EventLogExpert can be used to view event descriptions for events generated by products that are not installed on the user's workstation. An event database must be created to enable this functionality.
By default, EventLogExpert will simply use the event provider DLLs available on the local machine to resolve event descriptions. If EventLogExpert is being used on a user workstation, and the Application event log from an Exchange Server is opened, many of the events will not have descriptions, because those provider DLLs are not present. In order to view those events, use the following steps:
- Download eventdbtool.exe from the latest GitHub release.
- Copy eventdbtool to a machine with the product installed, such as Exchange Server in this example.
- Create a database for that server and give the file a name that indicates where it came from. For example:
  eventdbtool create "C:\EXCH1.db"
- This database contains the provider information for everything on that server, including Windows, Exchange Server, and anything else installed. If you like, you can use the database as-is.
- eventdbtool also provides the ability to diff databases against each other. This can be useful to separate OS databases from product databases. In our example, if Exchange 2019 is installed on a Windows 2019 server, we might want to diff the database we just created against a database from a plain Windows 2019 server with nothing else on it. This would produce a database that only has event providers for Exchange. This can be done with a command such as:
  .\eventdbtool diff "C:\Windows 2019.db" "C:\EXCH1.db" "C:\Exchange 2019.db"
- Now we have Exchange 2019.db that only has event providers which were not present in the Windows 2019 database, so it is a database just for that product (and any other products that were installed on that machine). This step is optional.
- Go to Tools -> Settings -> Add Provider and choose the database to import.
As long as at least one database is enabled in Tools -> Options, EventLogExpert will only use those databases for event resolution and will ignore any provider DLLs on the local machine. To switch back to local machine providers, disable all the databases in Tools -> Options.
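
To see which providers in a log copied from another machine cannot be resolved with the local provider DLLs (the situation described at the top of this page), the following PowerShell sketch lists every provider in an exported .evtx file and whether it is registered on the workstation. It is an added example, not part of EventLogExpert or eventdbtool; the file path is a placeholder, and it assumes Get-WinEvent leaves the Message property empty when it cannot resolve a description.

```powershell
# Added example: not part of EventLogExpert or eventdbtool.
# Placeholder path to an event log exported from the server and copied locally.
param([string]$EvtxPath = 'C:\Logs\EXCH1-Application.evtx')

# Names of all event providers registered on this workstation.
$names = [string[]](Get-WinEvent -ListProvider * -ErrorAction SilentlyContinue).Name
$local = [System.Collections.Generic.HashSet[string]]::new(
    $names, [System.StringComparer]::OrdinalIgnoreCase)

# Group the events in the exported log by provider and report, per provider,
# whether it is registered locally and how many events came back without a
# rendered description (assumption: Message is empty when resolution fails).
Get-WinEvent -Path $EvtxPath |
    Group-Object -Property ProviderName |
    ForEach-Object {
        $unresolved = @($_.Group |
            Where-Object { [string]::IsNullOrEmpty($_.Message) }).Count
        [pscustomobject]@{
            Provider          = $_.Name
            Events            = $_.Count
            RegisteredLocally = $local.Contains($_.Name)
            Unresolved        = $unresolved
        }
    } |
    Sort-Object -Property RegisteredLocally, Provider |
    Format-Table -AutoSize
```

Providers shown with RegisteredLocally = False are the ones that need a database created on a machine where the product is installed.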