Archiving Windows NT Event Logs
You have the option of archiving Windows NT event logs in their native format
(.evt), text format or comma-delimited format. Which is best? There is no simple
answer. It really depends on why you are archiving these logs.
.evt format has the advantage that all possible data
including binary data is preserved. One disadvantage is that the data can only
be viewed one log file at a time and only by the event viewer. If old .evt logs
are viewed at a later date, it is possible that the descriptions displayed will
not match what would have been seen if the .evt log had been viewed at the point
in time where the .evt file was archived. Descriptions are stored in .dll files of the operating system, not in the .evt data.
Depending on when the archives are viewed, the "true-to-at-point-of-archiving"
is questionable. If you backup the server and the event logs and use the
restored server to view the restored event logs, the accuracy of what you are
viewing is guaranteed. Keep lots of tapes. Verify that you can restore the
server archived. This will satisfy the most rigourous legal and forensics
requirements IF the chain of control is maintained. If the tapes are dumped and
stored under lose control, forget it.
Text and comma-delimited formats discard binary data
which may be inappropriate for forensic or legal requirements. Comma-delimited
data can be easily moved to databases such as SQL for centralized processing. It
is possible to manually or programmatically to process such centralized data for
patterns of activity (intrusions) that are difficult or impossible in isolation.
More and more commercial products use this approach. Text format has the
advantage of simplicity. It can also be a starting point for processing using
mature unix-oriented data manipulation utilities. A mixed situation is the use
of tools like dumpel.exe which can dump event log file
data. It dumps the text data and translates the much of the hex data to readable
My final point is that this is not an either-or situation. Save your
checkpoint full backups and use extracted text or comma-delimited copies for
programmatic processing. From a pure security perspective, extracting event logs
to sql databases for security analysis is a best practice.
Check out these commercial products which support centralizing event log data
to sql databases:
Event Log Tips:
Archiving Event Logs
Event Log explained
How to Delete
Corrupt Event Viewer Log Files
Restrict access to Application
and System event logs
Security Events Logon Type
Security Log Location
Suppress Browser Event Log Messages
Suppress Prevent logging of print jobs
System events in NT4 SP4
User Authentication with Windows NT
User Rights, Definition and List
Frank Heyne has made
available a Windows NT Eventlog FAQ .