grokevt-addlog(1)														 grokevt-addlog(1)

NAME
       grokevt-addlog - A tool for adding a raw event log to an existing GrokEVT database.

SYNOPSIS
       grokevt-addlog database-dir evt-file new-type base-type

DESCRIPTION
       grokevt-addlog takes a raw event log (.evt file) and adds it to a pre-built database generated by grokevt-builddb(1). This new log file will be set up to use the message templates of another log, as determined by the user.

       This tool is primarily useful for processing deleted logs and log fragments found on a system. While it is possible to use the database generated from one system with the logs of another, this is not recommended for investigations unless no alternatives exist.

ARGUMENTS
       grokevt-addlog uses the following arguments:

       database-dir
              The base directory for the database generated previously by grokevt-builddb(1).

       evt-file
              The file to be added to the database.

       new-type
              The new log type/name that evt-file will take on. This is the name that will need to be used later with grokevt-parselog(1) to access the new log. This type must not already exist in the database.

       base-type
              The existing log type that this new log will be based on. The message templates from this type will be used with the new log when parsing. This type must exist in the current database.

BUGS
       Probably several. This particular script has not been extensively tested.

CREDITS
       Written by Timothy D. Morgan.
       Copyright (C) 2006-2007 Timothy D. Morgan

LICENSE
       Please see the file "LICENSE" included with this software distribution. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License version 2 for more details.

SEE ALSO
       grokevt(7) grokevt-builddb(1) grokevt-dumpmsgs(1) grokevt-findlogs(1) grokevt-parselog(1) grokevt-ripdll(1)

File Conversion Utilities                                 20 March 2008                                 grokevt-addlog(1)


grokevt-ripdll(1)														 grokevt-ripdll(1)

NAME
       grokevt-ripdll - A tool for extracting message resources from a PE-formatted file.

SYNOPSIS
       grokevt-ripdll input-dll output-db

DESCRIPTION
       grokevt-ripdll parses a PE-formatted file (modern .exe and .dll files are examples of PE-formatted files) and extracts all message resources. These resources are then stored in a Berkeley-style database file, which maps relative virtual addresses (RVAs) to the message resources themselves. These RVAs are what can be found in a Windows event log file (.evt extension) to reference the proper message resource.

       This utility is not intended to be used directly by end-users. It is used by grokevt-builddb(1) to extract resources from all DLL/EXEs referenced in the registry.

ARGUMENTS
       input-dll
              This is the PE-formatted file to extract resources from. (It doesn't need to have a .dll extension, but it is most commonly used on DLLs.)

       output-db
              The database file to store the RVA->message mapping in. If this file already exists, it will be overwritten. To extract the entries stored in this database, see grokevt-dumpmsgs(1).

BUGS
       Probably a few. This script has not been extensively tested with some guest platforms or with non-English systems. The documentation used as a reference for PE-formatted files was not complete or not completely accurate in places. Much guess-and-check took place.

CREDITS
       Original PE header code borrowed from the pymavis project. For more information, see:
       http://www.mplayerhq.hu/~arpi/pymavis/

       Message resource parsing added by Timothy D. Morgan.
       Copyright (C) 2005-2007 Timothy D. Morgan
       Copyright (C) 2004 A'rpi

LICENSE
       Please see the file "LICENSE" included with this software distribution. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License version 3 for more details.

SEE ALSO
       grokevt(7) grokevt-addlog(1) grokevt-builddb(1) grokevt-dumpmsgs(1) grokevt-findlogs(1) grokevt-parselog(1)

File Conversion Utilities                                 20 March 2008                                 grokevt-ripdll(1)
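The two pages above describe one mechanism from both ends: grokevt-ripdll(1) writes a table keyed by RVA that holds the message templates, and grokevt-addlog(1) ties a recovered log to the log type whose table should be used when parsing. The added example below (not GrokEVT's own code) shows that lookup and the %1/%2-style insert expansion used by Windows message resources; the template table and event record are constructed stand-ins, and the key is called `rva` after the man page's wording.

```python
"""Apply a ripped message template to an event record (illustrative)."""
import re

# Constructed stand-in for one base-type's RVA->message table.  Windows
# message resources number their insertion strings %1, %2, ... and spell
# a literal percent sign as %%.
SYSTEM_TEMPLATES = {
    0x1040: "The %1 service entered the %2 state.",
    0x1058: "Error %1 occurred while processing %2%% of %3.",
}

_INSERT = re.compile(r"%(%|\d+)")


def render_message(templates, rva, strings):
    """Expand the template keyed by `rva` with the record's strings.

    Returns (message, ok).  ok is False when no template exists for the
    key (wrong base-type chosen, or the DLL was never ripped) or when the
    template wants more inserts than the record carries.  In both cases
    the raw data stays visible instead of being silently dropped, which
    is what an analyst wants when reviewing a recovered log fragment.
    """
    template = templates.get(rva)
    if template is None:
        return "<no template for 0x%X> %s" % (rva, " | ".join(strings)), False
    ok = True

    def expand(match):
        nonlocal ok
        token = match.group(1)
        if token == "%":
            return "%"
        index = int(token) - 1
        if index < 0 or index >= len(strings):
            ok = False
            return match.group(0)  # keep %N visible rather than losing it
        return strings[index]

    return _INSERT.sub(expand, template), ok


def demo():
    # Constructed record as grokevt-parselog(1) would hand it over once
    # grokevt-addlog(1) has bound the fragment to the "system" base-type.
    record = {"rva": 0x1040, "strings": ["Workstation", "running"]}
    return render_message(SYSTEM_TEMPLATES, record["rva"], record["strings"])
```

A record whose key is absent from the chosen base-type comes back flagged, which is the practical symptom of picking the wrong `base-type` or of using one system's database against another's logs.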