Using the EventSentry Log Import Utility, you can import previously backed up event log files (.evtx) or log files (e.g. IIS, DHCP, etc.) into an EventSentry database so that they are searchable in the web-based reports.
Benefits
The EventSentry Log Import Utility is useful for administrators who back up all their event logs automatically with EventSentry on a regular basis but have limited database storage. Using the utility, the backed up .evtx files can be imported into the database at any time. You can also use the utility to import .evtx files that were backed up before you started using EventSentry.
You can also use the utility to import delimited and non-delimited log files into the EventSentry database. Since the utility supports command-line parameters and can run silently, it is particularly useful for importing log files on a scheduled basis.
Start the utility on a computer where you installed EventSentry with the setup application, including the management console component. You can then either start the utility through the start menu (Start -> Programs -> EventSentry -> EventSentry Database Import Utility) or by selecting "Tools -> Utilities -> Database Import Utility".
If you are importing an event log backup file, you can also right-click the "Event Log Viewer (Local)" container in the management console and select "Import Log File to Database".
Importing Event Log Backup Files
Select the event log backup (.evtx) file and select the type of event log the file contains. If the file name contains one of the strings "app", "sec", "sys", "dns", "rep" or "dir", then EventSentry will automatically detect the event log type and pre-select it. Verify that the pre-selected event log is correct: the database import utility uses this selection to translate event IDs into the full message text, so events from a file imported under the wrong event log type will not be translated correctly.
Limitations
If the total number of EventSentry licenses you purchased is less than 10, then the computer from which the event log backup file originates needs to be present in an EventSentry group. If the computer is not present, add it to a group using the management console and restart the utility.
Importing Delimited and Non-Delimited Log Files
Select a delimited or non-delimited log file to import. If you are importing a delimited log file, a log file definition for that file type needs to exist in order to import the file correctly. If no definition exists, close the utility and create a log file definition first.
The database import utility automatically updates the "Number of lines" and "File Size" values in the "Import Progress" section after a file has been selected with the "Browse" button. The utility also detects automatically whether a file uses Unix line separators (LF instead of CRLF) and imports such files correctly.
Destination
Select the database notification action that you wish to write the data to. If your EventSentry installation contains only one database notification action, then it will automatically be selected and the pull-down menu will be grayed out.
Import Progress
Once you have verified that your selection is correct you can click the "Start Import" button to start the import. This area also shows you the size of the event log backup file you are about to import, and the number of event log records contained in the event log backup file.
The progress bar shows how much data has been imported so far, and you can abort the import at any time.
Command-Line Options
The EventSentry Database Import Utility supports the following command-line options:
Command-Line Option    Explanation                                                      Example
/file:                 The event log backup (.evtx) or log file to import               /file:server01_app_072006.evtx
/action:               The name of the EventSentry action to write the data to          /action:mssql
/eventlog:             The name of the event log contained in the event log backup file /eventlog:Security
/filedefinition:       Name of an EventSentry log file definition                       /filedefinition:IIS
/nondelimited          Indicate that the file to import is a non-delimited log file
/unix                  Force utility to use a Unix line terminator
/debug                 Enable debug logging to %SYSTEMROOT%\system32\eventsentry        /debug
/?                     Shows supported command-line options                             /?
For example, to import the Security event log from the file DBSRV01_SEC-062006.evtx into the "Primary Database" action, execute the following command:
eventsentry_db_import.exe /file:"c:\logs\DBSRV01_SEC-062006.evtx" /eventlog:Security /action:"Primary Database"
If you need to import multiple log files into the mssql action, you can create a batch file that runs the utility once per file, for example:
eventsentry_db_import.exe /file:DBSRV01_SEC-062006.evtx /eventlog:Security /action:mssql
eventsentry_db_import.exe /file:DBSRV01_SEC-072006.evtx /eventlog:Security /action:mssql
eventsentry_db_import.exe /file:DBSRV01_SEC-082006.evtx /eventlog:Security /action:mssql
To import an IIS log file, which is a delimited log file, into the database using the "IIS 6" log file definition, execute the following command:
eventsentry_db_import.exe /file:ex070828.log /filedefinition:"IIS 6" /action:mssql
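The batch file above hard-codes each file name. The following PowerShell script is an added example, not part of the EventSentry documentation or product, that generalizes both the scheduled import of event log backup files and the scheduled import of delimited log files described earlier: it imports every .evtx and every IIS log found in a folder, derives the /eventlog: value from the same file name substrings the utility itself looks for ("app", "sec", "sys", "dns", "rep", "dir"), and stops on the first failed import. The folder paths, the action name "mssql", the definition name "IIS 6", the event log names other than "Security", and the assumption that the utility returns a non-zero exit code on failure are all assumptions for the example.

```powershell
# Added example, not an EventSentry script. Imports all .evtx backups and IIS logs
# from $ImportDir into the EventSentry database action $Action, then moves each
# processed file to $DoneDir so a scheduled task never imports a file twice.
param(
    [string]$ImportDir     = 'C:\logs\import',    # assumed: folder with files to import
    [string]$DoneDir       = 'C:\logs\imported',  # assumed: folder for processed files
    [string]$Action        = 'mssql',             # assumed: name of the database action
    [string]$IisDefinition = 'IIS 6',             # assumed: existing log file definition
    [string]$Tool          = 'eventsentry_db_import.exe'  # assumed to be on PATH
)

# File name substrings the utility auto-detects, mapped to event log names.
# Only "Security" is named on the page; the other names are assumptions.
# First match wins, so pass /eventlog: explicitly for ambiguous names.
$LogNameBySubstring = [ordered]@{
    'sec' = 'Security'
    'app' = 'Application'
    'sys' = 'System'
    'dns' = 'DNS Server'
    'rep' = 'File Replication Service'
    'dir' = 'Directory Service'
}

function Get-EventLogNameFromFile([string]$FileName) {
    $lower = $FileName.ToLowerInvariant()
    foreach ($key in $LogNameBySubstring.Keys) {
        if ($lower -like "*$key*") { return $LogNameBySubstring[$key] }
    }
    return $null
}

function Invoke-DbImport([string[]]$Arguments) {
    Write-Host "$Tool $($Arguments -join ' ')"
    & $Tool @Arguments
    # Assumption: a non-zero exit code signals a failed import.
    if ($LASTEXITCODE -ne 0) {
        throw "Import failed (exit code $LASTEXITCODE): $($Arguments -join ' ')"
    }
}

New-Item -ItemType Directory -Path $DoneDir -Force | Out-Null

# 1. Event log backup files: always pass /eventlog: so the import does not
#    depend on the utility guessing the log type from the file name.
Get-ChildItem -Path $ImportDir -Filter '*.evtx' | ForEach-Object {
    $logName = Get-EventLogNameFromFile $_.Name
    if (-not $logName) {
        Write-Warning "Cannot determine event log type for $($_.Name); skipping"
        return   # continue with the next file
    }
    Invoke-DbImport @("/file:$($_.FullName)", "/eventlog:$logName", "/action:$Action")
    Move-Item -Path $_.FullName -Destination $DoneDir
}

# 2. IIS log files (delimited): the log file definition must already exist.
Get-ChildItem -Path $ImportDir -Filter 'ex*.log' | ForEach-Object {
    Invoke-DbImport @("/file:$($_.FullName)", "/filedefinition:$IisDefinition", "/action:$Action")
    Move-Item -Path $_.FullName -Destination $DoneDir
}
```

Run the script from a scheduled task under an account that can read the import folder and that EventSentry accepts for the database action. Because the utility needs the originating computer to be in an EventSentry group when fewer than 10 licenses are installed, a failed import of a file from an unknown host will surface as a thrown error rather than being silently skipped, which is the behaviour you want for an unattended job.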