Recipe 8.10. Searching the Event Logs on Multiple Servers

Problem

You want to search for events across multiple computers.

Solution

Using a graphical user interface

  1. Open the Event Comb utility (eventcombmt.exe). When you first start the tool, it launches a Simple Instructions dialog box that contains the following directions:

  2. Verify the Domain box shows the domain for which you want to search.

  3. Right-click the box labeled Select to Search/Right Click To Add. Add the servers you want to search, e.g., All the DCs or individual servers.

  4. Choose the log files you want to search, e.g., System, Application.

  5. Select the event type you would like to search for, e.g., Error, Warning.

  6. Enter the event IDs you would like to search for, e.g., 6005, in the Event IDs text box.

  7. Click Search to start your search.

Using a command-line interface

None of the standard command-line tools support searching the event logs across multiple servers. You can, however, use a for command to run a query against several servers at once. Here are a couple of examples.

For Windows Server 2003:

> for /D %i in ("server01","server02") do eventquery.vbs /S %i /R 10 /L Application /FI "ID eq 105"

For Windows Server 2000:

> for /D %i in ("server01","server02") do elogdmp %i Application | findstr ",105,"

Using VBScript

' This code searches for events that match the specified criteria
' across several servers.
' ------ SCRIPT CONFIGURATION ------
intEventCode = <EventID>            ' Event ID to match; e.g., 105
strLog       = "<EventLogName>"     ' Event log name; e.g., Application
intMaxNum    = <MaxNumberOfEvents>  ' Max events to return (0 for all)
arrServers   = Array("server01","server02")
' ------ END CONFIGURATION ---------

for each strServer in arrServers
   WScript.Echo vbCrLf & vbCrLf
   WScript.Echo "Searching " & strServer & "...." & vbCrLf
   set objWMI = GetObject("winmgmts:\\" & strServer & "\root\cimv2")
   set colEvents = objWMI.ExecQuery("Select * from Win32_NTLogEvent " & _
                               " Where Logfile = '" & strLog & "'" & _
                               " and EventCode = " & intEventCode)
   count = 0
   for each objEvent in colEvents
      WScript.Echo "Date: " & objEvent.TimeWritten
      WScript.Echo "Source: " & objEvent.SourceName
      WScript.Echo "Category: " & objEvent.Category
      WScript.Echo "Type: " & objEvent.Type
      WScript.Echo "Event Code: " & objEvent.EventCode
      WScript.Echo "User: " & objEvent.User
      WScript.Echo "Computer: " & objEvent.ComputerName
      WScript.Echo "Message: " & objEvent.Message
      WScript.Echo "------"
      WScript.Echo
      count = count + 1
      if intMaxNum > 0 and count >= intMaxNum then
         WScript.Echo "Reached maximum threshold...exiting"
         exit for
      end if
   next
next
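
The script above stops at the first server it cannot reach and returns matching events of any age. The variant below is an added example, not code from the book: it limits the WQL query to a recent time window and reports servers that could not be searched, so a connection failure is not read as "no events found". The server names, event ID, log name and 24-hour window are constructed values, and it assumes the WbemScripting.SWbemDateTime object is available on the machine running the script (Windows XP/Windows Server 2003 or later).

```vbscript
' Added example, not from the book. Server names, event ID, log name and
' the look-back window are constructed sample values.
Option Explicit
Const EVENT_CODE = 105
Const LOG_NAME   = "Application"
Const HOURS_BACK = 24
Dim arrServers, strServer, objWMI, colEvents, objEvent, objDate
Dim strQuery, lngCount, strFailed

arrServers = Array("server01", "server02")

' WQL compares TimeWritten against a CIM datetime string, so convert
' "now minus HOURS_BACK" with SWbemDateTime (True = value is local time).
Set objDate = CreateObject("WbemScripting.SWbemDateTime")
objDate.SetVarDate DateAdd("h", -HOURS_BACK, Now), True

strQuery = "Select * from Win32_NTLogEvent" & _
           " Where Logfile = '" & LOG_NAME & "'" & _
           " and EventCode = " & EVENT_CODE & _
           " and TimeWritten >= '" & objDate.Value & "'"

WScript.Echo Join(Array("Server", "TimeWritten", "Source", "Type", "User"), vbTab)
For Each strServer In arrServers
    lngCount = 0
    On Error Resume Next          ' keep going if one server is unreachable
    Set objWMI = GetObject("winmgmts:\\" & strServer & "\root\cimv2")
    If Err.Number = 0 Then
        Set colEvents = objWMI.ExecQuery(strQuery)
        For Each objEvent In colEvents
            ' A failed query surfaces here; leave the loop instead of echoing junk.
            If Err.Number <> 0 Then Exit For
            WScript.Echo Join(Array(strServer, objEvent.TimeWritten, _
                objEvent.SourceName, objEvent.Type, objEvent.User & ""), vbTab)
            lngCount = lngCount + 1
        Next
    End If
    If Err.Number <> 0 Then
        ' Record the failure so it is not mistaken for "no matching events".
        strFailed = strFailed & vbCrLf & "  " & strServer & " (0x" & Hex(Err.Number) & ")"
        Err.Clear
    Else
        WScript.Echo "# " & strServer & ": " & lngCount & " matching event(s)"
    End If
    On Error GoTo 0
Next

If Len(strFailed) > 0 Then WScript.Echo "# NOT SEARCHED:" & strFailed
```

Run it with cscript.exe so the tab-separated output goes to the console and can be redirected to a file.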

Discussion

The Event Comb utility is an extremely useful and powerful tool to have in your arsenal. Microsoft initially developed it for Windows 2000, but gave it out only to customers experiencing specific issues that required the ability to search the event logs on multiple servers. After the release of Windows Server 2003, Microsoft made it generally available as part of the Account Lockout toolset (http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=7af2e69c-91f3-4e63-8629-b999adde0b9e&DisplayLang=en) and also in the Windows Server 2003 Resource Kit Tools. Spend some time with it and get familiar with its capabilities.

See Also

MS KB 824209 (How to Use the EventcombMT Utility to Search Event Logs for Account Lockouts)



Windows Server Cookbook
Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
EAN: 2147483647
Year: 2006
Pages: 380
Authors: Robbie Allen