If you want to choose an object of a remote computer, you must
You can select one of three formats for the output file by choosing the suffix of the file, and set several options in the options sheet windows:
You can choose the format of the date:
If you erase the event log, a dump since the last dump is of no interest and could be empty even though the log is not empty.
If you import the text file into Access, you must import the date as a real but configure the data type as a date.
You can dump one event number (by giving its number; you can find some examples of interesting events), the entire event log, the events since the last dump, or one or several types of event such as Error, Warning, Information, Success Audit or Failure Audit.
If you want all types of events, choose All Types rather than checking all the buttons; the dump will be quicker.
If you choose the long format, you can have each piece of information in a separate field and not in a sentence as the event viewer does. For example, you can easily have the size and the number of printed pages by users.
The data are formatted to be included in Office applications such as Microsoft Excel or Microsoft Access, so line feeds are removed to give one line per event (but for some events with a lot of data, such as Dr Watson events, the event could span several lines due to the maximum size of a line in a file). If you want to import the file into an Office application, don't forget to choose the OLE format for the date.
You can add a title line in your output file with the usual format. The software can't guess the number and the content of each field in the long format.
To obtain the description of the event, you must choose the message option. When you dump a remote computer, the description is decoded with the remote message files; if that fails, it is decoded with local files and the indicator local is added to the message. In this case, the message is decoded only if the software or the service is installed.
If you choose data hex and/or data ASCII, the event can span several lines due to the maximum size of a line in a file.
In the data ASCII output, only the printable characters are printed.
Event number; event type; name server; date and time (OLE format for MS Office applications or readable format); user name; domain;
Short format plus information about the event.
To identify this information, you can compare it with the eventlog. The information is given in the same order.
This format only contains the fields:
| | User sessions | Failure sessions | RAS sessions | Print jobs |
---|---|---|---|---|
User | X | X | X | X |
Server | X | X | X | |
Domain | X | X | X | |
Date of the event | X | X | ||
Session start date | X | X | ||
Session end date | X | X | ||
Duration | X | X | ||
Workstation | X | X | X | X |
Document | X |
All the fields of the event.
With this format, you can choose the fields that interest you and modify the title of each column.
To choose the fields, you must click on the Customize button.
To modify a title, you must select it and then modify the string in the Title control. Don't forget to click on the Modify button to validate the modification.
The sessions list is built from events 528 and 540 for the beginning of the session and event 538 for the end of the session, taken from the security log, security source, logon/logoff category.
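One way to pair these events into sessions, as an added example (not WDumpEvt's own code): logon events 528/540 are matched to the 538 logoff that carries the same Logon ID. The tuple layout, the sample values and the choice of Logon ID as the matching key are assumptions of this example; the page does not describe how the tool matches them.

```python
from datetime import datetime

START_IDS, END_ID = {528, 540}, 538
FMT = "%d-%m-%y %H:%M:%S"          # readable date format used in the page's samples

# Constructed sample records: (event id, date, user, domain, logon id, workstation).
# This layout is hypothetical; only the event numbers come from the page.
EVENTS = [
    (528, "15-02-98 08:01:10", "alice", "CORP", "0x0,0x1A2B", "WS01"),
    (540, "15-02-98 08:05:00", "bob",   "CORP", "0x0,0x1A40", "WS02"),
    (538, "15-02-98 08:45:00", "bob",   "CORP", "0x0,0x1A40", ""),
    (528, "15-02-98 09:00:00", "carol", "CORP", "0x0,0x1B00", "WS03"),
    (538, "15-02-98 12:31:10", "alice", "CORP", "0x0,0x1A2B", ""),
    (538, "15-02-98 13:00:00", "dave",  "CORP", "0x0,0x1C00", ""),
]

def build_sessions(events):
    """Pair logon and logoff events; return (sessions, orphan_logoffs)."""
    open_sessions, sessions, orphans = {}, [], []
    ordered = sorted(events, key=lambda e: datetime.strptime(e[1], FMT))
    for event_id, stamp, user, domain, logon_id, workstation in ordered:
        when = datetime.strptime(stamp, FMT)
        key = (domain.lower(), user.lower(), logon_id)
        if event_id in START_IDS:
            session = {"user": user, "domain": domain, "workstation": workstation,
                       "start": when, "end": None, "duration": None}
            open_sessions[key] = session
            sessions.append(session)
        elif event_id == END_ID:
            session = open_sessions.pop(key, None)
            if session is None:
                # Logoff without a logon in the dump: the log was erased or the
                # dump started after the logon (e.g. "since the last dump").
                orphans.append((stamp, user, logon_id))
            else:
                session["end"] = when
                session["duration"] = when - session["start"]
    return sessions, orphans

if __name__ == "__main__":
    for s in build_sessions(EVENTS)[0]:
        print(s["user"], s["start"], s["end"], s["duration"])
```

Sessions whose `end` stays `None` were still open at dump time or lost their logoff event, so report them separately rather than with a zero duration.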
The sessions list is built from the failure audit type events of the security log, security source, logon/logoff category.
The sessions list is built from event 20050 of the system log, RemoteAccess source.
Under Windows 2000, this event seems not to be generated. I need your eventlog to implement the new events. Please send me your eventlog.
The sessions list is built from event 10 of the system log, Print source.
In the unregistered version, a line is added at the end of the file.
```
INFORMATION;10;15-02-98 18:36:12;ISABELLE\Administrateur;print;ISABELLE;;Le document 3, Enveloppes étranger possédé par Administrateur a été imprimé sur HP LaserJet 4L via le port LPT1:. Taille en octets : 36124 ; pages imprimées : 2 ;
INFORMATION;10;12-02-98 21:52:26;ISABELLE\Administrateur;print;ISABELLE;;Le document 2, liste par auteurs (verifies) possédé par Administrateur a été imprimé sur HP LaserJet 4L via le port LPT1:. Taille en octets : 404182 ; pages imprimées : 4 ;
INFORMATION;10;10-02-98 21:09:45;ISABELLE\Administrateur;print;ISABELLE;;Le document 3, tit_isa.doc possédé par Administrateur a été imprimé sur HP LaserJet 4L via le port LPT1:. Taille en octets : 157284 ; pages imprimées : 1 ;
INFORMATION;10;10-02-98 19:32:34;ISABELLE\Administrateur;print;ISABELLE;;Le document 2, (Sans titre) - Bloc-notes possédé par Administrateur a été imprimé sur HP LaserJet 4L via le port LPT1:. Taille en octets : 6948 ; pages imprimées : 2 ;
WARNING;7;17-01-98 21:54:16;ISABELLE\Administrateur;print;ISABELLE;;L'imprimante HP LaserJet 4L a été remise en marche. ;
WARNING;8;17-01-98 20:53:02;ISABELLE\Administrateur;print;ISABELLE;;L'imprimante HP LaserJet 4L a été vidée. ;
WARNING;6;17-01-98 20:52:37;ISABELLE\Administrateur;print;ISABELLE;;L'imprimante HP LaserJet 4L a été temporairement arrêtée. ;
This file has been generated by an unregistered version of WDumpEvt version 2.2
```
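Added example (not part of WDumpEvt or of the original page): recovering the per-user size and page totals from a delimited dump like the sample above, and converting the readable date to the OLE value. The field order is inferred from the sample lines and the pattern matches the French print message shown there; both are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Lines copied from the page's sample dump, rejoined to one line per event.
LINES = [
    r"INFORMATION;10;15-02-98 18:36:12;ISABELLE\Administrateur;print;ISABELLE;;"
    r"Le document 3, Enveloppes étranger possédé par Administrateur a été imprimé "
    r"sur HP LaserJet 4L via le port LPT1:. Taille en octets : 36124 ; pages imprimées : 2 ;",
    r"INFORMATION;10;12-02-98 21:52:26;ISABELLE\Administrateur;print;ISABELLE;;"
    r"Le document 2, liste par auteurs (verifies) possédé par Administrateur a été imprimé "
    r"sur HP LaserJet 4L via le port LPT1:. Taille en octets : 404182 ; pages imprimées : 4 ;",
    r"WARNING;7;17-01-98 21:54:16;ISABELLE\Administrateur;print;ISABELLE;;"
    r"L'imprimante HP LaserJet 4L a été remise en marche. ;",
    "This file has been generated by an unregistered version of WDumpEvt version 2.2",
]

# Groups: document number, name, owner, printer, port, size in bytes, pages.
PRINT_RE = re.compile(
    r"Le document (\d+), (.+) possédé par (.+?) a été imprimé sur (.+) "
    r"via le port (\S+)\. Taille en octets : (\d+) ; pages imprimées : (\d+)")

def parse_line(line):
    """Split one dump line into fields; return None for non-event lines."""
    if line.count(";") < 7:          # e.g. the unregistered-version trailer
        return None
    # The message contains ';' itself, so split on the 7 leading delimiters only.
    etype, number, when, user, source, server, _, message = line.split(";", 7)
    return {"type": etype, "event": int(number), "user": user, "source": source,
            "server": server, "message": message.rstrip(" ;"),
            "when": datetime.strptime(when, "%d-%m-%y %H:%M:%S")}

def to_ole_date(when):
    # OLE date: days since 1899-12-30 as a real, the time being the fraction.
    return (when - datetime(1899, 12, 30)).total_seconds() / 86400

def pages_by_user(lines):
    totals = defaultdict(lambda: {"jobs": 0, "bytes": 0, "pages": 0})
    for rec in filter(None, map(parse_line, lines)):
        m = PRINT_RE.match(rec["message"])
        if rec["event"] == 10 and rec["source"] == "print" and m:
            t = totals[rec["user"]]
            t["jobs"] += 1
            t["bytes"] += int(m.group(6))
            t["pages"] += int(m.group(7))
    return dict(totals)
```

Because the document name is free text, a title containing the delimiter is handled by the bounded split but can still defeat the message pattern; such lines are skipped here rather than counted.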
10 | 15-02-98 18:36:12 | ISABELLE\Administrateur | ISABELLE | Le document 3, Enveloppes étranger possédé par Administrateur a été imprimé sur HP LaserJet 4L via le port LPT1:. Taille en octets : 36124 ; pages imprimées : 2 | 3 | Enveloppes étranger | Administrateur | HP LaserJet 4L | LPT1: | 36124 | 2 |
10 | 12-02-98 21:52:26 | ISABELLE\Administrateur | ISABELLE | Le document 2, liste par auteurs (verifies) possédé par Administrateur a été imprimé sur HP LaserJet 4L via le port LPT1:. Taille en octets : 404182 ; pages imprimées : 4 | 2 | liste par auteurs (verifies) | Administrateur | HP LaserJet 4L | LPT1: | 404182 | 4 |
10 | 10-02-98 19:32:34 | ISABELLE\Administrateur | ISABELLE | Le document 2, (Sans titre) - Bloc-notes possédé par Administrateur a été imprimé sur HP LaserJet 4L via le port LPT1:. Taille en octets : 6948 ; pages imprimées : 2 | 2 | (Sans titre) - Bloc-notes | Administrateur | HP LaserJet 4L | LPT1: | 6948 | 2 |
7 | 17-01-98 21:54:16 | ISABELLE\Administrateur | ISABELLE | L'imprimante HP LaserJet 4L a été remise en marche. | HP LaserJet 4L |
8 | 17-01-98 20:53:02 | ISABELLE\Administrateur | ISABELLE | L'imprimante HP LaserJet 4L a été vidée. | HP LaserJet 4L |
6 | 17-01-98 20:52:37 | ISABELLE\Administrateur | ISABELLE | L'imprimante HP LaserJet 4L a été temporairement arrêtée. | HP LaserJet 4L |