With the number of people who have asked for this script, I'll post it on a web server late tonight and send out its link tomorrow.
Charlie

-----Original Message-----
From: Carerros, Charles [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 27, 2005 9:00 AM
To: '[email protected]'
Subject: RE: [ActiveDir] Event Log Question

That looks like it is exactly what I need. Thanks.

Charlie

-----Original Message-----
From: John Singler [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 27, 2005 8:55 AM
To: [email protected]
Subject: Re: [ActiveDir] Event Log Question

Lots of options here, but one that I have been fond of is logparser. The latest version is 2.2.10 and can be DL'd from:
http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en

The support forum at www.logparser.com is great - the author chimes in daily.

An example script that searches for the creation of user accounts:

logparser.exe "SELECT TimeWritten, ComputerName, EXTRACT_TOKEN(Strings, 0, '|') AS NewAcctName, EXTRACT_TOKEN(Strings, 3, '|') AS CallerName FROM d:\logs\eventlog.evt WHERE EventID IN (624) ORDER BY TimeWritten DESC" -o:NAT -rtp:-1 -filemode:0

should get you something like:

TimeWritten          ComputerName  NewAcctName  CallerName
-------------------  ------------  -----------  ----------
2005-01-28 08:41:16  DC1           userjoe      admin
2005-01-28 08:15:50  DC1           userdean     admin
2005-01-26 14:05:23  DC1           useral       admin
2005-01-25 16:52:29  DC1           usertony     admin

Statistics:
-----------
Elements processed: 1257597
Elements output:    4
Execution time:     64.31 seconds (00:01:4.31)

Finally, logparser handles many types of inputs (IISW3C, IIS, BIN, IISODBC, HTTPERR, URLSCAN, CSV, TSV, XML, W3C, NCSA, TEXTLINE, TEXTWORD, EVT, FS (files and directories), REG, ADS (info on Active Directory objects), NETMON, ETW, COM) and outputs (NAT, CSV, TSV, XML, W3C, TPL, IIS, SQL, SYSLOG, DATAGRID, CHART), which allows you to get creative with data mining.

hth,
john

Carerros, Charles wrote:
>
> I am using a script to pull all of my event logs from all of my servers
> (both local and remote) and saving them off as .evt files at my
> location. I was wondering if anyone has a script that I can use to go
> through these files to pull only the critical errors?
>
> I have looked at using Event Comb to do this, but it seems like Event
> Comb only scans through current event logs, not those that are saved off
> to another location. The end result I'm looking for is a way to create
> some stats on the number of errors and warnings I receive per server and
> overall. I want to bring some attention to these errors so I can get
> some additional resources in resolving them, as well as putting just the
> errors in one place to help speed up the process of reviewing them.
>
> I have seen a few scripts that do this type of thing, but all of those
> are based on the current event logs, not archived copies of the database.
>
> In the end, I might just end up changing the time that I run my archive
> script and run another script prior to that which might help me to gain
> my statistics.
>
> Any suggestions????
>
> Thanks,
>
> Charlie

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
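The thread shows LogParser pulling one event type out of a single archived .evt file, but Charlie's actual question was per-server and overall counts of errors and warnings across a whole folder of archives. The script below is an added example, not code from the thread or from the LogParser project: it wraps logparser.exe from PowerShell, runs a GROUP BY query over every .evt in a folder, and reuses John's EXTRACT_TOKEN query for event 624 so both results come back as objects. It assumes logparser.exe 2.2 is on PATH, that the archives sit in D:\logs (both adjustable), and that the logs come from Windows 2000/2003 hosts, where event 624 means "User Account Created" and the EVT input format reports EventType 1 for Error and 2 for Warning. On Vista and later the saved format is .evtx, account creation is event 4720, and Get-WinEvent -Path is the simpler reader; LogParser 2.2 was written for the older .evt format.

```powershell
# Added example (not part of the original thread): error/warning statistics
# per server and overall from a folder of archived .evt files via LogParser 2.2,
# plus the account-creation query from the thread, all returned as objects.
# Assumptions: logparser.exe on PATH, archives in D:\logs\*.evt, Windows
# 2000/2003 event logs (EventType 1 = Error, 2 = Warning, EventID 624 = new user).

param(
    [string]$LogParser = 'logparser.exe',   # assumed location of logparser.exe
    [string]$Archive   = 'D:\logs\*.evt'    # assumed folder of saved .evt files
)

# LogParser's FROM clause takes a comma-separated list of files, so build it
# explicitly from the folder instead of relying on wildcard expansion.
$files = (Get-ChildItem -Path $Archive -File | ForEach-Object { "'$($_.FullName)'" }) -join ', '
if (-not $files) { throw "no .evt files found under $Archive" }

function Invoke-LogParser {
    # Run one query with the EVT input format and CSV output; -q:ON suppresses
    # the banner and the Statistics block so only CSV rows reach stdout.
    param([Parameter(Mandatory)][string]$Query)
    $flat = $Query -replace '\s+', ' '          # collapse the here-string to one line
    $rows = & $LogParser -i:EVT -o:CSV -q:ON $flat
    if ($LASTEXITCODE -ne 0) { throw "logparser failed with exit code $LASTEXITCODE" }
    $rows | ConvertFrom-Csv
}

# 1. Errors and warnings per server. LogParser separates IN-list values with
#    semicolons, and EventTypeName carries the readable label for the report.
$perServer = Invoke-LogParser @"
SELECT ComputerName, EventTypeName, COUNT(*) AS Hits
FROM $files
WHERE EventType IN (1; 2)
GROUP BY ComputerName, EventTypeName
ORDER BY ComputerName, Hits DESC
"@

# 2. Overall totals, summed from the per-server rows rather than a second pass
#    over the archives. ConvertFrom-Csv yields strings, hence the [int] cast.
$overall = $perServer | Group-Object -Property EventTypeName | ForEach-Object {
    [pscustomobject]@{
        EventTypeName = $_.Name
        Hits          = ($_.Group | ForEach-Object { [int]$_.Hits } | Measure-Object -Sum).Sum
    }
}

# 3. Account creations, as in John's query: the Strings field of event 624 is
#    pipe-delimited, token 0 is the new account name and token 3 the caller.
#    The account name is text chosen by whoever created the account, so keep
#    treating it as data when it reaches the report.
$newAccounts = Invoke-LogParser @"
SELECT TimeWritten, ComputerName,
       EXTRACT_TOKEN(Strings, 0, '|') AS NewAcctName,
       EXTRACT_TOKEN(Strings, 3, '|') AS CallerName
FROM $files
WHERE EventID IN (624)
ORDER BY TimeWritten DESC
"@

$perServer   | Format-Table -AutoSize
$overall     | Format-Table -AutoSize
$newAccounts | Format-Table -AutoSize
```

Because every file in the folder goes into one FROM list, LogParser reads each archive exactly once per query, and the per-server rows are reused for the overall totals, so the whole report costs two passes rather than one per server. Piping the three result sets to Export-Csv instead of Format-Table gives the single consolidated file Charlie was after for review.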
