Frontpage
Forums
Tutorials
Members
Calendar
Subscription
Donate
Links
Contact 
Help
I have been searching the web and cannot seem to find a good answer on this. I sort of understand the cause but need some help on the solution.
I use the following command to export windows system logs. I want/need them to be in evtx format for later use.
wevtutil epl system c:\SystemEvents.evtx
The goal is to send them to other people which will not be viewing them on the same server. This of course cause the full event text to not be part of the exported log and the user will see something like this:
The description for Event ID XXX from source Server Administrator cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
I was reading this page: http://technet.micro...28WS.10%29.aspx
and found this snip of info in it:
Quote
To troubleshoot events that were logged on a remote computer, you must export and archive the log with the display information. The display information for the saved events is stored in the LocaleMetaData folder and should be moved with the log information when the information is viewed on another computer.
I do not understand what location (or process) this statement is referring to. There is no LocaleMetaData folder anywhere on the server so I am assuming that I need to somehow create and export some additional data along with the evtx file for it to then re-merge back on the viewing system.
Am I on the right track here and could someone tell me how to fully export the event log this with will full verbose messages?
Thanks.
Back to top
