RangerLad
asked on
Recover archived Event Logs
Dear Experts,
Can anyone tell me how I can access older event logs than are available on the Event viewer. I need to look at the Security event log from the middle of last month but the records only start on 1st April. I am presuming that SBS 2003 has auto aged them but hoping they are also archived somewhere so I can recover them. I have never modified these settings so should be a default SBS setup. Can anyone help ?
Thanks
RangerLad
Can anyone tell me how I can access older event logs than are available on the Event viewer. I need to look at the Security event log from the middle of last month but the records only start on 1st April. I am presuming that SBS 2003 has auto aged them but hoping they are also archived somewhere so I can recover them. I have never modified these settings so should be a default SBS setup. Can anyone help ?
Thanks
RangerLad
ASKER
Sounds like I have missed the boat on this one then. Unless there is another way to track what date/time users logged onto the network ?
RangerLad
RangerLad
Internally? There actually is, in a way. Although it won't be definitive to the person but rather the workstation.
Are you trying to prove whether or not someone logged in at a certain time? Or later? etc?
There are various logs on each workstation which record a number of activities. The one that I'm thinking of which would always timestamp an initial login for the day is C:\Program Files\Microsoft Windows Small Business Server\Clients\SBSClientAp ps.log. This log file is appended by the SBS_LOGIN_SCRIPT which runs whenever someone logs on. There is no growth management of the log, so it just keeps growing and has information back to the day the workstation was deployed. But it doesn't log username.
Jeff
TechSoEasy
Are you trying to prove whether or not someone logged in at a certain time? Or later? etc?
There are various logs on each workstation which record a number of activities. The one that I'm thinking of which would always timestamp an initial login for the day is C:\Program Files\Microsoft Windows Small Business Server\Clients\SBSClientAp
Jeff
TechSoEasy
ASKER
Jeff
Yes, finding out the workstation logons is exactly what I need. I assume you mean that a central log is on the server rather than each workstation ? The only messages in this log on the server are:
10/04/2007 18:33
-- Starting AppLnch.exe --
-- calling DwWaitForShell( 45000 )
- CreateMutex() returned valid and didn't already exist -
CheckPreInstall() - Server-Admin Shortcut already
-- Main() - on the SBS server, did the server-side work, exiting --
Repeated hundereds of times for various dates, they are not consistant with instances of logons to networks
RangerLad
Yes, finding out the workstation logons is exactly what I need. I assume you mean that a central log is on the server rather than each workstation ? The only messages in this log on the server are:
10/04/2007 18:33
-- Starting AppLnch.exe --
-- calling DwWaitForShell( 45000 )
- CreateMutex() returned valid and didn't already exist -
CheckPreInstall() - Server-Admin Shortcut already
-- Main() - on the SBS server, did the server-side work, exiting --
Repeated hundereds of times for various dates, they are not consistant with instances of logons to networks
RangerLad
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
You would need a third party event log archiving tool in order to accomplish that... although it sounds like that recommendation is a bit late for your current needs.
Externall access logs, however, are kept because those would be coming in through IIS. You'll find those logs in C:\Windows\System32\logfil
Jeff
TechSoEasy