Windows Tip Sheet
One Needle, Many Haystacks
Minimize the laborious task of searching for specific events with Event Comb.
Configuring auditing on your Windows servers is a great idea: You’ll catch events for successful logons, account lockouts, file access and more. What’s a bad idea is trying to use the captured events! Browsing through servers’ event logs is perhaps the most tedious task in the administrative universe, even with the minor help provided by the Event Viewer’s filtering capability.
Haystack Accelerator
The Windows Server 2003 Resource Kit includes a tool called Event Comb, which has actually been around for a while (it’ll run on Win2000, too). It basically lets you search for specified events across multiple computers. The tool is multi-threaded, so it’s a quick performer, and it includes handy preconfigured searches for events like account lockout (which is actually indicated by about six different events). Search results can be saved as text files or an Access database, or even logged to a SQL Server database. You can restrict searches to only include events that have occurred since your last search, so that you’re just looking at the new events. Searches themselves can be saved and loaded so you can build a nice little library of useful searches. Searches can be scheduled, which is cool, so that they run automatically and present you with their results. It’s an amazing tool.
Now, the downside: The tool is an entirely client-based one, which means it’ll consume some network bandwidth as it remotely accesses events on your servers. It’s also not foolproof as a security tool, since it can’t stop someone from clearing event logs and erasing the events you’re looking for. For a more foolproof solution, at least for the Security log, look to the Microsoft Audit Collection (MAC) service, which is an agent-based tool for consolidating and working with security events. Unfortunately, MAC hasn’t been released as I’m writing this, but I hear it’ll be any time now.
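The Event Comb workflow described above (search several servers for a set of event IDs, keep only events newer than the last run, save the hits to a file) can be approximated in PowerShell. This is an added example, not Event Comb and not one of the author’s scripts; the server names are placeholders, the state and output paths are assumptions, and it assumes the running account can read remote event logs on Windows Server 2008 or later (where account lockout is event 4740 and failed logon is 4625).

```powershell
# Added example: Event Comb-style incremental, multi-server event search.
# Assumptions: remote event log read rights on each server; the
# "Remote Event Log Management" firewall rule is enabled on the targets.
param(
    [string[]]$ComputerName = @('SERVER1', 'SERVER2'),   # placeholder names
    [string]$StatePath  = "$env:ProgramData\EventSearch\lastrun.json",
    [string]$OutputPath = "$env:ProgramData\EventSearch\lockouts.csv"
)

# Security log IDs to collect: 4740 (account locked out), 4625 (failed logon).
$EventIds = 4740, 4625

# "Only events since the last search": read the saved high-water mark,
# defaulting to the last 24 hours on the first run.
$since = (Get-Date).AddHours(-24)
if (Test-Path $StatePath) {
    $since = [datetime](Get-Content $StatePath -Raw | ConvertFrom-Json).LastRun
}
$runStarted = Get-Date
$filter = @{ LogName = 'Security'; Id = $EventIds; StartTime = $since }

# One background job per server, the rough equivalent of Event Comb's threads.
$jobs = foreach ($c in $ComputerName) {
    Start-Job -ArgumentList $c, $filter -ScriptBlock {
        param($Computer, $Filter)
        try {
            Get-WinEvent -ComputerName $Computer -FilterHashtable $Filter -ErrorAction Stop |
                Select-Object @{n='Computer';e={$Computer}}, TimeCreated, Id,
                              @{n='Message';e={$_.Message -replace '\s+', ' '}}
        } catch {
            # Get-WinEvent raises an error when nothing matches; treat that as empty.
            if ($_.Exception.Message -notmatch 'No events were found') { throw }
        }
    }
}
$results = $jobs | Wait-Job | Receive-Job
$jobs | Remove-Job

# Append the hits to a CSV and record the new high-water mark for next time.
New-Item -ItemType Directory -Force -Path (Split-Path $OutputPath) | Out-Null
if ($results) { $results | Export-Csv -Path $OutputPath -NoTypeInformation -Append }
@{ LastRun = $runStarted.ToString('o') } | ConvertTo-Json | Set-Content $StatePath
"{0} event(s) collected from {1} server(s) since {2}" -f @($results).Count, $ComputerName.Count, $since
```

Run it from Task Scheduler to get the scheduled, incremental behaviour the article describes; like Event Comb, it reads logs remotely and cannot recover events that were cleared on the server before it ran.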
Micro Tips
Event Comb can help troubleshoot File Replication Service (FRS) issues by providing specific information based on FRS-related events that you collect. Event Comb can also decode the annoying flags in Event 1000 messages, helping you to figure out what the event is actually about.
Other companies have figured out event log consolidation and filtering: RippleTech, Prism Microsystems, Inc., TNT Software, and Lyonesse Software, just to name a few. I’ve even written a few event log-related scripts myself, which you can download for free from ScriptingAnswers.com, including a tool to archive Security logs.
More Resources:
- Read about the tool on Microsoft’s Web site here.
- Get the Resource Kit tools here.
- Have a happy holiday season!
About the Author
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.