Altair Technologies Ltd. - Support
EventID.Net


 

USING EVLOG

EvLog analyzes one computer at a time and is invoked with the following syntax:

EvLog config_file

or

EvLog config_file server_name

In the second form, server_name overrides the computer name set in the configuration file. This is useful when one configuration file is to be used as a template for several servers.

A sample config file, config1.ini, is included in the zip file downloaded from our site. The configuration file contains various settings that can be used to customize the analysis.

The configuration file can be created or modified using the EvLogGUI graphical interface that ships with EvLog. EvLogGUI requires the MS .NET Framework. See this page for some screenshots.

A cmd or bat file may be created containing entries for several servers. A Daily.cmd file is included in the downloaded archive. If, for example, there are 3 servers to be analyzed, create a .cmd file with an EvLog command for each server:

EvLog config_server1.ini
EvLog config_server2.ini
EvLog config_server3.ini

Each config file may be configured according to the analysis needs of that server.

* * *

Configuration file explained

Here is the content of the configuration file. The explanation that follows each setting is not part of the config file itself:

# Specify where should EvLog save the logs prior to processing (i.e. c:\logs)
Dumps directory=c:\
EvLog first saves the event logs to a text-based dump file before processing them. This setting specifies the directory used for those dumps.

# Specify the name that EvLog should use for the saved logs
Dumps prefix=dailylogs
EvLog will use the specified file prefix for the text-based dump files. Knowing the prefix lets you schedule a deletion of the dump files after the reports have been created.

# Specify the name and location of the report file
Report file=c:\dailyeventreport.html
This setting specifies the name of the HTML report. If Add time stamp is set (see below), the timestamp is inserted between the file name and its extension, e.g. dailyeventreport-2004-05-24-102305.html.

# Specify if the server name should be added to the report name
Add server name to report name = yes
This setting specifies that the name of the analyzed computer should be added to the report name. For example, if set to yes, the report name for a computer named "server1" becomes dailyeventreport-server1-2004-05-24-102305.html.

# Add time stamp to reports - the report name will be in the format prefix-yyyy-mm-dd-hourminsec.html
Add time stamp = yes
This setting specifies that a timestamp (date and hour) will be added to the report file name.

# Specify the time stamp format. Valid templates - any combination of yyyy,yy,mm (for month), dd, hour, min, sec. Default: yyyy-mm-dd-hourminsec
Timestamp format = yyyy-mm-dd-hourminsec
This setting specifies the format of the timestamp.
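The report-name rule defined by the three settings above (Report file, Add server name to report name, Add time stamp with its Timestamp format), worked through as an added Python example. This is not EvLog's own code: the key = value parser and the mapping of the template tokens to strftime codes are assumptions based on the descriptions on this page.

```python
import re
from datetime import datetime

# Constructed sample: a fragment in the EvLog config format ('#' comments, key = value).
SAMPLE_CONFIG = r"""
# Specify the name and location of the report file
Report file=c:\dailyeventreport.html
Add server name to report name = yes
Add time stamp = yes
Timestamp format = yyyy-mm-dd-hourminsec
"""

def parse_config(text):
    """Read key = value lines into a dict; '#' lines are comments, keys are lower-cased."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings

# Timestamp template tokens listed on the page, mapped to strftime codes (assumed mapping).
TOKENS = {"yyyy": "%Y", "yy": "%y", "mm": "%m", "dd": "%d",
          "hour": "%H", "min": "%M", "sec": "%S"}
# Longest tokens first so that 'yyyy' is not consumed as two 'yy'.
TOKEN_RE = re.compile("|".join(sorted(TOKENS, key=len, reverse=True)))

def format_timestamp(template, when):
    """Expand e.g. 'yyyy-mm-dd-hourminsec' to '2004-05-24-102305'."""
    return when.strftime(TOKEN_RE.sub(lambda m: TOKENS[m.group(0)], template))

def report_filename(settings, server, when=None):
    """Build base[-server][-timestamp].ext: the extras go before the extension."""
    path = settings["report file"]
    base, dot, ext = path.rpartition(".")
    if not dot:                      # report name without an extension
        base, ext = path, ""
    parts = [base]
    if settings.get("add server name to report name", "no").lower() == "yes":
        parts.append(server)
    if settings.get("add time stamp", "no").lower() == "yes":
        template = settings.get("timestamp format", "yyyy-mm-dd-hourminsec")
        parts.append(format_timestamp(template, when or datetime.now()))
    return "-".join(parts) + dot + ext

def demo_report_name():
    """Reproduce the page's example name for server1 at 2004-05-24 10:23:05."""
    return report_filename(parse_config(SAMPLE_CONFIG), "server1",
                           datetime(2004, 5, 24, 10, 23, 5))
```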

# Specify the licensee name
Licensee = Altair Technologies
This setting specifies the name of the user; it appears in the report title.

# Font to use in the report
Font Face=Verdana
Font Size=2
This setting specifies the font face and size that will be used in the report.


# Colors to use in tagging various event types
# You can use color names like yellow,red,blue, etc... as long as they are recognized by your browser
Report Background Color=#E9E9F3
Tables Background Color=#FFFFFF
Error Color=#FF9C97
Warning Color=#FFE6F9
Information Color=#FFFFFF
Success Audit Color=#FFFFFF
Failure Audit Color=#D3E2F8
These settings specify the colors used to mark the various event types, as well as other colors used in the report.

# Date format. Accepted formats: mm/dd/yy, dd/mm/yy, yy/mm/dd
Date format = mm/dd/yy
This setting specifies the date format that will be used when displaying the event date.

# What server to analyze (you can leave "computer_name" to analyze the local computer)
Server name = computer_name
This setting specifies the name of the computer to be analyzed. If no name is specified or the default computer_name is left in place, EvLog analyzes the local computer.

# The number of hours for the report (i.e. report events for the last 24 hours)
Last hours = 24
This setting specifies the time span of the analyzed events, i.e. only events recorded in the last 24 hours are reported. The minimum value is 1.

# What logs to dump
Logs = system,application,security
This setting specifies which event logs will be analyzed.

# What event types to dump
Information Events = yes
Warning Events = yes
Error Events = yes
Success Audit Events = yes
Failure Audit Events = yes
This setting specifies what type of events will be included in the report (set to yes or no).


# Exclude keywords
Exclude =
This setting excludes from the report any event matching one of the listed keywords. The syntax is: keyword1,keyword2,keyword3,etc...

# Include keywords
Include =
This setting specifies that ONLY the events matching the listed keywords will be included in the report. The syntax is: keyword1,keyword2,keyword3,etc... Note that Exclude takes precedence over Include (i.e. if an event matches both an Include and an Exclude keyword, it is excluded).

# Emailing
Send Email = no
SMTP Server = 127.0.0.1
Recipient Email Address = helpdesk@altairtech.ca
Sender Email Address = reports@altairtech.ca
These settings specify whether the reports are emailed. The SMTP server should be set to the IP address or host name of your SMTP server. The recipient address is where the report is sent; the sender address is used as its From address.

# Open the report in the browser
Open Report = yes
This setting specifies if the report should be opened in a browser once the analysis is done. Useful when doing an analysis on demand.

# Show category
Show category = no
This setting specifies whether the event category is displayed or not.


# Add time stamp to reports - the report name will be in the format prefix-yyyy-mm-dd-hhmmss.html
Add time stamp = yes
This setting specifies if a time stamp should be added to the report name (see the comment line above for the resulting format).

# Display the summary header
Display Header = yes
This setting specifies if a header with some statistical information should be displayed in the report.

# Consolidate similar events (suppress less important details)
Consolidate Events = yes
This setting specifies if EvLog should attempt to consolidate similar events. One example is security events containing the logon id (0x0383D), which is different for every logon even when it is the same user. The consolidation replaces (0x0383D) with (0xnnnnn), so that events which are identical except for the logon id are consolidated.
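The Include/Exclude keyword rules and the event type switches above, together with the logon-id consolidation just described, as one added Python example. It is not EvLog's code: the sample events are constructed, and keyword matching is assumed to be a case-insensitive substring test on the event description, which the page does not state.

```python
import re
from collections import Counter

# Constructed sample events, not real log output: (event type, description).
SAMPLE_EVENTS = [
    ("Success Audit", "Successful Logon: User Name: alice Logon ID: (0x0383D) Logon Type: 2"),
    ("Success Audit", "Successful Logon: User Name: alice Logon ID: (0x0391A) Logon Type: 2"),
    ("Success Audit", "Successful Logon: User Name: bob Logon ID: (0x03A4C) Logon Type: 10"),
    ("Error", "The Print Spooler service terminated unexpectedly."),
    ("Information", "The Print Spooler service entered the running state."),
]

def keyword_list(value):
    """Split the page's 'keyword1,keyword2,...' syntax; an empty value means no keywords."""
    return [k.strip().lower() for k in value.split(",") if k.strip()]

def select_events(events, include="", exclude="", types=None):
    """Apply the event type switches and the Include/Exclude keywords.

    Include keeps only events matching at least one keyword; an Exclude match
    always wins, as the page states. Matching is assumed (not specified on the
    page) to be a case-insensitive substring test on the description."""
    inc, exc = keyword_list(include), keyword_list(exclude)
    kept = []
    for etype, desc in events:
        if types is not None and etype not in types:   # e.g. Information Events = no
            continue
        text = desc.lower()
        if inc and not any(k in text for k in inc):
            continue
        if any(k in text for k in exc):
            continue
        kept.append((etype, desc))
    return kept

# A logon id such as (0x0383D) changes with every logon; normalize it as the page describes.
LOGON_ID_RE = re.compile(r"\(0x[0-9A-Fa-f]+\)")

def consolidate(events):
    """Replace logon ids with (0xnnnnn) and count events that then become identical."""
    counts = Counter((etype, LOGON_ID_RE.sub("(0xnnnnn)", desc)) for etype, desc in events)
    return [(n, etype, desc) for (etype, desc), n in counts.items()]
```

Running consolidate over the sample merges alice's two logons into one line with a count of 2, while bob's logon and the two spooler events stay separate.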

# Create hyperlinks for error codes (not all error codes are covered)
Create error links = yes
This setting specifies if EvLog should attempt to identify error codes listed in the event description and link them to the database of error codes at www.eventid.net.

# Create logon type links
Create logon type links = yes
This setting specifies if EvLog should attempt to identify logon types listed in the event description and link them to the page about logon types at www.eventid.net.

# Use local computer for event message files
use local = no
This setting specifies from which server EvLog will attempt to retrieve the event descriptions. These descriptions are stored in the so-called "event log message files". Many Windows services share the same message files, and these are the same on all Windows operating systems. Setting this to "yes" should improve performance, since EvLog then reads a local file rather than a remote one.

# Specifies if EvLog should report on free disk space available
Report free disk space = yes
This setting toggles the reporting of the free disk space available for the locations configured with "Locations to monitor".


# Specifies what location will be included in the free space report. Example 1: C:,D:,E: Example 2: C:\,\\server1\sharename1,\\server2\sharename2
Locations to monitor = c:
This setting specifies which drives or shares should be monitored for free disk space. Several locations can be entered separated by ",". A location can be a drive, a folder or a remote share in UNC format (e.g. \\server1\share1).

# Location with free space less than the amount specified below will be displayed with the same background color as the "Error" events. If the location is not available it will be displayed with the "Warning" color
Alarm threshold (MB) = 500
This setting specifies the threshold for free disk space monitoring. When the free disk space of a location falls below the threshold, the location is displayed on the same background as Error events. The "Warning" color is used if the location was not available when EvLog performed the check.

# The symbol that will be used to commify various numbers. Example: 2500 will be displayed as 2,500
Thousands separator symbol = ,
This setting specifies the symbol used to separate thousands when EvLog reports numbers such as free disk space in MB. Different symbols are used in different countries.

# Display services and their status
Display services = yes
If set to "yes", EvLog will append to the report a list of existing services with their running state and the user account configured to run each service. EvLog will also add a comment to a service where applicable (e.g. the service is configured to start automatically but its current state is "Stopped").

# Excludes services matching the keywords (e.g. DHCP Client,DNSClient)
Exclude services =
The services listed here will not be included in the report.

Copyright 2001-2011 Altair Technologies Ltd., All rights reserved