Archive for December, 2009

Scanning multiple EventLogs with EventCombMT

December 28, 2009 3 comments

Have you ever needed to search for a specific event on many computers?
if you did, and didn’t use EventCombMT… shame on you!

EventCombMT is a multithreaded tool (hence the ‘MT’ at the end) that you can use to search the event logs of several different computers for specific events, all from one central location.

you can set the EventCombMT to search for individual event IDs, multiple event IDs or a range of event IDs, a specific event source with or without specific text in the event’s description, you can also set how many minutes, hours, or days back to scan the event logs.

EventCombMT has many built-in searches such as such as Account Lockouts (Event IDs 529, 644, 675, 676, and 681) and NETLOGON Failed To (De)Register DNS Records (Event IDs 5774, 5775, 5781, 5788)

After the search finishes, the program opens the local \TEMP folder (or the folder you selected as the output folder), which will contain a number of text file logs for the search action:
EventCombMT.txt: The log for the program’s own actions
%machine%-_LOG.txt: Results for the search on that particular machine’s log.

The EventCombMT.exe also has many command line options, such as:

– To load a search that you previously saved use: /load:<name of saved search>

– To add all DCs in your domain to the list of servers to search use: /dc

– To add DCs from another domain use: /dc:<domain name>

– To add servers from a text file use: /file:<path to file>

– To specify events to search for use: /evt:”events” (for example: /evt:"644 528 639")

– To specify the types of events to collect use: /et:weisafasu OR /et:all

  (w – Warning, e – Error, i – Informational, sa – Success Audit, fa – Failure Audit, su – Success)

– To specify event logs types use: /log:sysappsecdsfrsdns OR /log:all

  (sys = System, app = Application, sec = Security, ds = Directory Services, frs = FRS, dns = DNS)

– To specify the output directory use: /outdir:”path to output folder”

– To specify the number of threads use: /t:<number> (The default is 25)

– To specify the Event Source use: /source:”event source” (for example: /source:netlogon)

– To specify the text that needs to be in the event use: /text:"text to match"

NOTE: The search is case insensitive.

– To automatically start searching use the /start argument


The EventCombMT utility is included both in the Windows Server 2003 resource kit tools and in the Account Lockout and Management Tools

The EventCombMT.exe from the Win2K3RK is from April 2003, and the EventCombMT.exe from the ALTools is from May 2002 but seems to have more options under the options menu. Weird…


Hello world!

December 27, 2009 1 comment

I’m officially here. In the blogosphere. Finally.

How should I start this blog?
I realize it’s just like walking into a room full of people you’ve never met…
What do you do then? Introduce yourself! It seems like the polite thing to do, right?

OK, so my name is Martin and I work at a multinational computer technology and consulting corporation as an IT Specialist.
And what exactly does an IT Specialist do? well, among other things:

  • Plan, design, install, test, configure, operate, troubleshoot and maintain computer networks and operating systems.
  • Collect information, research solutions, and analyze possible resolutions to issues and ways to prevent future problems.
    And the more obvious tasks of:
  • Set up operating systems and subsystems, and ensure they are running smoothly.
  • Test and implement new solutions.
  • Troubleshoot issues as they arise.
  • Learn new hardware and software to be supported.
  • Implement virus protections and security updates.
  • Back up (and restore) important files.

I’ll be using this blog to share my perspective on things but more-over as the title suggests, share scripts, utilities and tips that may help someone else.

Enjoy, and feel free to comment.