Lots of options here, but one that I have been fond of is logparser.
The latest version is 2.2.10 and can be downloaded from:
http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en
The support forum at www.logparser.com is great - the author chimes in daily.
An example script that searches for the creation of user accounts:
logparser.exe "SELECT TimeWritten, ComputerName, EXTRACT_TOKEN(Strings, 0, '|') AS NewAcctName, EXTRACT_TOKEN(Strings, 3, '|') AS CallerName FROM d:\logs\eventlog.evt WHERE EventID IN (624) ORDER BY TimeWritten DESC" -o:NAT -rtp:-1 -filemode:0
This should get you something like:
TimeWritten ComputerName NewAcctName CallerName
------------------- ------------ ----------- ----------
2005-01-28 08:41:16 DC1 userjoe admin
2005-01-28 08:15:50 DC1 userdean admin
2005-01-26 14:05:23 DC1 useral admin
2005-01-25 16:52:29 DC1 usertony admin
Statistics:
-----------
Elements processed: 1257597
Elements output: 4
Execution time: 64.31 seconds (00:01:4.31)
Finally, logparser handles many types of inputs (IISW3C, IIS, BIN,
IISODBC, HTTPERR, URLSCAN, CSV, TSV, XML, W3C, NCSA, TEXTLINE, TEXTWORD,
EVT, FS (files and directories), REG, ADS (info on Active Directory
objects), NETMON, ETW, COM) and outputs (NAT, CSV, TSV, XML, W3C, TPL,
IIS, SQL, SYSLOG, DATAGRID, CHART), which allows you to get creative with
data mining.
hth,
john
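An added example, not from John's post or from the Log Parser documentation, applying the same tool to the original question: error and warning counts per server and overall, plus one consolidated error list, all read from archived .evt files. It assumes the archives live under d:\logs, that logparser.exe is on the PATH, and that the EVT input format accepts a wildcard path; EventType 1 and 2 are the Error and Warning types of that input format.

```batch
@echo off
REM Added example (not from the original post). Summarise archived Windows
REM event logs with Log Parser 2.2. Assumptions: archives are in d:\logs,
REM logparser.exe is on the PATH, and the EVT input accepts a wildcard path.
REM In the EVT input format EventType 1 = Error and 2 = Warning; Log Parser
REM separates IN-list values with semicolons.

REM 1) Error and warning counts per server across every archived .evt file.
logparser.exe -i:EVT -o:NAT -rtp:-1 "SELECT ComputerName, EventTypeName, COUNT(*) AS Total FROM d:\logs\*.evt WHERE EventType IN (1; 2) GROUP BY ComputerName, EventTypeName ORDER BY ComputerName, EventTypeName"

REM 2) Grand totals over all servers.
logparser.exe -i:EVT -o:NAT -rtp:-1 "SELECT EventTypeName, COUNT(*) AS Total FROM d:\logs\*.evt WHERE EventType IN (1; 2) GROUP BY EventTypeName"

REM 3) Just the errors, from every server, in one CSV for review (newest first).
logparser.exe -i:EVT -o:CSV "SELECT TimeGenerated, ComputerName, SourceName, EventID, Message INTO d:\logs\errors.csv FROM d:\logs\*.evt WHERE EventType = 1 ORDER BY TimeGenerated DESC"
```

Swapping -o:NAT for -o:CHART on the first query gives a per-server chart without any further scripting.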
Carerros, Charles wrote:
I am using a script to pull all of my event logs from all of my servers
(both local and remote) and saving them off as .evt files at my
location. I was wondering if anyone has a script that I can use to go
through these files to pull only the critical errors?
I have looked at using Event Comb to do this, but it seems like Event
Comb only scans through current event logs not those that are saved off
to another location. The end result I'm looking for is a way to create
some stats on the number of errors and warnings I receive per server and
over all. I want to bring some attention to these errors so I can get
some additional resources in resolving them as well as putting just the
errors in one place to help speed up the process of reviewing them.
I have seen a few scripts that do this type of thing but all of those
are based on the current event logs not archived copies of the database.
In the end, I might just end up changing the time that I run my archive
script and run another script prior to that which might help me to gain
my statistics.
Any suggestions????
Thanks,
Charlie
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/