Submit a ticketCall us

Webinar: Web Help Desk for HR, Facilities and Accounting Departments
This webinar will focus on use cases for HR, Facilities and Accounting.

Having a unified ticketing and asset management system for all the departments in your company can provide end-users with a seamless experience and make things easier for your IT team. Yet, with different business tasks and objectives, many departments don’t fully understand the capabilities of Web Help Desk and how the software can be customized for effective use in their departments.
Register Now.

Home > Success Center > Log & Event Manager (LEM) > Import Archived Windows Event Logs to LEM

Import Archived Windows Event Logs to LEM

Table of contents
No headers
Created by Interspire Import, last modified by MindTouch on Jun 23, 2016

Views: 212 Votes: 0 Revisions: 8

Note:

It is recommended that you perform the following steps on an unused system or a blank VM as these could affect the Security log on the system where they are taken from.

To import archived Windows Event logs:

  1. On a blank system or VM, set the Windows Event Log service to start manually.
    1. Click Start, Open CMD, and then run services.msc.
    2. From the Services pane, scroll to and right-click Windows Event Log > Properties.
    3. In the Startup type drop down box, select Manual, and then click OK.
  2. Reboot the system to allow your changes to be applied.
  3. Stop the LEM Agent.
    1. Click Start, open CMD, and then run services.msc.
    2. From the Services pane, scroll to and right-click SolarWinds Log and Event Manager Agent > Stop.
  4. Stop the Windows Event Log service
    1. Click Start, open CMD, and then run services.msc.
    2. From the Services pane, scroll to and right-click Windows Event Log > Stop.
  5. Copy the .evtx file and paste it to C:\Windows\System32\winevt\Logs.
  6. Rename the .evtx file to Security.evtx.

    Note: Rename first any existing Security.evtx.

    1. In Windows Explorer, go to C:\Windows\System32\winevt\Logs.
    2. Select the archived .evtx file, and rename it to Security.evtx.
  7. Adjust readerState.xml.

    Note: 0 means to start at the beginning of the Event log.

    1. Go to C:\Windows\SysWOW64\ContegoSPOP\tools.
    2. Change readerState.xml to logStartPoint=”0”.
    3. Change description to description=”Windows 7/2008/Vista Security Log”.
  8. Restart the Windows Event Log service.
    1. Click Start, open CMD, and then run services.msc.
    2. From the Services pane, scroll to and right-click Windows Event Log > Start the Service.
  9. Restart the LEM Agent.
    1. Click Start, open CMD, and then run services.msc.
    2. From the Services pane, scroll to and right-click SolarWinds Log and Event Manager Agent > Start the Service.

The LEM Agent, if it has a connector that can read the Windows Security log should be able to parse through the copied Event logs. These parsed logs have the DetectionTime in LEM matching the time the logs were initially generated.

Last modified
20:01, 22 Jun 2016

Tags

Classifications

Public
Powered by MindTouch ®