Submit a ticketCall us

Don’t fall victim to a ransomware attack
Backups are helpful, but sometimes that’s not enough to protect your business against ransomware. At our live webcast we will discuss how to protect against ransomware attacks with SolarWinds® Patch Manager and how to leverage log data to detect ransomware. Register now for our live webcast.

Home > Success Center > Log & Event Manager (LEM) > Import Archived Windows Event Logs to LEM

Import Archived Windows Event Logs to LEM

Table of contents
No headers
Created by Interspire Import, last modified by MindTouch on Jun 23, 2016

Views: 111 Votes: 0 Revisions: 8

Note:

It is recommended that you perform the following steps on an unused system or a blank VM as these could affect the Security log on the system where they are taken from.

To import archived Windows Event logs:

  1. On a blank system or VM, set the Windows Event Log service to start manually.
    1. Click Start, Open CMD, and then run services.msc.
    2. From the Services pane, scroll to and right-click Windows Event Log > Properties.
    3. In the Startup type drop down box, select Manual, and then click OK.
  2. Reboot the system to allow your changes to be applied.
  3. Stop the LEM Agent.
    1. Click Start, open CMD, and then run services.msc.
    2. From the Services pane, scroll to and right-click SolarWinds Log and Event Manager Agent > Stop.
  4. Stop the Windows Event Log service
    1. Click Start, open CMD, and then run services.msc.
    2. From the Services pane, scroll to and right-click Windows Event Log > Stop.
  5. Copy the .evtx file and paste it to C:\Windows\System32\winevt\Logs.
  6. Rename the .evtx file to Security.evtx.

    Note: Rename first any existing Security.evtx.

    1. In Windows Explorer, go to C:\Windows\System32\winevt\Logs.
    2. Select the archived .evtx file, and rename it to Security.evtx.
  7. Adjust readerState.xml.

    Note: 0 means to start at the beginning of the Event log.

    1. Go to C:\Windows\SysWOW64\ContegoSPOP\tools.
    2. Change readerState.xml to logStartPoint=”0”.
    3. Change description to description=”Windows 7/2008/Vista Security Log”.
  8. Restart the Windows Event Log service.
    1. Click Start, open CMD, and then run services.msc.
    2. From the Services pane, scroll to and right-click Windows Event Log > Start the Service.
  9. Restart the LEM Agent.
    1. Click Start, open CMD, and then run services.msc.
    2. From the Services pane, scroll to and right-click SolarWinds Log and Event Manager Agent > Start the Service.

The LEM Agent, if it has a connector that can read the Windows Security log should be able to parse through the copied Event logs. These parsed logs have the DetectionTime in LEM matching the time the logs were initially generated.

Last modified
20:01, 22 Jun 2016

Tags

Classifications

Public