Submit a ticketCall us
Home > Success Center > Log & Event Manager (LEM) > Import Archived Windows Event Logs to LEM

Import Archived Windows Event Logs to LEM

Table of contents
No headers
Created by Interspire Import, last modified by MindTouch on Jun 23, 2016

Views: 1,669 Votes: 0 Revisions: 8

Note:

It is recommended that you perform the following steps on an unused system or a blank VM as these could affect the Security log on the system where they are taken from.

To import archived Windows Event logs:

  1. On a blank system or VM, set the Windows Event Log service to start manually.
    1. Click Start, Open CMD, and then run services.msc.
    2. From the Services pane, scroll to and right-click Windows Event Log > Properties.
    3. In the Startup type drop down box, select Manual, and then click OK.
  2. Reboot the system to allow your changes to be applied.
  3. Stop the LEM Agent.
    1. Click Start, open CMD, and then run services.msc.
    2. From the Services pane, scroll to and right-click SolarWinds Log and Event Manager Agent > Stop.
  4. Stop the Windows Event Log service
    1. Click Start, open CMD, and then run services.msc.
    2. From the Services pane, scroll to and right-click Windows Event Log > Stop.
  5. Copy the .evtx file and paste it to C:\Windows\System32\winevt\Logs.
  6. Rename the .evtx file to Security.evtx.

    Note: Rename first any existing Security.evtx.

    1. In Windows Explorer, go to C:\Windows\System32\winevt\Logs.
    2. Select the archived .evtx file, and rename it to Security.evtx.
  7. Adjust readerState.xml.

    Note: 0 means to start at the beginning of the Event log.

    1. Go to C:\Windows\SysWOW64\ContegoSPOP\tools.
    2. Change readerState.xml to logStartPoint=”0”.
    3. Change description to description=”Windows 7/2008/Vista Security Log”.
  8. Restart the Windows Event Log service.
    1. Click Start, open CMD, and then run services.msc.
    2. From the Services pane, scroll to and right-click Windows Event Log > Start the Service.
  9. Restart the LEM Agent.
    1. Click Start, open CMD, and then run services.msc.
    2. From the Services pane, scroll to and right-click SolarWinds Log and Event Manager Agent > Start the Service.

The LEM Agent, if it has a connector that can read the Windows Security log should be able to parse through the copied Event logs. These parsed logs have the DetectionTime in LEM matching the time the logs were initially generated.

Last modified

Tags

Classifications

Public
Powered by MindTouch ®