standard NT event logs are Application, Security and System. However, with a little digging into the registry you can set up your own custom NT event logs. If you need to clear any of these, specify the name of your custom log. |
| [Optional] Backupfile Name | Allows the event log to be saved before being cleared. The name can be configured to indicate the time & date of the run of the application. See the table below for full configuration options. |
| [Optional] MachineName | Allows the user to specify which NT machine needs to be backed up and cleared. See the FAQ for more detailed information. |

Below is a table that shows all of the available options that can be specified for the <Backupfile Name>:

| Option | Substituted with |
|---|---|
| @a | Abbreviated weekday name |
| @A | Full weekday name |
| @b | Abbreviated month name |
| @B | Full month name |
| @d | Day of month as a decimal (01-31) |
| @H | Hour in 24-hour format (00-23) |
| @I | Hour in 12-hour format (01-12) |
| @j | Day of year as decimal number (001-366) |
| @m | Month as a decimal number (01-12) |
| @M | Minute as a decimal number (00-59) |
| @n | This parameter is substituted with the running Computer name |
| @p | Local A.M/P.M indicator for 12 hour clock |
| @S | Second as decimal number (00-59) |
| @U | Week of year as a decimal number, with Sunday as first day of week (00-53) |
| @w | Weekday as a decimal number (0-6; Sunday is 0) |
| @y | Year without century |
| @Y | Year with century |
| @@ | Percent sign '%' |

Note: adding a leading '#' removes any leading zeros from the output.

Some example uses would be:
EventCL Application myappbackup.evt
EventCL Application c:\backup\@y@m@dApplication.evt
EventCL System @A_@#jSystem.evt
EventCL System @n_@A_@#jSystem.evt
EventCL "File Replication Service" c:\backup\@n_frs_@d@m@y.evt server01.domain.com
EventCL "DNS Server" c:\backup\@n_dnss_@d@m@y.evt server01.domain.com
EventCL "Directory service" c:\backup\@n_ds_@d@m@y.evt server01.domain.com
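
To preview what a <Backupfile Name> template will produce before scheduling it, the following added example (not EventCL's own code) expands the options from the table above and reports the first two daily runs that would map to the same file name. The function names, the computer name SERVER01 and the run date are constructed for illustration; the example assumes each date/time option behaves like the strftime directive with the same letter.

```python
import re
from datetime import datetime, timedelta

# Date/time options from the table above; each is assumed to behave like
# the strftime directive with the same letter.
STRFTIME_TOKENS = set("aAbBdHIjmMpSUwyY")


def expand_backup_name(template, when, computer_name):
    """Expand an EventCL-style <Backupfile Name> template for one run."""
    def substitute(match):
        strip_zeros = match.group(1) == "#"
        code = match.group(2)
        if code == "@":
            return "%"  # the table documents '@@' as a percent sign
        if code == "n":
            return computer_name
        if code not in STRFTIME_TOKENS:
            raise ValueError("unknown option @%s in %r" % (code, template))
        value = when.strftime("%" + code)
        # '@#x' drops leading zeros; an all-zero field keeps one digit
        # (assumption: the page does not say what EventCL does here).
        return (value.lstrip("0") or "0") if strip_zeros else value

    return re.sub(r"@(#?)(.)", substitute, template)


def first_collision(template, start, days, computer_name):
    """Return the first two daily run times that map to the same name."""
    seen = {}
    for offset in range(days):
        when = start + timedelta(days=offset)
        name = expand_backup_name(template, when, computer_name)
        if name in seen:
            return seen[name], when
        seen[name] = when
    return None


if __name__ == "__main__":
    run = datetime(2000, 4, 2, 9, 5, 7)  # constructed run time
    for tpl in (r"c:\backup\@y@m@dApplication.evt", "@n_@A_@#jSystem.evt"):
        print(expand_backup_name(tpl, run, "SERVER01"))
    print(first_collision("@ASystem.evt", run, 30, "SERVER01"))
```

A template built only from a weekday name repeats after seven days, while one that includes @d@m@y stays unique per day, which matters when the backups are kept as an audit trail.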

FAQ

- Q: Why does my remote Eventlog backup fail?
- A: This can fail for a number of reasons:
1) You do not have sufficient permissions
2) You are attempting to back up the Eventlog to a local directory that does not exist on the remote drive.

The rationale behind the second point is as follows:
When invoking a remote machine backup, the NT EventLog service generates the backup file under the system account. This account does not have any network credentials, and so cannot (basically) create a remote file backup. Also, when you select a file name to back the eventlog up to on a remote machine, the selected file is LOCAL to the REMOTE machine. So if you want to back up the remote system eventlog on {REMOTE_COMPUTER} to 'c:\mylog', the actual event log is created on the '{REMOTE_COMPUTER}\c:\mylog'.

To get around this problem, EventCL takes the filename you want it backed up to and creates that on the remote machine. Once it has been created on the remote machine, the file is moved to the local machine, giving the impression that the file was backed up to the local drive.

Therefore the reason the remote call fails is that your directory does not exist on the remote machine. We could have made the backup create a temporary file under 'c:\', but that could break a number of conventions:
1) Don't potentially litter the drives with event log backups
2) Antivirus software may raise alerts as this is unexpected disk activity
3) Auditing may be turned on for the root of 'c:\'
4) In a failure case the file is potentially available to hackers.

By using a known location, the administrator can secure that directory on both the remote and local machine. In the event of the worst network failure, the eventlog will be copied to the remote machine directory, the connection is broken so the file is not moved to the local machine, and the log is not cleared. This leaves the backup file in a secured directory, hopefully away from hackers' eyes.
- Q: Can I back up W2K-specific event logs?
- A: Yes you can. However, whenever the event log name has spaces in it (e.g. "File Replication Service") you have to enclose the name in matching double quotes. It is generally considered good practice to always include double quotes around the log names.
- Q: When a local dump is made on a local machine, the option @n uses the NetBIOS name of the W2K machine instead of its full computer name (= DNS name). Is there a workaround?
- A: This is easily solved. You just have to manually place the remaining DNS path after the @n option.
Example = @n.domain.com_frs_@d@m@y.evt
- Q: Can I use EventCL within a Windows 2000 forest?
- A: Yes, in fact it is even easier to use within a Windows 2000 forest than within an NT4 domain, because you can schedule the task with a specific account. Note that this account must have proper administrative rights within the forest to clear the event logs, for example an account that is a member of the Enterprise Admins.
- Q: EventCL just doesn't believe the specified REMOTE eventlog is a valid name?
- A: In order to validate the name of the log file, EventCL checks the name locally. Therefore, if you are running EventCL on a machine that doesn't have the specified eventlog name defined locally, it will not accept the name. To work around this you must use a machine that has similarly defined log files.

Source Code Availability

While EventCL is free, for mission critical environments (government agencies, banks etc.) it is useful to ensure the code you are installing does not contain any backdoors, viruses etc. We guarantee that EventCL does not have any flaws; however, for those needing more than our word, the source may be purchased at the following link:
Purchase Source Code

Premier Support Availability

Premier support has now been added to EventCL. This allows customers to register EventCL on a per machine basis for premier support. This support level guarantees a response within 36 hours, with an expected turnaround of less than 4 hours. In addition to standard problem diagnosis, with this support level you get priority treatment for product modifications and a dedicated premier support email address for maximum expediency. Finally, this support also helps us support our free product set. Naturally we are still available for non-premier support at support@Mo-Ware.com.

Premier support may be purchased at the following link:
Purchase Premier Support

Future Enhancements

Known Bugs / Restrictions

- When backing up a remote event log to the local machine the 'local' directory must exist on the 'remote' machine. This behavior is a result of both the NT operating system and a design decision of Mobiusware. Therefore we can say 'This is by design'!

Comments from satisfied users

"Even the NT Resource KIT (2000-version also) does not have a tool that can perform the same as EventCL.exe. NT Resource KIT has DumpEL.exe. This tool doesn't even come near EventCL.exe.
Why is EventCL.exe so good?
1. Backup and Clean option in one.
2. The logs are backed up in native format, so they can be opened by the eventviewer.
3. Very flexible in filename-creation
4. Freeware
5. ****** REMOTE OPTION ******** "

"Now I have only ONE batchfile to run at ONE location! All logfiles at our 21 servers are backed up automatically."

"I would like to compliment you on your EXCELLENT support. I have been sitting here fighting with xxxx over a down server, trying to figure out where the engineer is who is supposed to fix it. He is 4 hours late. Every time I call them, I get another excuse. I have provided customer service for over 25 years, and you have certainly gone the extra yard."

History

Web page update [December 18, 2001]
- Updated the FAQ (thanks to Marco K.) for the W2K information. Any other tips welcomed!
- Added option to purchase source code to EventCL, and purchase Premier support

Version 1.1 Build(90) [June 18, 2000]
- ** NEW FEATURE ** Remote logs can now be backed up to the local calling machine
- Fixed bug when backing up the security log if some security settings were set [Thanks go to Marco K. for the feedback and help on this one!].

Version 1.1 Build(32) [April 2, 2000]
- Added the computer name parameter @n. This enables the computer name to be included in the event log backup filename. So '@n.evt' would map to 'COMPUTERNAME.evt'.
- Added additional error detection. Now attempts to detect if the backup file location can be written to; if not, an error is shown.

Version 1.0.0.3 [April 9, 1999]
- Fixed a bug if trying to use EventCL in a batch file with a named backup file that takes date/time parameters. This involved the changing of the date/time token from '%' to '@', therefore avoiding any conflicts with CMD or 4NT environment variables.

Version 1.0.0.2 [April 8, 1999]
- Added functionality to allow the backup file to take configurable date/time parameters. Thanks to Joe Hoofnagle for the suggestion!

Version 1.0.0.1 [December 29, 1998]
- Preliminary release

Goto Download page EventCL (35 KB)