I use an app called dumpevt. It grabs the logs on a machine and pulls them to a central location and stores them. I then use Windows Grep to search for error, failure, or warning (or whatever text) in the logs. It then displays all the lines containing that desired text. I can find one or two lines out of several thousand. What's really nice about dumpevt is that it keeps track of each time you run it and starts from the last place you ran it. So this morning, I'll see every event since the last time I ran it, but not the ones from a month ago. After I parse the results, I delete the files it creates, but you can also archive them if you want. I run a script every morning that pulls the logs, then use grep to walk through all the files it collects. Works pretty well for me; I have around 35 servers I hit with it... Needs to run under an account with admin rights to every box you hit, though, in order to touch the security logs. I use runas to fire it... Dumpevt is available from Hyena (http://www.systemtools.com/somarsoft/). Windows Grep is available at wingrep.com. Both are free, although Windows Grep would like you to register and send them something.
Here's a snippet from the script I run. Substitute servername with the name of your server. Repeat these lines for each server. Make sure the outdir location exists (precreate the folders, one for each server name). Use the DNS, DIR, and RPL lines only on DCs.

dumpevt /computer=servername /logfile=sec /outdir=c:\dumpevt\servername /reg=local_machine >>c:\dumpevt\errors.txt
dumpevt /computer=servername /logfile=app /outdir=c:\dumpevt\servername /reg=local_machine >>c:\dumpevt\errors.txt
dumpevt /computer=servername /logfile=sys /outdir=c:\dumpevt\servername /reg=local_machine >>c:\dumpevt\errors.txt
dumpevt /computer=servername /logfile=dns /outdir=c:\dumpevt\servername /reg=local_machine >>c:\dumpevt\errors.txt
dumpevt /computer=servername /logfile=dir /outdir=c:\dumpevt\servername /reg=local_machine >>c:\dumpevt\errors.txt
dumpevt /computer=servername /logfile=rpl /outdir=c:\dumpevt\servername /reg=local_machine >>c:\dumpevt\errors.txt

**********************
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**********************

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
> Sent: Wednesday, July 27, 2005 6:28 AM
> To: [email protected]
> Subject: [ActiveDir] Event Log Question
>
> I am using a script to pull all of my event logs from all of my servers (both local and remote) and saving them off as .evt files at my location. I was wondering if anyone has a script that I can use to go through these files to pull only the critical errors?
>
> I have looked at using Event Comb to do this, but it seems like Event Comb only scans through current event logs, not those that are saved off to another location. The end result I'm looking for is a way to create some stats on the number of errors and warnings I receive per server and overall. I want to bring some attention to these errors so I can get some additional resources in resolving them, as well as putting just the errors in one place to help speed up the process of reviewing them.
>
> I have seen a few scripts that do this type of thing, but all of those are based on the current event logs, not archived copies of the database.
>
> In the end, I might just end up changing the time that I run my archive script and run another script prior to that which might help me to gain my statistics.
>
> Any suggestions?
>
> Thanks,
>
> Charlie
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
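The reply above greps the per-server text files that dumpevt writes and eyeballs the hits; the original question asks for counts of errors and warnings per server and overall. The script below is an added example that does both over the c:\dumpevt\<server>\<log> tree the reply's batch file produces. It is not part of the thread and not dumpevt's or Windows Grep's code. The record layout it parses (one event per line, tab-separated, event type in the fourth column) is an assumption about dumpevt's output, and the sample records are constructed; if your output differs, change TYPE_FIELD or rely on the keyword fallback.

```python
"""Count error/failure/warning events per server from the text files
dumpevt leaves under c:\\dumpevt\\<server>\\ and summarize them.

Example code added to the thread, not the original poster's script and not
dumpevt's or Windows Grep's own code. ASSUMPTION: one event per line,
tab-separated, with the event type ("Error", "Warning", "Failure Audit",
...) in the fourth column. The sample records below are constructed."""

import os
import re
import tempfile
from collections import Counter

# The keywords the post greps for. \b stops "error" matching "errors".
KEYWORDS = ("error", "failure", "warning")
KEYWORD_RE = re.compile(r"\b(" + "|".join(KEYWORDS) + r")\b", re.IGNORECASE)

# Assumed record layout: date/time, source, event id, type, user, message.
TYPE_FIELD = 3
NOISY_TYPES = ("Error", "Warning", "Failure Audit")

# Constructed sample of the per-server tree: {server: {logfile: [records]}}.
SAMPLE_TREE = {
    "dc01": {
        "sec.txt": [
            "2005-07-27 06:12:03\tSecurity\t529\tFailure Audit\tNT AUTHORITY\\SYSTEM\tLogon Failure: Unknown user name or bad password",
            "2005-07-27 06:12:05\tSecurity\t528\tSuccess Audit\tDOMAIN\\jsmith\tSuccessful Logon",
            "2005-07-27 06:13:10\tSecurity\t529\tFailure Audit\tNT AUTHORITY\\SYSTEM\tLogon Failure: Unknown user name or bad password",
        ],
        "app.txt": [
            "2005-07-27 03:00:01\tNtFrs\t13508\tWarning\tN/A\tThe File Replication Service is having trouble enabling replication",
            "2005-07-27 03:05:44\tUserenv\t1030\tError\tNT AUTHORITY\\SYSTEM\tWindows cannot query for the list of Group Policy objects",
            "2005-07-27 04:00:00\tMSSQLSERVER\t17055\tInformation\tN/A\tDatabase backed up",
        ],
        "sys.txt": [
            "2005-07-27 02:10:00\tW32Time\t29\tError\tN/A\tNo time sources are currently accessible",
            "2005-07-27 02:11:00\tService Control Manager\t7036\tInformation\tN/A\tThe Print Spooler service entered the running state",
        ],
    },
    "fs02": {
        "app.txt": [
            # Informational, but a plain grep for "error" still hits it.
            "2005-07-27 01:00:00\tBackup\t1000\tInformation\tN/A\tJob completed, error count: 0",
            "2005-07-27 01:30:00\tBackup\t1001\tInformation\tN/A\tTape rotated with no errors",
        ],
        "sys.txt": [
            "2005-07-27 05:00:00\tDisk\t51\tWarning\tN/A\tAn error was detected on device \\Device\\Harddisk0 during a paging operation",
        ],
    },
}


def grep_lines(lines):
    """The Windows Grep step: every line containing one of the keywords."""
    return [line for line in lines if KEYWORD_RE.search(line)]


def event_type(line):
    """Event type from the assumed type column; otherwise fall back to the
    first keyword on the line, which is all a grep can tell you."""
    fields = line.split("\t")
    if len(fields) > TYPE_FIELD:
        return fields[TYPE_FIELD].strip()
    match = KEYWORD_RE.search(line)
    return match.group(1).capitalize() if match else "Unknown"


def write_sample_tree(root):
    """Lay the constructed sample out as <root>/<server>/<log>, like dumpevt's /outdir."""
    for server, logs in SAMPLE_TREE.items():
        os.makedirs(os.path.join(root, server), exist_ok=True)
        for name, records in logs.items():
            with open(os.path.join(root, server, name), "w", encoding="utf-8") as fh:
                fh.write("\n".join(records) + "\n")


def tally_tree(root):
    """Walk one folder per server and count events by type: {server: Counter}."""
    stats = {}
    for server in sorted(os.listdir(root)):
        server_dir = os.path.join(root, server)
        if not os.path.isdir(server_dir):
            continue
        counts = Counter()
        for name in sorted(os.listdir(server_dir)):
            with open(os.path.join(server_dir, name), encoding="utf-8") as fh:
                for line in fh:
                    line = line.rstrip("\n")
                    if line:
                        counts[event_type(line)] += 1
        stats[server] = counts
    return stats


def summarize(stats):
    """Errors + warnings + failure audits per server, plus an overall total."""
    per_server = {s: sum(c[t] for t in NOISY_TYPES) for s, c in stats.items()}
    total = sum(per_server.values())
    per_server["ALL"] = total
    return per_server


def demo():
    """Write the sample tree to a temp dir, tally it, return (stats, summary)."""
    with tempfile.TemporaryDirectory() as root:
        write_sample_tree(root)
        stats = tally_tree(root)
    return stats, summarize(stats)


if __name__ == "__main__":
    stats, summary = demo()
    for server, counts in sorted(stats.items()):
        print(server, dict(counts))
    print("noisy events:", summary)
```

Run against the real tree with `tally_tree(r"c:\dumpevt")` instead of `demo()`. Note the difference the two counters expose: `grep_lines` flags the "error count: 0" record on fs02 because the word appears in the message, while `tally_tree` counts by the type column and does not. Grepping the whole line is a fine first pass (and the `\b` already avoids "errors"), but statistics should come from the type field whenever the export keeps it.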
