Importing Windows Event Logs for Forensics

Updated: 21 May 2010 | 3 comments
shaun_b

I'm trying to take some Windows event log files (.evt) offsite to correlate with an SSIM appliance. Is this possible? The problem I'm running into is that when you open a Windows event log file in Event Viewer, the logs are only there temporarily. If you close Event Viewer, the logs are not there the next time you log in. Thus, the sensor isn't picking up the names of the Event Viewer-named files. Any easier way to do this?


Comments

Ricardo Carraretto, 12 Nov 2007

Shaun,
 
I'm not aware of any way of reading EVT log files directly, because the Windows Event Collector reads the information by connecting directly to the host's Event logs.
 
Besides that, unless the machine on which you are reading the files has the exact same programs as the one from which you saved them, you'll have trouble visualizing the Event Description. Some Event Descriptions are tied to DLLs that are installed by the programs that run on the machine, and you'll probably end up with a meaningless .evt file when reading it on another machine.
 
Cheers
 
shaun_b, 11 Dec 2007

Thanks Mate!!!

Rob Pecor, 25 Apr 2008

Yes, you can do this; I do it quite often when testing. Also, the event logs are only temporary if you have them set that way. You can change the purging properties of all the Windows Event Logs.
 
Here is what I do to take .evt files to another machine to test:
(Read all steps before doing this to prevent an unexpected shutdown.)
 
1.  Back up the .evt files from %windir%\system32\config
2.  Take these files to the 'other' machine.
     Note:  You cannot just copy them over to the machine; you need to follow the next steps.
 
3.  To place new .evt files, you have to kill the services.exe process.  However, this cannot be done using Task Manager.  I use a tool called Process Explorer - http://www.download.com/Process-Explorer/3000-2094_4-10223605.html.  Use this or some other tool to kill the services.exe process.
4.  As soon as you kill the services.exe process, Windows will prompt you that it will be shutting down in 60 seconds.  To abort this shutdown, run the following command at a command line:
      > shutdown -a
 
5.  Now, copy the .evt files to %windir%\system32\config, overwriting what is there.
6.  Restart your machine.
7.  Set up the Windows Event Collector to collect these events and send them to SSIM.
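The procedure above swaps log files under a live Service Control Manager, which is intrusive and only makes the records visible to a collector that still reads the Event Log API. For forensic correlation there is a second route that the thread does not cover: the legacy .evt container is a documented binary layout (ELF_LOGFILE_HEADER, a run of EVENTLOGRECORD structures and an ELF_EOF_RECORD, all carrying the "LfLe" marker), so the records can be parsed offline and fed to a correlation engine as text. The example below is added here and is not code from the thread or from Symantec; it builds a small constructed .evt image in memory and parses it back. It deliberately stops at the EOF record rather than trusting the header's EndOffset, and reports the header's dirty flag, because a file copied straight out of %windir%\system32\config while the service is running (step 1 above) usually has stale header offsets. Two caveats match the earlier replies: only the insertion strings are in the file, the human-readable description lives in the source's message DLL; and a circular log that has wrapped past the end of the file is not handled by this parser.

```python
"""Minimal offline parser for legacy Windows .evt (NT 3.x to 2003) logs.

Added example; constructed sample input, not a capture from the thread.
"""
import struct
from datetime import datetime, timezone

LFLE = 0x654C664C            # "LfLe" marker in the file header and every record
HEADER_FMT = "<12I"          # ELF_LOGFILE_HEADER, 48 bytes
RECORD_FMT = "<6I4H6I"       # fixed part of EVENTLOGRECORD, 56 bytes
RECORD_FIXED = struct.calcsize(RECORD_FMT)
EOF_MAGIC = (0x11111111, 0x22222222, 0x33333333, 0x44444444)
EVENT_TYPES = {1: "Error", 2: "Warning", 4: "Information",
               8: "Audit Success", 16: "Audit Failure"}


def _utf16z(text):
    return text.encode("utf-16-le") + b"\x00\x00"


def _read_utf16z(buf, pos):
    """Read one NUL-terminated UTF-16LE string; return (text, next_pos)."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2


def sid_to_str(sid):
    """Binary SID -> S-R-A-S1-S2... (empty string when the record has none)."""
    if not sid:
        return ""
    rev, count = sid[0], sid[1]
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, sid, 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)


def build_record(rec_no, event_id, event_type, source, computer, strings,
                 time_generated, sid=b""):
    """Serialise one EVENTLOGRECORD (used here only to construct sample input)."""
    body = _utf16z(source) + _utf16z(computer)
    body += b"\x00" * (-len(body) % 4)           # SID is DWORD-aligned
    sid_off = RECORD_FIXED + len(body)
    body += sid
    str_off = RECORD_FIXED + len(body)
    body += b"".join(_utf16z(s) for s in strings)
    data_off = RECORD_FIXED + len(body)
    body += b"\x00" * (-len(body) % 4)
    length = RECORD_FIXED + len(body) + 4         # trailing copy of Length
    fixed = struct.pack(RECORD_FMT, length, LFLE, rec_no, time_generated,
                        time_generated, event_id, event_type, len(strings),
                        0, 0, 0, str_off, len(sid), sid_off, 0, data_off)
    return fixed + body + struct.pack("<I", length)


def build_evt(records, dirty=False):
    """Header + records + ELF_EOF_RECORD, laid out as Windows writes them."""
    start = struct.calcsize(HEADER_FMT)
    body = b"".join(records)
    end = start + len(body)
    header = struct.pack(HEADER_FMT, 0x30, LFLE, 1, 1, start, end,
                         len(records) + 1, 1, 0x10000, 1 if dirty else 0, 0, 0x30)
    eof = struct.pack("<10I", 0x28, *EOF_MAGIC, start, end,
                      len(records) + 1, 1, 0x28)
    return header + body + eof


def parse_evt(data):
    """Return {'dirty': bool, 'events': [dict, ...]} for a non-wrapped .evt.

    Records are walked from StartOffset until the EOF record, so a stale
    EndOffset in a file copied from a live system does not matter.
    """
    hdr = struct.unpack_from(HEADER_FMT, data, 0)
    if hdr[0] != 0x30 or hdr[1] != LFLE or hdr[11] != 0x30:
        raise ValueError("not an ELF_LOGFILE header")
    dirty = bool(hdr[9] & 0x1)                    # ELF_LOGFILE_HEADER_DIRTY
    events, off = [], hdr[4]
    while off + 8 <= len(data):
        length, sig = struct.unpack_from("<2I", data, off)
        if sig == EOF_MAGIC[0] and length == 0x28:
            break
        if (sig != LFLE or length < RECORD_FIXED + 4 or off + length > len(data)
                or struct.unpack_from("<I", data, off + length - 4)[0] != length):
            raise ValueError("corrupt record at offset 0x%x" % off)
        f = struct.unpack_from(RECORD_FMT, data, off)
        rec = data[off:off + length]
        source, pos = _read_utf16z(rec, RECORD_FIXED)
        computer, _ = _read_utf16z(rec, pos)
        strings, pos = [], f[11]
        for _ in range(f[7]):
            s, pos = _read_utf16z(rec, pos)
            strings.append(s)
        events.append({
            "record": f[2],
            "time": datetime.fromtimestamp(f[3], timezone.utc).isoformat(),
            "event_id": f[5] & 0xFFFF,            # low word is what Event Viewer shows
            "type": EVENT_TYPES.get(f[6], "Unknown(%d)" % f[6]),
            "source": source, "computer": computer, "strings": strings,
            "sid": sid_to_str(rec[f[13]:f[13] + f[12]]),
        })
        off += length
    return {"dirty": dirty, "events": events}


def sample_evt():
    """Constructed Security log: one 528 logon success, one 529 failure."""
    system_sid = b"\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00"  # S-1-5-18
    return build_evt([
        build_record(1, 528, 8, "Security", "FILESRV01",
                     ["Administrator", "FILESRV01", "(0x0,0x3E7)", "2"],
                     1194868800, system_sid),
        build_record(2, 529, 16, "Security", "FILESRV01",
                     ["administrator", "WORKGROUP", "3"], 1194868860),
    ], dirty=True)


if __name__ == "__main__":
    parsed = parse_evt(sample_evt())
    print("header dirty:", parsed["dirty"])
    for ev in parsed["events"]:
        print(ev)
```

Replace `sample_evt()` with `open("SecEvent.Evt", "rb").read()` to run it over a real file; the per-event dicts can then be emitted as syslog or CSV lines for whatever collector is in use, with the computer name and record number preserved for correlation.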