Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

EVENT LOG BACKUPS -- RETRIEVE MISSED EVENTS POSSIBLE?

Posted on 2006-06-15
2
Medium Priority
?
261 Views
Last Modified: 2013-12-04
When an event log is cleared (not deleted), is there anyway by which lost information can be retrieved?
My question is specific to this scenario

In the event of a parallel logging onto a common server location using tools, what would happen to the events that were logged by the PC working in a stand alone mode (disconnected from the network and server)?
Is there a tool/mechanism to keep track of these missed events?

Regards
0
Comment
Question by:AmitBAcharya
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 12

Accepted Solution

by:
gidds99 earned 1200 total points
ID: 16916120
By default, Event Viewer log files use the .evt extension and are located in the following folder:

%SystemRoot%\System32\Config

The only way I can think to possible recover any such information would be to use file recovery / undelete type software such as:

http://www.pcinspector.de/file_recovery/UK/welcome.htm

As the event logs are overwritten with the same filename I do not think you will be successfull.

There is no windows function to recover these logs.

Your question regarding the parallel logging I am unsure of as I am unfamiliar with the software but I would hazzard a guess that the local logs do not exist as they are written to a network location.

Good luck.
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 800 total points
ID: 16916700
The above is true, undelete software would be your only recourse in this case. You can use a tool like Snare to log the events to the local machine as well as to remote servers, when the event log is cleared in windows event viewer or other method, Snare logs are not affected. http://www.intersectalliance.com/projects/index.html There are also tools like GFI's SELM for this type of thing also http://www.gfi.com/lanselm/
-rich
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is a guide to the following problem (not exclusive but here) on Windows: Users need our support and we supporters often use global administrative accounts to do this. Using these accounts safely is a real challenge. Any admin who takes se…
Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
Please read the paragraph below before following the instructions in the video — there are important caveats in the paragraph that I did not mention in the video. If your PaperPort 12 or PaperPort 14 is failing to start, or crashing, or hanging, …
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question