Problem
You want to search for events across multiple computers.

Solution
Using a graphical user interface

Using a command-line interface
None of the standard command-line tools support searching the event logs across multiple computers. You can, however, use a for command to run a query against several computers at once. Here is an example:

    > for /D %i in ("wks01","wks02") do eventquery.vbs /S %i /R 10 /L Application /FI "ID eq 105"

Using VBScript

    ' This code searches for events that match the specified criteria
    ' across several computers.
    ' ------ SCRIPT CONFIGURATION ------
    intEventCode = <EventID>            ' Event ID to match; e.g. 105
    strLog = "<EventLogName>"           ' Event log name; e.g. Application
    intMaxNum = <MaxNumberOfEvents>     ' Max events to return (0 for all)
    arrComputers = Array("wks01","wks02")
    ' ------ END CONFIGURATION ---------

    for each strComputer in arrComputers
       WScript.Echo vbCrLf & vbCrLf
       WScript.Echo "Searching " & strComputer & "...." & vbCrLf

       ' Connect to WMI on the target computer and query its event log
       set objWMI = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
       set colEvents = objWMI.ExecQuery("Select * from Win32_NTLogEvent " & _
                                        " Where Logfile = '" & strLog & "'" & _
                                        " and EventCode = " & intEventCode)
       count = 0
       for each objEvent in colEvents
          WScript.Echo "Date: " & objEvent.TimeWritten
          WScript.Echo "Source: " & objEvent.SourceName
          WScript.Echo "Category: " & objEvent.Category
          WScript.Echo "Type: " & objEvent.Type
          WScript.Echo "Event Code: " & objEvent.EventCode
          WScript.Echo "User: " & objEvent.User
          WScript.Echo "Computer: " & objEvent.ComputerName
          WScript.Echo "Message: " & objEvent.Message
          WScript.Echo "------"
          WScript.Echo
          count = count + 1
          ' Stop listing events for this computer once the limit is reached
          if intMaxNum > 0 and count >= intMaxNum then
             WScript.Echo "Reached maximum threshold...exiting"
             exit for
          end if
       next
    next

Discussion
The Event Comb utility is an extremely useful and powerful tool to have in your arsenal. Microsoft initially developed it for Windows 2000, but gave it out only to customers experiencing specific issues that required the ability to search the event logs on multiple computers.
After the release of Windows Server 2003, Microsoft made it generally available as part of the Account Lockout toolset (http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=7af2e69c-91f3-4e63-8629-b999adde0b9e) and also in the Windows Server 2003 Resource Kit.

See Also
MS KB 824209, "How to Use the EventcombMT Utility to Search Event Logs for Account Lockouts"
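
The same multi-computer search written in PowerShell, as an added example that is not part of the original recipe: it swaps eventquery.vbs and WMI for Get-WinEvent and returns a status row for any computer that has no matching events or cannot be queried. The function name Search-EventAcrossComputers is hypothetical; wks01, wks02, Application and 105 are the recipe's sample values, and the targets are assumed to allow remote event log access.

```powershell
# Added example (not from the recipe): search one event ID on several computers.
function Search-EventAcrossComputers {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string]   $LogName,
        [Parameter(Mandatory)] [int]      $EventId,
        [int] $MaxEvents = 0   # 0 returns every match, like intMaxNum in the VBScript
    )

    foreach ($computer in $ComputerName) {
        $query = @{
            ComputerName    = $computer
            FilterHashtable = @{ LogName = $LogName; Id = $EventId }
            ErrorAction     = 'Stop'
        }
        # -MaxEvents rejects 0, so pass it only when a limit was requested.
        if ($MaxEvents -gt 0) { $query.MaxEvents = $MaxEvents }

        try {
            Get-WinEvent @query | ForEach-Object {
                [pscustomobject]@{
                    Computer = $computer
                    Status   = 'Match'
                    Date     = $_.TimeCreated
                    Source   = $_.ProviderName
                    Type     = $_.LevelDisplayName
                    EventId  = $_.Id
                    User     = $_.UserId
                    Message  = $_.Message
                }
            }
        }
        catch {
            # An empty result is normal; any other error (host unreachable,
            # access denied, unknown log) is recorded and the loop continues.
            $status = if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
                'NoEvents'
            } else {
                "Error: $($_.Exception.Message)"
            }
            [pscustomobject]@{
                Computer = $computer; Status = $status; Date = $null; Source = $null
                Type = $null; EventId = $EventId; User = $null; Message = $null
            }
        }
    }
}

Search-EventAcrossComputers -ComputerName 'wks01','wks02' -LogName Application -EventId 105 -MaxEvents 10
```

Because every row has the same properties, the output can be piped to Export-Csv or filtered on Status to list the computers that still need to be checked.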