EVT Format

MS Windows 2000, XP and 2003 use the EVT Log file format, as opposed to the EVTX log file format used by Vista, Windows 2008, and Windows 7 operating systems.

Windows systems typically maintain three Event Log files: Application, System, and Security. They are generally found in the C:\Windows\system32\config directory. Server versions of the OS may maintain additional Event Logs for DNS, Directory Services and others, depending upon the functionality of the server.

Each EVT log file consists of a header record and a file body. The body consists of event records, the cursor record and unused space. The body can form a ring buffer, with the cursor record marking the boundary between the newest and the oldest event record.

Windows NT, 2000, XP and 2003, in both server and workstation versions, use the EVT log format. These EVT logs can be viewed with the Windows Event Viewer on local or remote machines. Typical log sources are the System, Security and Application logs. Each event type – for example a failed user authentication or a system component that fails to start – is identified by its Event ID.
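As an added example that is not part of this page or of the product it describes, the Python below builds a small EVT file in memory (header record, three event records, cursor record) laid out as a wrapped ring buffer, then parses it back from the oldest record to the cursor. The 48-byte header, the 56-byte fixed record head (the Win32 EVENTLOGRECORD layout) and the 40-byte cursor record follow the EVT binary format; the event contents and the computer name WS01 are constructed sample values.

```python
import struct
LFLE, HDR_SIZE, CURSOR_SIZE, FLAG_WRAPPED = b"LfLe", 0x30, 0x28, 0x2
CURSOR_MAGIC = bytes.fromhex("11111111222222223333333344444444")

def build_record(num, event_id, source, computer):
    """One event record: 56-byte fixed head, NUL-terminated UTF-16LE names, trailing size copy."""
    names = (source + "\0" + computer + "\0").encode("utf-16-le")
    size = 56 + len(names) + 4
    head = struct.pack("<I4sIIIIHHHHIIIIII", size, LFLE, num, 0, 0, event_id,
                       4, 0, 0, 0, num, 56 + len(names), 0, 0, 0, 0)
    return head + names + struct.pack("<I", size)

def build_wrapped_evt(older, newer):
    """Constructed sample: header | newer | cursor | unused | older, so the oldest record sits after the cursor."""
    new = b"".join(build_record(n, *r) for n, r in enumerate(newer, len(older) + 1))
    old = b"".join(build_record(n, *r) for n, r in enumerate(older, 1))
    cursor_off, nxt = HDR_SIZE + len(new), len(older) + len(newer) + 1
    first_off = cursor_off + CURSOR_SIZE + 16            # 16 bytes of unused space
    header = struct.pack("<I4s10I", HDR_SIZE, LFLE, 1, 1, first_off, cursor_off,
                         nxt, 1, 0x10000, FLAG_WRAPPED, 0, HDR_SIZE)
    cursor = struct.pack("<I", CURSOR_SIZE) + CURSOR_MAGIC + struct.pack("<5I", first_off, cursor_off, nxt, 1, CURSOR_SIZE)
    return header + new + cursor + b"\0" * 16 + old

def read_u16z(data, off):
    end = off                                           # stops at the terminator or at end of data
    while data[end:end + 2] not in (b"\0\0", b""):
        end += 2
    return data[off:end].decode("utf-16-le"), end + 2

def parse_record(data, off):
    f = struct.unpack_from("<I4sIIIIHHHHIIIIII", data, off)  # f[2] record no., f[5] identifier (low 16 bits = Event ID)
    source, p = read_u16z(data, off + 56)
    computer, _ = read_u16z(data, p)
    return {"record": f[2], "event_id": f[5] & 0xFFFF, "source": source, "computer": computer}

def parse_evt(data):
    """Walk oldest record -> cursor, wrapping at end of file (a record split across the end is not handled)."""
    size, sig, _, _, first_off, cursor_off, _, _, _, flags, _, _ = struct.unpack_from("<I4s10I", data, 0)
    if sig != LFLE or size != HDR_SIZE or data[cursor_off + 4:cursor_off + 20] != CURSOR_MAGIC:
        raise ValueError("not an EVT file: bad header signature or cursor record")
    events, off = [], first_off
    while off != cursor_off:
        if off + 8 > len(data):                          # ring buffer: continue just after the header
            off = HDR_SIZE
        size, sig = struct.unpack_from("<I4s", data, off)
        if sig != LFLE or size < 56:
            raise ValueError(f"bad record at offset {off:#x}")
        events.append(parse_record(data, off))
        off += size
    return bool(flags & FLAG_WRAPPED), events
```

`parse_evt(build_wrapped_evt(older, newer))` returns the wrapped flag from the header plus the records in chronological order, even though the two oldest records are stored physically last.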

The EVTX file format used by Vista, Windows 2008, and Windows 7 stores event log records as a stream of binary XML – Extensible Markup Language. Accessing the log data in EVTX files requires the use of a new API not available in older Windows operating systems.

Organizations that are moving to newer Windows systems or already have a mixed Windows environment may have developed two different systems for event log management: one supporting legacy EVT files on older operating systems, and another supporting EVTX files.

But with WhatsUp Log Management – and its exclusive Log Refiner™ Technology – you can monitor, collect, analyze, report and store Windows event log files across both the EVT and EVTX versions. You can also make comprehensive Windows event log data and reports available for regulatory compliance audits to internal management and auditors regardless of file format.