NAME
grokevt-addlog - A tool for adding a raw event log to an existing GrokEVT
database.
SYNOPSIS
grokevt-addlog database-dir evt-file new-type base-type
DESCRIPTION
grokevt-addlog takes a raw event log (.evt file) and adds it to a pre-built
database generated by grokevt-builddb(1). The new log file is set up to use
the message templates of another log of the user's choosing.
This tool is primarily useful for processing deleted logs and log fragments
found on a system. While it is possible to use the database generated from one
system with the logs of another, this is not recommended for investigations
unless no alternatives exist.
ARGUMENTS
grokevt-addlog uses the following arguments:
database-dir
    The base directory for the database generated previously by
    grokevt-builddb(1).
evt-file
    The file to be added to the database.
new-type
    The new log type/name that evt-file will take on. This is the name
    that will need to be used later with grokevt-parselog(1) to access the
    new log. This type must not already exist in the database.
base-type
    The existing log type that this new log will be based on. The message
    templates from this type will be used with the new log when parsing.
    This type must exist in the current database.
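As an added example that is not part of GrokEVT, the POSIX sh wrapper below checks the four arguments listed above before handing them to grokevt-addlog, so a mistyped path or type name is caught before the database is modified. It assumes that whether new-type and base-type exist inside the database is verified by grokevt-addlog itself, since the on-disk layout of the database is not described here.

```shell
#!/bin/sh
# Added wrapper (not GrokEVT code): validates the arguments documented in the
# ARGUMENTS section before invoking grokevt-addlog. The database-internal
# checks on new-type and base-type are assumed to be done by the tool.

validate_addlog_args() {
    if [ "$#" -ne 4 ]; then
        echo "usage: grokevt-addlog database-dir evt-file new-type base-type" >&2
        return 1
    fi
    db_dir=$1; evt_file=$2; new_type=$3; base_type=$4
    # database-dir must be a directory produced earlier by grokevt-builddb(1)
    if [ ! -d "$db_dir" ]; then
        echo "database-dir '$db_dir' is not a directory (run grokevt-builddb first)" >&2
        return 1
    fi
    # evt-file must be a readable regular file (for example a recovered fragment)
    if [ ! -f "$evt_file" ] || [ ! -r "$evt_file" ]; then
        echo "evt-file '$evt_file' is not a readable file" >&2
        return 1
    fi
    # new-type is used later as a name with grokevt-parselog(1); keep it simple
    case $new_type in
        ""|*/*) echo "new-type must be a non-empty name without '/'" >&2; return 1 ;;
    esac
    # base-type must be an existing type, so it cannot be the type being created
    if [ -z "$base_type" ] || [ "$new_type" = "$base_type" ]; then
        echo "base-type must be an existing type different from new-type" >&2
        return 1
    fi
    return 0
}

# Invoke the real tool only when the arguments pass the checks above.
safe_addlog() {
    validate_addlog_args "$@" || return 1
    grokevt-addlog "$@"
}
```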
BUGS
Probably several. This particular script has not been extensively tested.
CREDITS
Written by Timothy D. Morgan.
Copyright (C) 2006-2007 Timothy D. Morgan
LICENSE
Please see the file "LICENSE" included with this software
distribution.
This program is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE. See the GNU General Public License version 2 for more
details.
SEE ALSO
grokevt(7) grokevt-builddb(1) grokevt-dumpmsgs(1) grokevt-findlogs(1)
grokevt-parselog(1) grokevt-ripdll(1)