
Thread: EVT Log Corrupted or Being Used By Another Process

Last post 07-03-2008 10:38 AM by hullflyer. 4 replies.

  • 06-26-2008, 2:35 PM

    EVT Log Corrupted or Being Used By Another Process

    Relatively new to log parser (v 2.2).  Have ASP pages running fine to query IIS web logs.  Now trying to get one to report on Event logs, but can't figure out how to get around access errors.  When I set the path to the actual event log file, I get:

    CLogQueryClass error '80070020' [The process cannot access the file because it is being used by another process.]

    The script that results in that error (vbscript in asp page):

    pathVar = "c:\WINDOWS\system32\config\SysEvent.evt"
    fileQry = "SELECT * FROM "&pathVar
    set logQuery = server.createobject("MSUtil.LogQuery")
    set EVT = Server.CreateObject("MSUtil.LogQuery.EventLogInputFormat")
    set recordSet = logQuery.Execute(fileQry,EVT)

    I made sure the pathVar is right and I set permissions on that folder to allow everyone full control, and it still gives the same error.  So, thinking that it's a file sharing violation, I set up a script to copy that file to a new one in the same folder.  Now that gives a new error:

    CLogQueryClass error '800705dc' [The event log file is corrupted.]

    The script that results in this new error is:

    pathVar = "c:\WINDOWS\system32\config\SysEvent.evt"
    dim fso
    set fso = server.createobject("Scripting.FileSystemObject")
    dim txtPath
    txtPath = "C:\WINDOWS\system32\config\MyEvent2.evt"
    fso.CopyFile pathVar,txtPath
    fileQry = "SELECT * FROM '"&txtPath&"' '"
    set logQuery = server.createobject("MSUtil.LogQuery")
    set EVT = Server.CreateObject("MSUtil.LogQuery.EventLogInputFormat")
    set recordSet = logQuery.Execute(fileQry,EVT)

    I double checked and I can open that original event log in the WMI Event Viewer just fine, so the original file being copied appears to be good.  The new file MyEvent2.evt is there and the same size as the original.

    Both errors are the same regardless of which event log file I specify.

    There is surprisingly little in the book or on the web about webifying log parser, especially in vbscript.  Any ideas what I'm doing wrong?  Is there a different input format I s/b using for asp?

     

  • 06-30-2008, 8:45 AM In reply to

    Re: EVT Log Corrupted or Being Used By Another Process

    Hi,

    When using EVT input format (MSUtil.LogQuery.EventLogInputFormat),  the Event Log name is implied in the query. It is not required to specify the path to the Event Log file. For example, the following query reads input records from the System and Security event logs using the EVT input format:

    SELECT *
    FROM System, Security

    Hope it helps.

    Zhao Ji Ma
    Sincerely,
    Microsoft Online Community Support

    “Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ”
  • 06-30-2008, 10:37 AM In reply to

    Re: EVT Log Corrupted or Being Used By Another Process

    Thanks for your help.  But, that was what I tried first and it does not work for me. 

    query: SELECT * FROM SECURITY

    CLogQueryClass error '80070005'

    Error opening event log "Security": Access is denied. [Access is denied.]

    I set permissions to everyone-full control on the whole windows/system32/ folder and still get that error.

     

  • 07-03-2008, 7:44 AM In reply to

    Re: EVT Log Corrupted or Being Used By Another Process

    Hi,

    You can get past the "Access is denied" error when the authenticated user has permissions to run the query.

    hullflyer:
    query: SELECT * FROM SECURITY
     

    Please disable anonymous authentication in IIS for your web application and test it with an administrative credential if you are not sure.

     

    Zhao Ji Ma
    Sincerely,
    Microsoft Online Community Support

  • 07-03-2008, 10:38 AM In reply to

    Re: EVT Log Corrupted or Being Used By Another Process

    Thank you Mr Zhao.  That was my problem.  I did not realize that the event logs folder required different permission/access methods than the IIS logs for log parser to access them. 

    For others, I was able to access event logs by removing the permissions I had added to the \system32\config\ folder (restored to normal) and then in IIS manager I right-click on the folder with my log parser app in it, click Properties and Directory Security tab, then the Edit button for Authentication and access control.  Uncheck the Enable anonymous access at top.  I left the box checked for Integrated Windows authentication under Authenticated access.  Now, I use an administrator credential to access the log parser via the web app in challenge-response (username, password) mode.

    Log parser (dll) is helping me work smarter and saving a lot of time.  Thank you.
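
Added example, not part of any post in this thread: a classic ASP page in VBScript that combines the two points the thread arrives at, naming the event log in the query instead of its .evt file and running under an authenticated (non-anonymous) request. The TOP 20 limit, the newest-first direction, the 403 response and the HTML encoding of event text are choices made for this example; the field names are those of Log Parser 2.2's EVT input format.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example: query the System event log by name through Log Parser 2.2.
' Assumes anonymous access is disabled for this folder in IIS, so the
' request runs as the authenticated Windows user.

Dim logonUser, logQuery, evtFormat, recordSet, record, query

' LOGON_USER is empty when IIS served the request anonymously.
logonUser = Request.ServerVariables("LOGON_USER")
If Len(logonUser) = 0 Then
    Response.Status = "403 Forbidden"
    Response.Write "Anonymous requests cannot read event logs."
    Response.End
End If

' Name the log; do not point the query at the .evt file on disk.
query = "SELECT TOP 20 TimeGenerated, EventID, SourceName, Message " & _
        "FROM System"

Set logQuery = Server.CreateObject("MSUtil.LogQuery")
Set evtFormat = Server.CreateObject("MSUtil.LogQuery.EventLogInputFormat")
evtFormat.direction = "BW"   ' read newest records first

On Error Resume Next
Set recordSet = logQuery.Execute(query, evtFormat)
If Err.Number <> 0 Then
    ' For example 80070005 when the authenticated user may not read this log.
    Response.Write "Query failed: " & Hex(Err.Number) & " " & _
                   Server.HTMLEncode(Err.Description)
    Response.End
End If
On Error GoTo 0

Response.Write "<p>Running as " & Server.HTMLEncode(logonUser) & "</p><table>"
Do While Not recordSet.atEnd
    Set record = recordSet.getRecord
    ' Appending "" turns a Null field into an empty string before encoding.
    Response.Write "<tr><td>" & record.getValue("TimeGenerated") & "</td><td>" & _
        record.getValue("EventID") & "</td><td>" & _
        Server.HTMLEncode(record.getValue("SourceName") & "") & "</td><td>" & _
        Server.HTMLEncode(record.getValue("Message") & "") & "</td></tr>"
    recordSet.moveNext
Loop
Response.Write "</table>"
recordSet.close
%>
```

Event messages can carry text supplied by whatever wrote the event, which is why the example encodes them before writing them into the page.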
