
Provided by: grokevt_0.5.0-5_all

NAME

       grokevt-parselog  -  Parse a Windows event log and generate human-readable output based on
       message resources stored in a database.

SYNOPSIS

       grokevt-parselog -?|--help

       grokevt-parselog -l database-dir

       grokevt-parselog -m database-dir log-type

       grokevt-parselog [-v] [-H] [-h] database-dir log-type

DESCRIPTION

       grokevt-parselog reads a Windows event log (.evt file) and combines that information  with
       message  templates  and  other resources stored in a pre-generated database. The result is
       then printed to stdout in comma-separated values (CSV) format.  The database must first  be
       created by grokevt-builddb(1).

ARGUMENTS

       database-dir
              This is the directory where the database is stored. Currently, the actual log files
              from the original system are also stored in this directory tree.

       log-type
              This is the Windows name for the log. By default Windows has the following logs:

                           Application
                           Security
                           System

              But others may have been created by third-party software.  Use  the  -l  option  to
              print a list of all available log types. (The log names are case-sensitive.)

OPTIONS

       -?     Prints a basic usage statement.

       --help Same as -?.

       -l     Log list mode. Lists the logs available in the specified database.

       -m     Meta information mode. Lists meta information stored in the header of the specified
              log file. Does not print any actual log records. (Format of output in this mode  is
              still subject to change.)

       -v     Verbose mode. Prints status messages to stderr, which can be helpful for debugging.

       -h     Prints a header row at the top of the CSV output containing labels for each column.
              (This is the default behavior.)

       -H     Disables the printing of a header row. This is useful when grokevt-parselog is used
              in a script.

OUTPUT

       While the output format is compatible with programs (such as spreadsheets) that understand
       the de facto CSV standard format, the format is additionally constrained in that each  log
       entry  is  written to a single line. Also, special characters and non-printable characters
       are encoded using a URL-like encoding format of "%XX", where XX are the hexadecimal digits
       of  the  encoded  byte.  Newline  characters and other special characters along with
       binary data are encoded this way to allow for easy use of grep(1) and similar command line
       tools.
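       The following is an added example, not part of grokevt, showing how an analyst can read
       that one-record-per-line, %XX-encoded CSV back into raw fields (restoring newlines and
       binary data) after filtering it with grep(1). The column labels and the sample output are
       constructed for illustration; grokevt's real header labels are not given on this page.

```python
import csv
import io
import re

# Matches one "%XX" escape as described in the OUTPUT section.
_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")


def decode_field(field: str) -> bytes:
    """Reverse the %XX encoding on one CSV field, returning raw bytes.

    Non-printable characters and binary data are encoded byte by byte, so the
    decoded value is bytes; the caller decides how to render it as text.
    """
    out = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(field):
        out += field[pos:m.start()].encode("utf-8")
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += field[pos:].encode("utf-8")
    return bytes(out)


def parse_output(text: str) -> list[dict[str, bytes]]:
    """Parse grokevt-parselog output that includes a header row (the default).

    Every record is a single physical line, so no multi-line CSV handling is
    needed; decoded fields are keyed by the header labels.
    """
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    return [dict(zip(header, (decode_field(f) for f in row))) for row in reader]


def render(record: dict[str, bytes]) -> dict[str, str]:
    """Render decoded fields as text; undecodable bytes (see the limited
    Unicode support noted under BUGS) are replaced rather than aborting."""
    return {k: v.decode("utf-8", errors="replace") for k, v in record.items()}


# Constructed sample in the shape the OUTPUT section describes: a header row
# (assumed column names), then one record per line with an encoded newline
# (%0A), encoded quotes (%22) and raw bytes (%00%01%FF).
SAMPLE_OUTPUT = (
    "record,source,message,data\n"
    "1,EventLog,Service started%0ASecond line,%00%01%FF\n"
    "2,Security,Logon failed for user %22bob%22,\n"
)

if __name__ == "__main__":
    for rec in parse_output(SAMPLE_OUTPUT):
        print(render(rec))
```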

EXAMPLES

       To list all available log types stored in '~/example.grokevt':

              grokevt-parselog -l ~/example.grokevt

       To read the 'Application' log from the database stored in '~/example.grokevt' and print it
       to stdout:

              grokevt-parselog ~/example.grokevt Application

       To read the 'System' log from the database stored in '~/example.grokevt' and print  it  to
       stdout without a header, and with verbosity turned on:

              grokevt-parselog -v -H ~/example.grokevt System

BUGS

       Probably a few. This script has not been extensively tested with some guest platforms.

       The  event  log  file  format  is  pretty  well understood and implemented, but some
       diabolical wrapped, dirty, or fragmentary logs may not be correctly parsed.

       Unicode support is currently limited. Any suggestions on  how  to  better  handle  Unicode
       output would be appreciated.

CREDITS

       Originally  written  by  Jamie  French.   Converted  to  Python and extended by Timothy D.
       Morgan.  Andreas Schuster has contributed greatly to the understanding of  the  event  log
       format.

LICENSE

       Please see the file "LICENSE" included with this software distribution.

       This  program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
       without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR  PURPOSE.
       See the GNU General Public License version 3 for more details.

SEE ALSO

       grokevt(7)  grokevt-addlog(1)  grokevt-builddb(1)  grokevt-dumpmsgs(1) grokevt-findlogs(1)
       grokevt-ripdll(1)