Date: 2016-04-03 09:19 Source: 我爱IT技术网 Author: Anonymous
Suppose a friend tells you that his computer has a problem and you need to analyze the system's event logs. After all, the Windows event logs record a great deal of information: application usage and crash records, all kinds of Windows system events, and so on. Yet when your friend sends over the log files from his Windows directory and you try to open and analyze them, the viewer reports that the event log is corrupted!
What is going on here?
Detailed steps:
1. The reason is simple: before Vista the event log was an .evt file; from Vista onward it is an .evtx file!
2. We can use Microsoft's Log Parser 2.2 (available from Microsoft's official page), which parses the log format supported on the corresponding system. The parsing command is:
logparser -i:EVT "SELECT * INTO a.csv FROM b.evt"
3. However, parsing an .evt-format log on Vista, Windows Server 2008, Windows 7 or later may report that the event log is corrupted. In that case the .evt file must be converted to .evtx format. Fortunately, Vista and later ship the Wevtutil (Windows Events Command Line Utility) tool!
4. Run the command: wevtutil epl application.evt application.evtx /lf:true to perform the conversion.
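As an added example (not code from the original article), the following Python script checks a file's leading magic bytes to tell a classic .evt from a modern .evtx before anything is fed to a parser, and for an .evt file produces exactly the wevtutil conversion command described above. The sample headers are constructed, and triage_log is a hypothetical helper name.

```python
import struct
from pathlib import PureWindowsPath
from typing import Dict

# Magic values of the two Windows event log container formats.
# Classic .evt (NT 4 to XP / Server 2003): a 48-byte header whose first field
# is the header length and whose second field is the ASCII signature "LfLe".
# Modern .evtx (Vista and later): the file starts with the signature "ElfFile\0".
EVT_HEADER_LEN = 0x30
EVT_SIGNATURE = b"LfLe"
EVTX_SIGNATURE = b"ElfFile\x00"


def detect_event_log_format(data: bytes) -> str:
    """Classify a log by its leading bytes: 'evt', 'evtx' or 'unknown'."""
    if data[:8] == EVTX_SIGNATURE:
        return "evtx"
    if len(data) >= 8 and data[4:8] == EVT_SIGNATURE:
        if struct.unpack("<I", data[:4])[0] == EVT_HEADER_LEN:
            return "evt"
    return "unknown"


def triage_log(filename: str, data: bytes) -> Dict[str, str]:
    """Hypothetical helper: decide how to get the file into a Vista+ parser.
    A classic .evt is first converted with wevtutil epl ... /lf:true (/lf:true
    means the argument is a file path, not a registered log name); .evtx is
    queried directly."""
    fmt = detect_event_log_format(data)
    stem = PureWindowsPath(filename).stem
    if fmt == "evt":
        return {"format": fmt,
                "action": f'wevtutil epl "{filename}" "{stem}.evtx" /lf:true'}
    if fmt == "evtx":
        return {"format": fmt, "action": f'wevtutil qe "{filename}" /lf:true'}
    return {"format": fmt, "action": "not an event log file; do not parse it"}


# Constructed sample headers (not real log files) so the script runs offline.
SAMPLE_EVT = struct.pack("<I", EVT_HEADER_LEN) + EVT_SIGNATURE + b"\x00" * 40
SAMPLE_EVTX = EVTX_SIGNATURE + b"\x00" * 40
SAMPLE_TEXT = b"Application log exported as plain text\r\n"

if __name__ == "__main__":
    for name, blob in (("application.evt", SAMPLE_EVT),
                       ("application.evtx", SAMPLE_EVTX),
                       ("application.txt", SAMPLE_TEXT)):
        print(name, triage_log(name, blob))
```

On a real file, replace the constructed samples with the first 64 bytes read from disk; the check costs nothing and explains the "event log is corrupted" message before any parser is run.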
Windows Events Command Line Utility.
Enables you to retrieve information about event logs and publishers, install
and uninstall event manifests, run queries, and export, archive, and clear logs.
Usage:
You can use either the short (for example, ep /uni) or long (for example,
enum-publishers /unicode) version of the command and option names. Commands,
options and option values are not case-sensitive.
Variables are noted in all upper-case.
wevtutil COMMAND [ARGUMENT [ARGUMENT] ...] [/OPTION:VALUE [/OPTION:VALUE] ...]
Commands:
el | enum-logs List log names.
gl | get-log Get log configuration information.
sl | set-log Modify configuration of a log.
ep | enum-publishers List event publishers.
gp | get-publisher Get publisher configuration information.
im | install-manifest Install event publishers and logs from manifest.
um | uninstall-manifest Uninstall event publishers and logs from manifest.
qe | query-events Query events from a log or log file.
gli | get-log-info Get log status information.
epl | export-log Export a log.
al | archive-log Archive an exported log.
cl | clear-log Clear a log.
Common options:
/{r | remote}:VALUE
If specified, run the command on a remote computer. VALUE is the remote computer
name. Options /im and /um do not support remote operations.
/{u | username}:VALUE
Specify a different user to log on to the remote computer. VALUE is a user name
in the form domain\user or user. Only applicable when option /r is specified.
/{p | password}:VALUE
Password for the specified user. If not specified, or if VALUE is "*", the user
will be prompted to enter a password. Only applicable when the /u option is
specified.
/{a | authentication}:[Default|Negotiate|Kerberos|NTLM]
Authentication type for connecting to remote computer. The default is Negotiate.
/{uni | unicode}:[true|false]
Display output in Unicode. If true, then output is in Unicode.
To learn more about a specific command, type the following:
wevtutil COMMAND /?
