I am a frequent user of LogParser and when I recently started using Windows Server 2008 beta as my desktop OS I ran into a problem with it. One of the things I use LogParser for is extracting the information I need from my customers’ event logs which are often quite large and usually from Windows Server 2003. So I got a surprise when I first tried to do this on Longhorn:
Logparser -i:EVT “select * from application.evt”
Cannot open <from-entity>: Error opening event log “\?D:customerApplication.evt“: The event log file is corrupted.
Elements processed: 0
Elements output: 0
Execution time: 0.11 seconds
Fortunately when I posted this problem to an internal group Neil Carpenter came back with a solution that had worked for him on Vista which he has also blogged about. This also worked on Longhorn (makes sense – similar code base / /API).
I was curious to understand the underlying reason though. A bit of debugging case some light on it. Turned out that when LogParser was calling OpenBackupEventLog it was failing with an error saying the event log was corrupt. The documentation for OpenBackupEventLog states that it will open a handle to a backup event log created by BackupEventLog. As the event log format has changed significantly in Vista and Longhorn compared to previous OSes (warranting a new file extension of ‘EVTX’) it is no surprise the OpenBackupEventLog has a problem with backup event logs from older versions of Windows
So, if you are working with LogParser on a Vista or Longhorn system to parse event logs from a previous version of Windows, you first need to convert the event log to EVTX format:
wevtutil export-log application.evt application.evtx /lf
LogParser will then work happily with the EVTX file as input. Just specify -i:EVT on the LogParser command line as before.