How to properly "merge/purge" exported windows event logs?

I'm looking for ideas/suggestions on how to improve my process for de-duplicating Windows event log entries in exported .evt files.

We collect exported Windows logs from a number of machines on a daily basis. These are transferred to a separate facility for archiving, analysis, etc. Our process renames each log file by year and day number, and it is then archived. For the machine "server1", for example, we have each day's logs available in files like this:

server1_2016_001_application.evt
server1_2016_002_application.evt
server1_2016_003_application.evt

...and so on, for each log type (system, security, and others as well).

In order to avoid getting lots of duplication, I've been using wevtutil to produce trimmed-down copies of these files, like so:

wevtutil epl "application.evt" "server1_2016_003_application.evt" "/q:*[System[TimeCreated[@SystemTime>='2016-01-02T00:00:00.000Z' and @SystemTime<='2016-01-02T23:59:59.999Z']]]" /lf:true /ow:true

But this, and other attempts I've made, are clumsy: the "003" export might not have all of the entries for day 3, since I don't have control over when the logs are exported at the source. I can instead process only the previous day's entries, but there are times when I want/need to see events right up to the point the logs were exported.

So I'm trying to figure out a way to determine the last log entry in a given file, so that the next day I can query for events that occur after that entry. IOW, for each event log type on each machine, I want to capture the time tag, etc. of the last entry and persist that info to disk for the next day, so I can read it and use that info as the starting point for that day's processing.
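One way to build that checkpoint, as an added example that is not code from the question: read the last record of each exported file, persist its EventRecordID and TimeCreated to a small JSON file (the file name used here is hypothetical), and on the next day pass a strict ">" filter to wevtutil so the checkpointed record itself is not exported twice. It assumes wevtutil.exe and Get-WinEvent are available and that the files follow the question's naming pattern.

```powershell
# Added example, not code from the question. Assumes PowerShell 5+ with
# wevtutil.exe, and exported .evt/.evtx files named like the question's
# server1_2016_003_application.evt. Get-WinEvent requires -Oldest for
# legacy .evt files, so records are read oldest-first and the last one kept.

function Get-LastEventCheckpoint {
    param([Parameter(Mandatory)][string]$Path)
    $last = Get-WinEvent -Path $Path -Oldest -ErrorAction SilentlyContinue |
            Select-Object -Last 1
    if (-not $last) { return $null }   # empty export: caller keeps the old checkpoint
    [pscustomobject]@{
        File        = Split-Path $Path -Leaf
        RecordId    = $last.RecordId
        # UTC, millisecond precision: the form the @SystemTime filter compares against
        TimeCreated = $last.TimeCreated.ToUniversalTime().ToString('yyyy-MM-dd\THH:mm:ss.fff\Z')
    }
}

function Save-Checkpoint {
    param([Parameter(Mandatory)]$Checkpoint, [Parameter(Mandatory)][string]$StorePath)
    $Checkpoint | ConvertTo-Json | Set-Content -Path $StorePath -Encoding UTF8
}

function Export-NewEvents {
    param(
        [Parameter(Mandatory)][string]$SourcePath,   # today's raw export
        [Parameter(Mandatory)][string]$OutPath,      # trimmed copy to write
        [Parameter(Mandatory)][string]$StorePath     # yesterday's checkpoint (JSON)
    )
    $cp = Get-Content -Path $StorePath -Raw | ConvertFrom-Json
    $newest = Get-WinEvent -Path $SourcePath -Oldest -ErrorAction SilentlyContinue |
              Select-Object -Last 1
    if ($newest -and $newest.RecordId -ge $cp.RecordId) {
        # Normal case: record numbering continued, so EventRecordID is an exact cut
        # (strict '>' so the checkpointed record is not exported a second time).
        $query = "*[System[EventRecordID > $($cp.RecordId)]]"
    } else {
        # Source log was cleared and record ids restarted: fall back to the time stamp.
        $query = "*[System[TimeCreated[@SystemTime > '$($cp.TimeCreated)']]]"
    }
    & wevtutil.exe epl $SourcePath $OutPath "/q:$query" /lf:true /ow:true
    if ($LASTEXITCODE -ne 0) { throw "wevtutil failed with exit code $LASTEXITCODE" }
    # Advance the checkpoint for tomorrow's run, unless today's export was empty.
    $next = Get-LastEventCheckpoint -Path $SourcePath
    if ($next) { Save-Checkpoint -Checkpoint $next -StorePath $StorePath }
}

# Day 1: seed the checkpoint from the first full export (hypothetical store name).
# Save-Checkpoint (Get-LastEventCheckpoint 'server1_2016_002_application.evt') 'server1_application.json'
# Day 2: export only what arrived after that record.
# Export-NewEvents 'server1_2016_003_application.evt' 'server1_2016_003_application_new.evtx' 'server1_application.json'
```

Keep one checkpoint file per machine and log type, since EventRecordID is only meaningful within a single source log; the time-stamp fallback can still drop events that share the checkpoint's millisecond, which is why the record id is preferred whenever numbering has continued.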
