Use InTrust Evt2repository tool to gather saved .evt or .evtx files

Title
How to convert (gather) saved .evt or .evtx files into repository data?
 
Description
How can previously saved .evt or .evtx files from a Windows computer (or from something that emulates one, such as a NetApp filer) be converted? What switches can be used with the evt2repository.exe command?
 
Resolution
1. Open a command prompt and browse to C:\Program Files (x86)\Quest Software\InTrust\Server\InTrust.

2. Run the following command:

Evt2repository.exe /file="c:\filename.evt" /domain=domainname /computer=computername /logname=logname /repository="C:\repositorypath" /versionmajor=5 /versionminor=2 /resolvedescriptions=localfirst /resolvestrings


Here, domainname and computername represent the domain and computer name of the machine that created the .evt(x) file.

Logname is the event log type, for example Application, Security, or System.

Versionmajor and Versionminor represent the OS version of the Windows computer. Some NetApp devices, for example, may emulate Windows 2003 when creating these files, which is why those values are used in the sample. For other OS versions, see the Microsoft link below:

http://msdn.microsoft.com/en-us/library/ms724832(v=vs.85).aspx


3. Select Start | Programs | Quest Software | InTrust | Repository Viewer to verify that the data was imported.
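
When a whole folder of saved logs has to be imported, the command from step 2 can be wrapped in a loop. The following PowerShell script is an added example, not part of the original article or of InTrust. It assumes a hypothetical naming convention of <computer>_<logname>.evt(x) for the saved files, uses placeholder values for the source folder, domain and repository, and writes a SHA-256 manifest of the source files so each imported log can be traced back to the file it came from.

```powershell
# Added example: batch wrapper around the Evt2repository.exe command from step 2.
# Assumptions (not from the article): files are named <computer>_<logname>.evt(x);
# the folder, domain and repository values are placeholders to replace.
$Tool       = 'C:\Program Files (x86)\Quest Software\InTrust\Server\InTrust\Evt2repository.exe'
$SourceDir  = 'C:\SavedLogs'
$Domain     = 'domainname'
$Repository = 'C:\repositorypath'
$VerMajor   = 5      # OS version of the machine that wrote the logs
$VerMinor   = 2
$Manifest   = Join-Path $SourceDir 'import-manifest.csv'

if (-not (Test-Path -LiteralPath $Tool)) { throw "Evt2repository.exe not found: $Tool" }

$files = Get-ChildItem -LiteralPath $SourceDir -File |
    Where-Object { $_.Extension -in '.evt', '.evtx' }

$results = foreach ($file in $files) {
    # Split on the first underscore only, so log names may contain underscores.
    $computer, $logname = $file.BaseName -split '_', 2
    if (-not $computer -or -not $logname) {
        Write-Warning "Skipping $($file.Name): expected <computer>_<logname>"
        continue
    }

    # Hash the source file before import so it can be matched to the import later.
    $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash

    # One verbatim command-line string keeps the quoting exactly as in step 2.
    $argLine = "/file=`"$($file.FullName)`" /domain=$Domain /computer=$computer " +
               "/logname=$logname /repository=`"$Repository`" " +
               "/versionmajor=$VerMajor /versionminor=$VerMinor " +
               "/resolvedescriptions=localfirst /resolvestrings"
    $proc = Start-Process -FilePath $Tool -ArgumentList $argLine -Wait -NoNewWindow -PassThru

    [pscustomobject]@{
        File     = $file.FullName
        SHA256   = $hash
        Computer = $computer
        LogName  = $logname
        ExitCode = $proc.ExitCode   # recorded only; the article does not define its meaning
    }
}

if ($results) { $results | Export-Csv -Path $Manifest -NoTypeInformation }
```

Log names that contain spaces are not handled, because the article shows no quoting for /logname. Confirm each import in Repository Viewer as described in step 3 rather than relying on the recorded exit code.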