Recipe 16.10. Searching the Event Logs on Multiple Systems


Problem

You want to search for events across multiple computers.

Solution

Using a graphical user interface

  1. Open the Event Comb utility (eventcombmt.exe). When you first start the tool, it launches a Simple Instructions dialog box that contains the following directions:

  2. Verify the Domain box shows the domain for which you want to search.

  3. Right-click the box labeled Select to Search/Right Click To Add. Add the computers you want to search, e.g., All the DCs or individual computers.

  4. Choose the log files you want to search, e.g., System, Application.

  5. Select the event type you would like to search for, e.g., Error, Warning.

  6. Enter the event IDs you would like to search for, e.g., 6005, in the Event IDs text box.

  7. Click Search to start your search.

Using a command-line interface

None of the standard command-line tools support searching the event logs across multiple computers in a single query. You can, however, use a for command to run the same query against several computers in turn. Here is an example (eventquery.vbs must run under cscript, not the default wscript host, or it will refuse to execute; double the percent signs, %%i, if you put this in a batch file):

> for %i in (wks01 wks02) do cscript //nologo %SystemRoot%\System32\eventquery.vbs /S %i /R 10 /L Application /FI "ID eq 105"

Using VBScript

' This code searches for events that match the specified criteria
' across several computers. The WMI connection runs under the
' credentials of the user executing the script, who must have
' permission to read the remote event log (an administrator on
' the target computer in the default XP configuration).
' ------ SCRIPT CONFIGURATION ------
intEventCode = 105                  ' Event ID to match; e.g. 105
strLog       = "Application"        ' Event log name; e.g. Application
intMaxNum    = 0                    ' Max events to return (0 for all)
arrComputers = Array("wks01","wks02")
' ------ END CONFIGURATION ---------
for each strComputer in arrComputers
   WScript.Echo vbCrLf & vbCrLf
   WScript.Echo "Searching " & strComputer & "...." & vbCrLf
   set objWMI = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
   set colEvents = objWMI.ExecQuery("Select * from Win32_NTLogEvent " & _
                               " Where Logfile = '" & strLog & "'" & _
                               " and EventCode = " & intEventCode)
   count = 0
   for each objEvent in colEvents
      ' TimeWritten is a WMI datetime string (yyyymmddHHMMSS.mmmmmm+UTC offset)
      WScript.Echo "Date: " & objEvent.TimeWritten
      WScript.Echo "Source: " & objEvent.SourceName
      WScript.Echo "Category: " & objEvent.Category
      WScript.Echo "Type: " & objEvent.Type
      WScript.Echo "Event Code: " & objEvent.EventCode
      WScript.Echo "User: " & objEvent.User
      WScript.Echo "Computer: " & objEvent.ComputerName
      WScript.Echo "Message: " & objEvent.Message
      WScript.Echo "------"
      WScript.Echo
      count = count + 1
      if intMaxNum > 0 and count >= intMaxNum then
         WScript.Echo "Reached maximum threshold...exiting"
         exit for
      end if
   next
next
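The same multi-computer search written in PowerShell, as an added example that is not code from the book. It covers the three approaches above (a list of computers, a list of logs, a list of event IDs, and a per-computer cap on results) and adds what the VBScript leaves out: a time window so the remote query does not pull the whole log, and separate handling of "no matching events" versus an unreachable host or access denied. It assumes targets running Windows Vista/Server 2008 or later (Get-WinEvent speaks to the newer event log service, so it will not reach an XP or 2003 machine), the "Remote Event Log Management" firewall rule group enabled on each target, and a caller who is a member of Event Log Readers or Administrators there. The host names wks01 and wks02 and the output path are placeholders; the event IDs are the ones used in the recipe.

```powershell
<#
  Added example, not from the Windows XP Cookbook: search one or more event
  logs on several computers for a set of event IDs and collect the hits as
  objects. Host names and the output file are assumptions.
#>
param(
    [string[]] $Computers = @('wks01', 'wks02'),       # assumed host names
    [string[]] $Logs      = @('System', 'Application'),
    [int[]]    $EventIds  = @(6005, 105),               # IDs used in the recipe
    [int]      $MaxEvents = 10,                          # 0 = return everything
    [int]      $Days      = 7,                           # look-back window
    [string]   $OutFile   = "$env:TEMP\eventsearch.csv"  # assumed output path
)

# One filter hashtable is shared by every computer; StartTime keeps the
# remote query cheap instead of streaming the whole log over RPC.
$filter = @{
    LogName   = $Logs
    Id        = $EventIds
    StartTime = (Get-Date).AddDays(-$Days)
}

$results = foreach ($computer in $Computers) {
    Write-Host "Searching $computer ..."
    $splat = @{
        ComputerName    = $computer
        FilterHashtable = $filter
        ErrorAction     = 'Stop'
    }
    if ($MaxEvents -gt 0) { $splat['MaxEvents'] = $MaxEvents }

    try {
        Get-WinEvent @splat | ForEach-Object {
            [pscustomobject]@{
                Computer = $_.MachineName
                Time     = $_.TimeCreated
                Log      = $_.LogName
                Id       = $_.Id
                Level    = $_.LevelDisplayName
                Source   = $_.ProviderName
                User     = if ($_.UserId) { $_.UserId.Value } else { '' }   # SID string
                Message  = ($_.Message -split "`r?`n")[0]                    # first line only
            }
        }
    }
    catch {
        # With -ErrorAction Stop, "no events were found" is also a terminating
        # error; report it separately from RPC unavailable or access denied, so a
        # host that could not be queried is never mistaken for a clean one.
        if ($_.Exception.Message -like 'No events were found*') {
            Write-Warning "$computer : no matching events in the last $Days day(s)"
        } else {
            Write-Warning "$computer : $($_.Exception.Message)"
        }
    }
}

$results | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
$results | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
"{0} matching event(s) written to {1}" -f @($results).Count, $OutFile
```

Saved as a .ps1 file, the account lockout search that Event Comb was distributed for becomes `.\Search-Events.ps1 -Computers dc01,dc02 -Logs Security -EventIds 4740 -MaxEvents 0` against Windows Server 2008 or later domain controllers (4740 is the "user account was locked out" event there). Pre-Vista domain controllers logged lockouts as event 644 and must be queried with Get-EventLog in Windows PowerShell, which uses the legacy event log interface. Pass `-Credential` through to Get-WinEvent if the search has to run under a different account than the one you are logged on with.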

Discussion

The Event Comb utility is an extremely useful and powerful tool to have in your arsenal. Microsoft initially developed it for Windows 2000, but gave it out only to customers experiencing specific issues that required the ability to search the event logs on multiple computers. After the release of Windows Server 2003, Microsoft made it generally available as part of the Account Lockout toolset (http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=7af2e69c-91f3-4e63-8629-b999adde0b9e) and also in the Windows Server 2003 Resource Kit.

See Also

MS KB 824209, "How to Use the EventcombMT Utility to Search Event Logs for Account Lockouts"



Windows XP Cookbook
ISBN: 0596007256
Year: 2006
Pages: 408