
Import Archived Windows Event Logs to LEM

Created by Interspire Import, last modified by MindTouch on Jun 23, 2016


Note:

It is recommended that you perform the following steps on an unused system or a blank VM, as they affect the Security log of the system on which they are performed.

To import archived Windows Event logs:

  1. On a blank system or VM, set the Windows Event Log service to start manually.
    1. Click Start, open CMD, and then run services.msc.
    2. From the Services pane, scroll to and right-click Windows Event Log > Properties.
    3. In the Startup type drop down box, select Manual, and then click OK.
  2. Reboot the system to allow your changes to be applied.
  3. Stop the LEM Agent.
    1. Click Start, open CMD, and then run services.msc.
    2. From the Services pane, scroll to and right-click SolarWinds Log and Event Manager Agent > Stop.
  4. Stop the Windows Event Log service.
    1. Click Start, open CMD, and then run services.msc.
    2. From the Services pane, scroll to and right-click Windows Event Log > Stop.
  5. Copy the .evtx file and paste it to C:\Windows\System32\winevt\Logs.
  6. Rename the .evtx file to Security.evtx.

    Note: First rename any existing Security.evtx so that it is not overwritten.

    1. In Windows Explorer, go to C:\Windows\System32\winevt\Logs.
    2. Select the archived .evtx file, and rename it to Security.evtx.
  7. Adjust readerState.xml.

    Note: 0 means to start at the beginning of the Event log.

    1. Go to C:\Windows\SysWOW64\ContegoSPOP\tools.
    2. In readerState.xml, set logStartPoint="0".
    3. Set description="Windows 7/2008/Vista Security Log".
  8. Restart the Windows Event Log service.
    1. Click Start, open CMD, and then run services.msc.
    2. From the Services pane, scroll to and right-click Windows Event Log > Start the Service.
  9. Restart the LEM Agent.
    1. Click Start, open CMD, and then run services.msc.
    2. From the Services pane, scroll to and right-click SolarWinds Log and Event Manager Agent > Start the Service.
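The steps above can be automated once the Event Log service has been set to Manual and the system rebooted (steps 1 and 2). The script below is an added example, not SolarWinds code; it assumes the LEM Agent service can be located by the display name the article gives, that the Windows Event Log service's short name is EventLog, and that readerState.xml stores logStartPoint and description as plain XML attributes (the file's full schema is not documented here).

```powershell
#Requires -RunAsAdministrator
# Added example: automates steps 3-9 of the archived Security log import.
# Assumes steps 1-2 (startup type Manual + reboot) were already done by hand.
param(
    [Parameter(Mandatory)][string]$ArchivedEvtx,
    [string]$LogDir           = 'C:\Windows\System32\winevt\Logs',
    [string]$ReaderState      = 'C:\Windows\SysWOW64\ContegoSPOP\tools\readerState.xml',
    [string]$AgentDisplayName = 'SolarWinds Log and Event Manager Agent'
)
$ErrorActionPreference = 'Stop'

# Refuse to run if step 1 was skipped: Automatic start would undo the import.
if ((Get-Service -Name EventLog).StartType -ne 'Manual') {
    throw 'Set the Windows Event Log service to Manual and reboot first (steps 1-2).'
}
# Assumption: the agent service is identified by its display name (short name unknown).
$agent = Get-Service | Where-Object DisplayName -eq $AgentDisplayName
if (-not $agent) { throw "LEM Agent service '$AgentDisplayName' not found." }

# Steps 3-4: stop the agent first, then the Event Log service and its dependents.
Stop-Service -Name $agent.Name
Stop-Service -Name EventLog -Force

# Steps 5-6: keep the host's own Security.evtx under a timestamped name, then
# place the archived log where the connector expects Security.evtx.
$target = Join-Path $LogDir 'Security.evtx'
if (Test-Path -LiteralPath $target) {
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Rename-Item -LiteralPath $target -NewName "Security.$stamp.bak.evtx"
}
Copy-Item -LiteralPath $ArchivedEvtx -Destination $target

# Step 7: point the connector at the beginning of the log (logStartPoint="0")
# and set the description. Only these two attribute values are rewritten.
$xml = Get-Content -LiteralPath $ReaderState -Raw
$xml = $xml -replace 'logStartPoint="[^"]*"', 'logStartPoint="0"'
$xml = $xml -replace 'description="[^"]*"', 'description="Windows 7/2008/Vista Security Log"'
Set-Content -LiteralPath $ReaderState -Value $xml

# Steps 8-9: bring the Event Log service back, then the agent, which now reads
# the imported events from offset 0 with their original generation times.
Start-Service -Name EventLog
Start-Service -Name $agent.Name
```

Run it as `.\Import-ArchivedSecurityLog.ps1 -ArchivedEvtx D:\archive\Security-2016-05.evtx` (constructed path); the renamed backup of the original Security.evtx stays in the Logs folder for later restoration.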

If the LEM Agent has a connector that can read the Windows Security log, it should be able to parse the copied event logs. In LEM, the DetectionTime of these parsed events matches the time at which the events were originally generated, not the time of the import.
