Event log/viewer

Larry Waibel

I want to just add Event log support to my target system. I added the Event
Log component but wasn't able to view the log locally and couldn't connect
remotely to view it. I tried copying the eventvwr.exe but that needed the
eventvwr.msc but that needed MSC support. I filtered the components and the
only one I found eventvwr.exe in is the Administration Support Tools. But
adding that blows my image size up from 62MB to 160MB! Isn't there a
component for just Event Log support? If not, any ideas what minimal things
I need to support MSC so that I can run the viewer? And am I correct that
the reason I can't remotely connect to view the log is because there's no
viewer support on the target or could there be some other reason? If I can
connect remotely without it, I don't really need the local viewer support.
 
KM

Larry,

You basically answered your questions yourself.

The "Event Log" component you added is to support the logging but not to view the logs (just the EventLog service).
You will need the "Administration Support Tools" and all its dependencies to add the Event Viewer properly. If you don't want to add a whole bunch of components you will have to analyze the dependencies and resolve only those that are really needed to support the Event Viewer (may appear to be laborious work just to get the Event Viewer working).

Personally I prefer copying the Event Log files (*.evt) offline to an XP Pro machine and reviewing them there with Event Viewer.
The paths to the log files you will find under the [HKLM\System\CurrentControlSet\Services\EventLog\Application] key, and by default they are set to %SystemRoot%\system32\config\*.Evt (e.g., AppEvent.Evt, SysEvent.Evt, SecEvent.Evt, etc.). (Just following the instructions from here: http://support.microsoft.com/default.aspx?scid=kb;en-us;315417&sd=tech)

Another alternative would be using 3rd party Event log viewing software that does not depend on so many things as the Microsoft one does. I'd think that the Resource Kit probably has such a simple tool but I never searched there for it. You may want to search for dumpel.exe.
Also, in the Server Kit there are some command line tools to query, create and trigger events in the logs. I don't think this is a good solution for you as it would require heavy script engines at least, but you may still want to take a look at it:
http://www.microsoft.com/technet/pr...elp/68672494-7700-4cbf-8392-4b6ef87b8749.mspx

Connecting to the Event Viewer log from another computer is another story. I think this is going to work only if you include the entire Administration Support Tools but I am not positive.
 
Larry Waibel

Even with the full Administration Support Tools I can't connect with the Event Viewer; and
locally (on the target) if I double-click on an event in the log I don't see its details.
I am able to map a drive to the system and tried opening the log on the target but it's
"busy" so I can't do that. And if I copy it and then try to open it, it's "corrupted".
The only way is if I use the viewer on the target to 'save' it and then I can view the
saved copy but to do that I have to have the extra 100MB. So it doesn't look like any of
that is useful.

I downloaded 'dumpel' and that can see the target logs while they're still being used and
displays the detail contents. And it works when only the Event Log component is installed
without the Admin Support Tools. So I guess that's the best I can do. Thanks once again
for your help!

From: "KM" <konstmor@nospam_yahoo.com>
Subject: Re: Event log/viewer
Date: Mon, 4 Apr 2005 14:19:30 -0700
Newsgroups: microsoft.public.windowsxp.embedded

Larry,

You basically answered your questions yourself.

The "Event Log" component you added is to support the logging but not to view the logs (just the EventLog service).
You will need the "Administration Support Tools" and all its dependencies to add the Event Viewer properly. If you don't want to add a whole bunch of components you will have to analyze the dependencies and resolve only those that are really needed to support the Event Viewer (may appear to be laborious work just to get the Event Viewer working).

Personally I prefer copying the Event Log files (*.evt) offline to an XP Pro machine and reviewing them there with Event Viewer.
The paths to the log files you will find under the [HKLM\System\CurrentControlSet\Services\EventLog\Application] key, and by default they are set to %SystemRoot%\system32\config\*.Evt (e.g., AppEvent.Evt, SysEvent.Evt, SecEvent.Evt, etc.). (Just following the instructions from here: http://support.microsoft.com/default.aspx?scid=kb;en-us;315417&sd=tech)

Another alternative would be using 3rd party Event log viewing software that does not depend on so many things as the Microsoft one does. I'd think that the Resource Kit probably has such a simple tool but I never searched there for it. You may want to search for dumpel.exe.
Also, in the Server Kit there are some command line tools to query, create and trigger events in the logs. I don't think this is a good solution for you as it would require heavy script engines at least, but you may still want to take a look at it:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/68672494-7700-4cbf-8392-4b6ef87b8749.mspx

Connecting to the Event Viewer log from another computer is another story. I think this is going to work only if you include the entire
 
KM

Larry,

Although the 'dumpel' worked for you, I'd like to clarify the first approach.

The Evt files are locked by the Event Log service.
You have to copy the Evt files *offline*. This means you will have to shut down the image (or reboot to another OS if you have a dual boot setup) and copy the files to whatever location you can get access to from an XP Pro machine. Under XP Pro you can open the files with Event Viewer.

Or, you can stop the Event Log service on the running XPe image and copy the files (you may need to disable the service and reboot, I am not 100% sure about this) online. Where 'online' means under a working XPe image.

Connecting to Event Viewer from another machine is more complicated (this means it will require more components in your image, including heavy COM+ services) so I am not sure if you even need to or will be able to fix this keeping the small footprint of your image.

--
Regards,
KM, BSquare Corp.
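
Added example, not part of the original posts: the difference between an offline copy and a copy taken while the Event Log service has the file open can be checked from the header of the copied .evt file. It assumes the documented legacy ELF_LOGFILE_HEADER layout (signature "LfLe", DIRTY flag 0x1); the function names and the sample header are constructed for illustration, and linking a DIRTY header to the "corrupted" message reported in the thread is an assumption.

```python
import struct

# ELF_LOGFILE_HEADER of a legacy .evt file: twelve little-endian DWORDs (48 bytes).
HEADER = struct.Struct("<12I")
SIGNATURE = 0x654C664C            # the bytes "LfLe"
FLAG_NAMES = {
    0x1: "DIRTY",                 # records written but the file was not properly closed
    0x2: "WRAP",                  # records have wrapped around the end of the file
    0x4: "LOGFULL_WRITTEN",       # most recent write failed because the log was full
    0x8: "ARCHIVE_SET",           # archive attribute was set for the file
}


def parse_evt_header(data: bytes) -> dict:
    """Decode the fixed header at the start of a .evt file."""
    if len(data) < HEADER.size:
        raise ValueError("shorter than the 48-byte .evt header")
    (size, sig, major, minor, start, end, next_rec, oldest_rec,
     max_size, flags, retention, end_size) = HEADER.unpack_from(data)
    # The header length is stored at both ends of the structure.
    if sig != SIGNATURE or size != HEADER.size or end_size != HEADER.size:
        raise ValueError("not a legacy .evt header")
    return {
        "version": (major, minor),
        "start_offset": start,        # offset of the oldest record
        "end_offset": end,            # offset of the end-of-file record
        "next_record": next_rec,      # number the next written record will get
        "oldest_record": oldest_rec,
        "max_size": max_size,
        "retention": retention,
        "flags": [name for bit, name in FLAG_NAMES.items() if flags & bit],
    }


def copy_is_consistent(data: bytes) -> bool:
    """True when the header says the log was closed before the copy was taken."""
    return "DIRTY" not in parse_evt_header(data)["flags"]


def build_sample_header(flags: int) -> bytes:
    """Constructed sample header (not taken from a real system)."""
    return HEADER.pack(0x30, SIGNATURE, 1, 1, 0x30, 0x1F0, 5, 1,
                       0x80000, flags, 604800, 0x30)


if __name__ == "__main__":
    for label, flags in (("offline copy", 0x0), ("live copy", 0x1 | 0x2)):
        hdr = build_sample_header(flags)
        print(label, parse_evt_header(hdr)["flags"], copy_is_consistent(hdr))
```

To check a real file, pass the first 48 bytes read from the copied .evt to `copy_is_consistent`.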

Larry Waibel

Thanks, I'd figured I'd need to somehow? stop the Event Log service to be able to copy the
files but keep in mind this is a headless/closed system that we can normally only contact
across the LAN. How would I stop and start the Event Log service from a remote system?

From: "KM" <konstmor@nospam_yahoo.com>
Subject: Re: Event log/viewer
Date: Mon, 4 Apr 2005 16:36:41 -0700
Newsgroups: microsoft.public.windowsxp.embedded

Larry,

Although the 'dumpel' worked for you, I'd like to clarify the first approach.

The Evt files are locked by the Event Log service.
You have to copy the Evt files *offline*. This means you will have to shut down the image (or reboot to another OS if you have a dual boot setup) and copy the files to whatever location you can get access to from an XP Pro machine. Under XP Pro you can open the files with Event Viewer.

Or, you can stop the Event Log service on the running XPe image and copy the files (you may need to disable the service and reboot, I am not 100% sure about this) online. Where 'online' means under a working XPe image.

Connecting to Event Viewer from another machine is more complicated (this means it will require more components in your image, including heavy COM+ services) so I am not sure if you even need to or will be able to fix this keeping the small footprint of your image.
--
Regards,
KM, BSquare Corp.

KM

Larry,

Well.. I thought you need to get the Event log files once during development time. From your last message it seems you want a consistent way of getting the logs out of the headless device that you can use in the field, right?

Well. You can "play" with services remotely again through the API or a 3rd party tool. E.g., PsService from sysinternals.com (http://www.sysinternals.com/ntw2k/freeware/psservice.shtml). I never investigated the tool dependencies, though (the dependencies that must be in your image in order to be able to connect to the psservice).

Btw, another remote tool from Sysinternals.com you can use to dump Event logs remotely: PsLogList (http://www.sysinternals.com/ntw2k/freeware/psloglist.shtml) (or the similar elogdump from the Resource Kit).

--
Regards,
KM, BSquare Corp.

