How to dump an eventlog, a source or a category


  1. Choose the object you want to dump: an eventlog, a source, a category, a file, or the user sessions, failure sessions, RAS sessions or print jobs.

    If you want to choose an object on a remote computer, you must

  2. Choose the action:

Shared options

You can dump the object only

You can select one of three output file formats by choosing the file suffix, and set several options in the option sheet windows:


You can choose the format of the date:

If you clear the eventlog, a dump "since the last dump" is of little use: it may come out empty even though the log itself is not empty.

Import file into Microsoft Access

If you import the text file into Access, import the date as a real (an OLE date is a floating-point number of days) but set the field's data type to Date.

Dump of the eventlog, sources and categories

You can dump a single event number (by giving its number; see the examples of interesting events), the entire eventlog, the events since the last dump, or one or several event types: Error, Warning, Information, Success Audit or Failure Audit.

If you want all event types, choose All Types rather than checking every button; the dump will be quicker.

With the long format, each piece of event information is placed in a separate field instead of inside a sentence, as the Event Viewer shows it. For example, you can easily obtain the size and the number of printed pages per user.

The data are formatted to be imported into Office applications such as Microsoft Excel or Microsoft Access, so line feeds are removed to get one line per event (for some events with a lot of data, such as Dr Watson events, the event may still span several lines because of the maximum line length in a file). If you want to import the file into an Office application, don't forget to choose the OLE format for the date.

Dump file content

With the usual format, you can add a title line to your output file. This is not possible for the long format, because the software cannot know the number and the content of each event-specific field.

To obtain the description of the event, you must choose the message option. When you dump a remote computer, the description is decoded with the remote computer's message files; if that fails, it is decoded with the local files and the indicator "local" is added to the message. In that case the message can only be decoded if the software or the service that registered it is also installed locally.

If you choose data hex and/or data ASCII, the event may span several lines because of the maximum line length in a file.

In the data ASCII output, only printable characters are written.

Usual format

Event number; event type; server name; date and time (OLE format for MS Office applications, or readable format); user name; domain;

Long format

The usual format, followed by each piece of event-specific information in its own field.

To identify each field, compare it with the event in the Event Viewer: the fields are given in the same order.

Dump of the user sessions, failure sessions, RAS sessions or print jobs

Dump file content

Short format

This format only contains the fields below (one X per object type that contains the field, in the column order User sessions, Failure sessions, RAS sessions, Print jobs):

Field                 User sessions / Failure sessions / RAS sessions / Print jobs
User                  X X X X
Server                X X X
Domain                X X X
Date of the event     X X
Session start date    X X
Session end date      X X
Duration              X X
Workstation           X X X X
Document              X

Long format

All the fields of the event.

Customized format

With this format you choose the fields that interest you and can modify the title of each column.

To choose the fields, you must click on the Customize button.

To modify a title, select it, then edit the string in the Title control. Don't forget to click the Modify button to apply the modification.

Dump file content

User sessions

The sessions list is built from events 528 and 540 (session start) and event 538 (session end) of the Security log, Security source, Logon/Logoff category.

Failure sessions

The sessions list is built from the Failure Audit events of the Security log, Security source, Logon/Logoff category.

RAS sessions

The sessions list is built from event 20050 of the System log, RemoteAccess source.

Under Windows 2000, this event seems not to be generated. I need your eventlog to implement the new events; please send me your eventlog.

Print jobs

The sessions list is built from event 10 of the System log, Print source.
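The session lists above are reconstructed from individual audit events. The following Python is an added example, not WDumpEvt's own code, showing one way to do that reconstruction for user sessions and failure sessions from the Security log. It assumes the NT 4.0 insertion-string order for events 528/540 (user, domain, logon ID, logon type, logon process, authentication package, workstation) and 538 (user, domain, logon ID, logon type), and pairs a logon with its logoff through the logon ID; the events in EVENTS are constructed sample data, not a real log.

```python
"""Rebuild user sessions (528/540 -> 538) and failure sessions (Failure Audit
events) from Security-log logon/logoff events.  Added example, not WDumpEvt code."""
from collections import Counter
from datetime import datetime

LOGON_EVENTS = {528, 540}   # 528 = successful logon, 540 = successful network logon
LOGOFF_EVENT = 538          # user logoff

# Constructed sample events: (time, audit type, event id, insertion strings).
# Assumed NT 4.0 string order; string index 2 is the Logon ID used for pairing.
EVENTS = [
    (datetime(1998, 2, 10, 8, 2, 11), "SUCCESS_AUDIT", 528,
     ["Administrateur", "ISABELLE", "(0x0,0x2F4A)", "2", "User32",
      "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", "ISABELLE"]),
    (datetime(1998, 2, 10, 8, 5, 40), "FAILURE_AUDIT", 529,
     ["guest", "ISABELLE", "3", "KSecDD", "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", "\\\\WS17"]),
    (datetime(1998, 2, 10, 8, 5, 52), "FAILURE_AUDIT", 529,
     ["guest", "ISABELLE", "3", "KSecDD", "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", "\\\\WS17"]),
    (datetime(1998, 2, 10, 9, 30, 0), "SUCCESS_AUDIT", 540,
     ["Isa", "ISABELLE", "(0x0,0x31C0)", "3", "NtLmSsp", "NTLM", "\\\\WS17"]),
    (datetime(1998, 2, 10, 9, 31, 15), "SUCCESS_AUDIT", 538,
     ["Isa", "ISABELLE", "(0x0,0x31C0)", "3"]),
    # Logoff whose logon is not in the dump (logged before the dump started).
    (datetime(1998, 2, 10, 12, 0, 0), "SUCCESS_AUDIT", 538,
     ["nobody", "ISABELLE", "(0x0,0x9999)", "2"]),
]


def build_user_sessions(events):
    """Pair each 528/540 with the 538 carrying the same Logon ID.

    Sessions still open at the end of the log keep end=None; a 538 without a
    matching logon yields a session with start=None (both are kept, not dropped)."""
    open_by_logon_id = {}
    sessions = []
    for when, etype, eid, strings in sorted(events, key=lambda e: e[0]):
        if etype != "SUCCESS_AUDIT":
            continue
        if eid in LOGON_EVENTS:
            user, domain, logon_id, logon_type = strings[:4]
            workstation = strings[6] if len(strings) > 6 else ""
            open_by_logon_id[logon_id] = {
                "user": user, "domain": domain, "workstation": workstation,
                "logon_type": logon_type, "start": when, "end": None, "duration": None}
        elif eid == LOGOFF_EVENT:
            user, domain, logon_id, logon_type = strings[:4]
            session = open_by_logon_id.pop(logon_id, None)
            if session is None:
                session = {"user": user, "domain": domain, "workstation": "",
                           "logon_type": logon_type, "start": None, "end": None,
                           "duration": None}
            session["end"] = when
            if session["start"] is not None:
                session["duration"] = when - session["start"]
            sessions.append(session)
    sessions.extend(open_by_logon_id.values())      # still logged on
    sessions.sort(key=lambda s: s["start"] or s["end"])
    return sessions


def build_failure_sessions(events):
    """One row per Failure Audit event: date, user, domain, workstation, event id."""
    return [{"date": when, "user": strings[0], "domain": strings[1],
             "workstation": strings[-1], "event": eid}
            for when, etype, eid, strings in sorted(events, key=lambda e: e[0])
            if etype == "FAILURE_AUDIT"]


def failures_per_workstation(failures):
    """Count failed logons by (workstation, user): repeated failures from one
    workstation against one account are what a reviewer looks for first."""
    return Counter((f["workstation"], f["user"]) for f in failures)


if __name__ == "__main__":
    for s in build_user_sessions(EVENTS):
        print(s["user"], s["start"], s["end"], s["duration"])
    print(failures_per_workstation(build_failure_sessions(EVENTS)))
```

The constructed sample deliberately includes a logoff with no visible logon and a logon with no logoff, since both occur in any dump that does not start at the first event of the log; a session builder that silently drops them hides exactly the sessions an investigator is interested in.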

Unregistered user

In the unregistered version, a line is added at the end of the file.

Dump sample in txt format for the print source, with message

INFORMATION;10;15-02-98 18:36:12;ISABELLE\Administrateur;print;ISABELLE;;Le document 3, Enveloppes étranger possédé par Administrateur a été imprimé sur HP LaserJet 4L via le port LPT1:. Taille en octets : 36124 ; pages imprimées : 2 ;
INFORMATION;10;12-02-98 21:52:26;ISABELLE\Administrateur;print;ISABELLE;;Le document 2, liste par auteurs (verifies) possédé par Administrateur a été imprimé sur HP LaserJet 4L via le port LPT1:. Taille en octets : 404182 ; pages imprimées : 4 ;
INFORMATION;10;10-02-98 21:09:45;ISABELLE\Administrateur;print;ISABELLE;;Le document 3, tit_isa.doc possédé par Administrateur a été imprimé sur HP LaserJet 4L via le port LPT1:. Taille en octets : 157284 ; pages imprimées : 1 ;
INFORMATION;10;10-02-98 19:32:34;ISABELLE\Administrateur;print;ISABELLE;;Le document 2, (Sans titre) - Bloc-notes possédé par Administrateur a été imprimé sur HP LaserJet 4L via le port LPT1:. Taille en octets : 6948 ; pages imprimées : 2 ;
WARNING;7;17-01-98 21:54:16;ISABELLE\Administrateur;print;ISABELLE;;L'imprimante HP LaserJet 4L a été remise en marche. ;
WARNING;8;17-01-98 20:53:02;ISABELLE\Administrateur;print;ISABELLE;;L'imprimante HP LaserJet 4L a été vidée. ;
WARNING;6;17-01-98 20:52:37;ISABELLE\Administrateur;print;ISABELLE;;L'imprimante HP LaserJet 4L a été temporairement arrêtée. ;
This file has been generated by an unregistered version of WDumpEvt version 2.2
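The txt dump above is what a practitioner actually works with, so here is an added Python example (not WDumpEvt code) that parses it and totals the printed bytes and pages per user, the use mentioned under the long format. The field order, type;event number;date;user;source;computer;category;message, is the one visible in the sample above and is assumed rather than documented; the message is split off after the seventh semicolon because the message text itself contains semicolons. Both date conventions are handled: the readable day-month-year form shown in the sample (assumed layout) and the OLE format, a floating-point number of days since 30 December 1899. SAMPLE_DUMP is constructed from the page's sample, with one line rewritten to the OLE date to exercise that path.

```python
"""Parse a WDumpEvt-style txt dump (semicolon-separated, one event per line) and
total printed bytes and pages per user from Print source event 10.
Added example for this page, not WDumpEvt code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the page's txt dump; the French NT messages are
# kept verbatim.  The third line uses the OLE date (35836.8817708333 is
# 10-02-98 21:09:45) instead of the readable date to show both conventions.
SAMPLE_DUMP = r"""
INFORMATION;10;15-02-98 18:36:12;ISABELLE\Administrateur;print;ISABELLE;;Le document 3, Enveloppes étranger possédé par Administrateur a été imprimé sur HP LaserJet 4L via le port LPT1:. Taille en octets : 36124 ; pages imprimées : 2 ;
INFORMATION;10;12-02-98 21:52:26;ISABELLE\Administrateur;print;ISABELLE;;Le document 2, liste par auteurs (verifies) possédé par Administrateur a été imprimé sur HP LaserJet 4L via le port LPT1:. Taille en octets : 404182 ; pages imprimées : 4 ;
INFORMATION;10;35836.8817708333;ISABELLE\Administrateur;print;ISABELLE;;Le document 3, tit_isa.doc possédé par Administrateur a été imprimé sur HP LaserJet 4L via le port LPT1:. Taille en octets : 157284 ; pages imprimées : 1 ;
WARNING;7;17-01-98 21:54:16;ISABELLE\Administrateur;print;ISABELLE;;L'imprimante HP LaserJet 4L a été remise en marche. ;
This file has been generated by an unregistered version of WDumpEvt version 2.2
"""

OLE_EPOCH = datetime(1899, 12, 30)
READABLE_FORMAT = "%d-%m-%y %H:%M:%S"      # assumed layout, as in the sample
# Size and page count inside the French event 10 message.
PRINT_RE = re.compile(r"Taille en octets : (\d+) ; pages imprimées : (\d+)")


def ole_to_datetime(value):
    """OLE Automation date: days since 30 Dec 1899 as a float (dates after the
    epoch only; negative OLE dates use a different fractional convention)."""
    return OLE_EPOCH + timedelta(seconds=round(float(value) * 86400))


def parse_date(field):
    try:
        return ole_to_datetime(field)        # OLE format chosen in the options
    except ValueError:
        return datetime.strptime(field, READABLE_FORMAT)


def parse_dump(text):
    """One dict per event line; blank lines and the unregistered trailer are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("This file has been generated"):
            continue
        parts = line.split(";", 7)           # message keeps its own semicolons
        if len(parts) != 8:
            raise ValueError("unexpected field count: %r" % line)
        etype, number, date, user, source, computer, category, message = parts
        records.append({"type": etype, "number": int(number), "date": parse_date(date),
                        "user": user, "source": source, "computer": computer,
                        "category": category, "message": message.strip()})
    return records


def print_totals(records):
    """Map user -> (bytes, pages) over Print source event 10 (document printed)."""
    totals = defaultdict(lambda: [0, 0])
    for r in records:
        if r["source"].lower() != "print" or r["number"] != 10:
            continue
        m = PRINT_RE.search(r["message"])
        if m is None:
            continue                         # message not decoded, or not the French text
        totals[r["user"]][0] += int(m.group(1))
        totals[r["user"]][1] += int(m.group(2))
    return {user: tuple(v) for user, v in totals.items()}


if __name__ == "__main__":
    for user, (nbytes, pages) in print_totals(parse_dump(SAMPLE_DUMP)).items():
        print("%s: %d bytes, %d pages" % (user, nbytes, pages))
```

The regular expression is tied to the French message text of this sample; on an English system the decoded event 10 message differs, which is one reason the long format (each value in its own field) is the better choice when the dump is meant for further processing.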

Dump sample in html format for the print source, with message and long format

10   15-02-98 18:36:12   ISABELLE\Administrateur   print   ISABELLE   Le document 3, Enveloppes étranger possédé par Administrateur a été imprimé sur HP LaserJet 4L via le port LPT1:. Taille en octets : 36124 ; pages imprimées : 2   3   Enveloppes étranger   Administrateur   HP LaserJet 4L   LPT1:   36124   2
10   12-02-98 21:52:26   ISABELLE\Administrateur   print   ISABELLE   Le document 2, liste par auteurs (verifies) possédé par Administrateur a été imprimé sur HP LaserJet 4L via le port LPT1:. Taille en octets : 404182 ; pages imprimées : 4   2   liste par auteurs (verifies)   Administrateur   HP LaserJet 4L   LPT1:   404182   4
10   10-02-98 19:32:34   ISABELLE\Administrateur   print   ISABELLE   Le document 2, (Sans titre) - Bloc-notes possédé par Administrateur a été imprimé sur HP LaserJet 4L via le port LPT1:. Taille en octets : 6948 ; pages imprimées : 2   2   (Sans titre) - Bloc-notes   Administrateur   HP LaserJet 4L   LPT1:   6948   2
7   17-01-98 21:54:16   ISABELLE\Administrateur   print   ISABELLE   L'imprimante HP LaserJet 4L a été remise en marche.   HP LaserJet 4L
8   17-01-98 20:53:02   ISABELLE\Administrateur   print   ISABELLE   L'imprimante HP LaserJet 4L a été vidée.   HP LaserJet 4L
6   17-01-98 20:52:37   ISABELLE\Administrateur   print   ISABELLE   L'imprimante HP LaserJet 4L a été temporairement arrêtée.   HP LaserJet 4L
This file has been generated by an unregistered version of WDumpEvt version 2.2