Configure log parser Microsoft Assessment and Planning toolkit

  • Question

  • Hi,


    I am setting up the MAP tool to get the number of requests to servers in my company. I read the usage tracker guide, which indicates that I must find the path of the server log files. I found the following path: \\ex-servdc\c$\Windows\System32\winevt\Logs. It is not clear to me whether this is the path I should set or whether it is another one.

    Can someone please confirm?

    I appreciate your cooperation.

    Tuesday, June 28, 2011 1:29 PM

All replies

  • Although that is the typical location of log files on a Windows machine, what the guide was talking about was a common location where those log files are stored after you export them.  That part is very important, you MUST export them. Trying to work directly with an event log file without exporting it first will fail, as the API that MAP uses to process the log files will detect that the log hasn’t been closed properly and will report it as corrupt.

    It is recommended that you export the log files you want parsed to a common location, such as a network share or even a file on the computer that has MAP installed.  Once you have all the log files you want parsed from all the different machines, you point the MAP log parser to the file location or locations and it will begin to parse the logs.

    One note regarding log files.  Windows Server 2003, XP and older operating systems save their log files with an .evt extension. Windows Server 2008, Vista and newer operating systems save their log files as an .evtx file.  If MAP is installed on a Server 2003/XP or older machine, it will not be able to read the newer log files.  To fix this, install MAP on a Server 2008/Vista or newer machine.

     

    Thanks,

    Michael Switzer

    Tuesday, June 28, 2011 4:52 PM
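
A pre-flight check for the collection folder described in the answer above, as an added example that is not part of the original thread or of MAP: it reads each file's header to tell .evt from .evtx and to spot a header still marked dirty. It assumes the header's dirty bit is what marks a log copied live instead of exported; `classify`, `triage`, `sample_header` and the verdict strings are hypothetical names.

```python
import struct
from pathlib import Path

EVTX_MAGIC = b"ElfFile\x00"  # .evtx: signature at offset 0, flags at offset 120
EVT_MAGIC = b"LfLe"          # .evt: signature at offset 4, flags at offset 36
DIRTY = 0x0001               # "not cleanly closed" bit in both flag fields


def classify(header: bytes) -> tuple:
    """Return (format, dirty) from the first 128 bytes of a log file."""
    if header[:8] == EVTX_MAGIC and len(header) >= 124:
        return "evtx", bool(struct.unpack_from("<I", header, 120)[0] & DIRTY)
    if header[4:8] == EVT_MAGIC and len(header) >= 40:
        return "evt", bool(struct.unpack_from("<I", header, 36)[0] & DIRTY)
    return "unknown", None


def triage(folder, legacy_parser_host=False) -> dict:
    """Map each file name in the collection folder to a verdict string."""
    verdicts = {}
    for path in sorted(Path(folder).iterdir()):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            fmt, dirty = classify(fh.read(128))
        if fmt == "unknown":
            verdicts[path.name] = "not an event log"
        elif dirty:
            verdicts[path.name] = "dirty header: export it again"
        elif fmt == "evtx" and legacy_parser_host:
            verdicts[path.name] = "evtx: parse on Server 2008/Vista or newer"
        else:
            verdicts[path.name] = "ok"
    return verdicts


def sample_header(fmt: str, dirty: bool) -> bytes:
    """Constructed header for testing: only magic and flags are filled in."""
    buf = bytearray(128)
    if fmt == "evtx":
        buf[:8] = EVTX_MAGIC
        struct.pack_into("<I", buf, 120, int(dirty))
    else:
        struct.pack_into("<I4s", buf, 0, 0x30, EVT_MAGIC)
        struct.pack_into("<I", buf, 36, int(dirty))
    return bytes(buf)


if __name__ == "__main__":
    import sys
    for name, verdict in triage(sys.argv[1]).items():
        print(f"{name}: {verdict}")
```

Run it against the share or local folder that holds the exported files before pointing the MAP log parser at it.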
  • Thanks for your reply, Michael.

    I would like to know which log files (such as Security, System, Application, etc.) MAP needs for the Software Usage Tracker feature, in order to export those files.

    Regards

    Friday, July 29, 2011 9:58 PM
  • Once configured to audit the proper events, you want the Security logs (and IIS for SharePoint).


    Friday, July 29, 2011 10:45 PM