LogParser is a wicked cool utility. I think it got tossed into a Resource Kit as an afterthought, and then people realized what it could do and started dancing in the streets.
I second the nod for logparser.com - Mike Gunderloy has put up quite the useful repository. There's also a section of the Technet Script Center now devoted to it: http://www.microsoft.com/technet/scriptcenter/tools/logparser/default.mspx.

- Laura

> -----Original Message-----
> From: Carerros, Charles [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, July 27, 2005 10:00 AM
> To: '[email protected]'
> Subject: RE: [ActiveDir] Event Log Question
>
> That looks like it is exactly what I need.
>
> Thanks.
>
> Charlie
>
> -----Original Message-----
> From: John Singler [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, July 27, 2005 8:55 AM
> To: [email protected]
> Subject: Re: [ActiveDir] Event Log Question
>
> Lots of options here but one that i have been fond of is logparser.
>
> The latest version is 2.2.10 and can be DL'd from:
>
> http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en
>
> The support forum at www.logparser.com is great - the author chimes in daily.
>
> an example script that searches for the creation of user accounts:
>
> logparser.exe "SELECT TimeWritten,ComputerName, EXTRACT_TOKEN(Strings,0, '|') AS NewAcctName, EXTRACT_TOKEN(Strings,3, '|') AS CallerName FROM d:\logs\eventlog.evt WHERE EventID IN (624) ORDER BY TimeWritten DESC" -o:NAT -rtp:-1 -filemode:0
>
> should get you something like:
>
> TimeWritten         ComputerName NewAcctName CallerName
> ------------------- ------------ ----------- ----------
> 2005-01-28 08:41:16 DC1          userjoe     admin
> 2005-01-28 08:15:50 DC1          userdean    admin
> 2005-01-26 14:05:23 DC1          useral      admin
> 2005-01-25 16:52:29 DC1          usertony    admin
>
> Statistics:
> -----------
> Elements processed: 1257597
> Elements output:    4
> Execution time:     64.31 seconds (00:01:4.31)
>
> finally, logparser handles many types of inputs (IISW3C, IIS, BIN, IISODBC, HTTPERR, URLSCAN, CSV, TSV, XML, W3C, NCSA, TEXTLINE, TEXTWORD, EVT, FS (files and directories), REG, ADS (info on Active Directory objects), NETMON, ETW, COM) and outputs (NAT, CSV, TSV, XML, W3C, TPL, IIS, SQL, SYSLOG, DATAGRID, CHART) which allows you to get creative with data mining.
>
> hth,
>
> john
>
> Carerros, Charles wrote:
> >
> > I am using a script to pull all of my event logs from all of my servers (both local and remote) and saving them off as .evt files at my location. I was wondering if anyone has a script that I can use to go through these files to pull only the critical errors?
> >
> > I have looked at using Event Comb to do this, but it seems like Event Comb only scans through current event logs, not those that are saved off to another location. The end result I'm looking for is a way to create some stats on the number of errors and warnings I receive per server and overall. I want to bring some attention to these errors so I can get some additional resources in resolving them as well as putting just the errors in one place to help speed up the process of reviewing them.
> >
> > I have seen a few scripts that do this type of thing but all of those are based on the current event logs, not archived copies of the database.
> >
> > In the end, I might just end up changing the time that I run my archive script and run another script prior to that which might help me to gain my statistics.
> >
> > Any suggestions????
> >
> > Thanks,
> >
> > Charlie
>
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
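
The per-server error and warning statistics asked for in the original question can be produced with the same tool and the same kind of query as the account-creation example. The batch file below is an added example, not part of any message in the thread. It assumes the EVT input fields EventType (1 = Error, 2 = Warning), EventTypeName, SourceName and ComputerName, and reuses the thread's d:\logs\eventlog.evt path as a stand-in for an archived log.

```batch
@echo off
rem Added example: error/warning statistics from an archived .evt file.
rem EVT is an assumed path (taken from the thread's example); point it at a saved log.
set EVT=d:\logs\eventlog.evt

rem 1. Errors and warnings per server, busiest first.
logparser.exe "SELECT ComputerName, EventTypeName, COUNT(*) AS Events FROM %EVT% WHERE EventType = 1 OR EventType = 2 GROUP BY ComputerName, EventTypeName ORDER BY Events DESC" -i:EVT -o:NAT -rtp:-1

rem 2. Overall totals across every server recorded in the file.
logparser.exe "SELECT EventTypeName, COUNT(*) AS Events FROM %EVT% WHERE EventType = 1 OR EventType = 2 GROUP BY EventTypeName ORDER BY Events DESC" -i:EVT -o:NAT -rtp:-1

rem 3. Which source and event ID produce the most errors, to decide what to review first.
logparser.exe "SELECT TOP 20 ComputerName, SourceName, EventID, COUNT(*) AS Events FROM %EVT% WHERE EventType = 1 GROUP BY ComputerName, SourceName, EventID ORDER BY Events DESC" -i:EVT -o:NAT -rtp:-1
```

Switching `-o:NAT` to `-o:CSV` writes the same rows in a form that can be collected into one place for review.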
