
To be populated when there are some FAQs...  Maybe I'll even index it.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 Q: How do I remove Logcheck for Windows?

A: See "Removing Logcheck" in INSTALL-Windows.txt

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2 Q: Why do I get duplicate events from Event logs I don't even HAVE on my
machine?

A: The MS API to the Event Logs has an unfortunate fallback behaviour,
documented by Microsoft as follows:

"The OpenEventLog function specifies the name of the logfile that the
returned handle will reference. This can be the Application, Security, or
System logfile, or a custom registered logfile. If a custom registered
logfile name cannot be found, the event logging service opens the
Application logfile."

Essentially, if the log you ask for does not exist, the API hands back a
handle to the Application log instead of failing.  Once it has the handle,
DumpEvt has no way to tell which log it is really reading.  For example,
asking for the RPL log on an NT box that doesn't have it, or the DNS log on
W2K Pro (which has no DNS server), dumps the Application log instead, so
those entries land in the capture file twice.  The only work-around right
now is to edit wrapper.cmd and REM out the Event Logs that do not exist on
that machine.
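
A less error-prone alternative to REMming lines out by hand is to test
whether each log is registered before dumping it.  The following is an added
example, not part of Logcheck for Windows or the wrapper.cmd that ships with
it.  It assumes cmd.exe, reg.exe on the PATH (built into W2K; on NT 4 it comes
from the Resource Kit, and the example assumes "reg query" sets a non-zero
errorlevel for a missing key as the W2K one does), and that you put your own
DumpEvt command line in the DUMP_LOG subroutine, which here only echoes.  The
registry path is the real Event Log registration key; a log name must match
its subkey exactly, which is why the DNS log is spelled "DNS Server".

```batch
@echo off
REM Added example (not from Logcheck for Windows): dump only the Event Logs
REM that are actually registered on this machine.  An unregistered name would
REM make OpenEventLog hand DumpEvt the Application log instead, producing the
REM duplicate entries described above.
REM Assumes cmd.exe and reg.exe (reg query must set a non-zero errorlevel
REM when the key is missing, as it does on W2K).
setlocal

REM Every registered event log, built-in or custom, has a subkey here.
set EVKEY=HKLM\SYSTEM\CurrentControlSet\Services\EventLog

REM Edit this list to taste.  Names must match the subkey exactly:
REM the DNS server log is registered as "DNS Server", not "DNS".
for %%L in (Application Security System "DNS Server" "Directory Service") do (
    reg query "%EVKEY%\%%~L" >nul 2>&1
    if errorlevel 1 (
        echo Skipping "%%~L": not registered on this machine
    ) else (
        call :DUMP_LOG "%%~L"
    )
)
endlocal
goto :EOF

:DUMP_LOG
REM Hypothetical subroutine: replace the echo with the DumpEvt line already
REM in your wrapper.cmd, using %~1 as the log name.
echo Would dump event log "%~1"
goto :EOF
```

Because the check is done against the registration key rather than against
the handle OpenEventLog returns, a log that is missing is simply skipped and
the Application log is only dumped once.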

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
3 Q: When I open some files (e.g. logcheck.sh) in Notepad, there are no line
breaks, but I see lots of little black squares or blocks.

A: DOS/Windows uses CR/LF (a carriage return/line feed pair) to indicate
line breaks, but UNIX uses only LF.  The Notepad shipped with these versions
of Windows can't handle that, so it shows each bare LF as a block.  Use
WordPad or get a real text editor.
PFE (http://www.lancs.ac.uk/people/cpaap/pfe/) or ConTEXT
(http://www.fixedsys.com/context/) work quite well and are free.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
4 Q: When I get the e-mail, there are no line breaks, but I see lots of little
black squares or blocks.

A: See the answer above as to why.  To fix it, use egrep's "-U" (binary)
flag, which stops GNU egrep from stripping the CRs out of the capture files
before they reach the e-mail.  Edit logcheck.sh (don't use Notepad!) and find
the "GREP=${LCROOTU}/bin/egrep" line.  Change it to (WITH the quotes!):
	GREP="${LCROOTU}/bin/egrep -U"
One caveat: with -U the CR before each LF is passed to the matcher as well,
so any pattern in the ignore or hacking files that is anchored with "$" has
to allow for the trailing CR or it will no longer match.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
5 Q: What scheduler do I have?

A: See "Windows Schedulers" in INSTALL-Windows.txt.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
6 Q: I just ran Logcheck for the first time and it took forever and the
message I got was GIGANTIC! What's up with that?

A: Look at the dates.  You just processed EVERYTHING in your Event Logs.
See "README-Win-First_Run.txt."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
7 Q: What are all those logcheck.hacking, ignore, etc. files?

A: Read the "INSTALL" file (use WordPad or an editor that understands UNIX
line breaks; see #3).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Last Updated: Tue Sep  4 20:33:44 2001
-- JP Vossen <jp@jpsdomain.org>

