Posts Tagged ‘EventLog’

EventLog Query Options

March 1, 2010

This post is actually an answer to Grant’s question.
I quote:

"I discovered eventcombmt today and have been playing round with it. I have an application whereby I want to write out a listing showing any/all accesses by a particular user. I want to run this once a day. I have not been able to figure out what the command-line switch is to specify to only scan the last 24 hours.
Do you know what it is?"

Well Grant, if you want to use EventCombMT, you can use the command-line parameters /before and /after, but then you'll need to specify the full date and time in the form MMDDYYYYHHMMSS. The date-time string must be exactly 14 characters long, and both parameters must be used together. I think this only works in the ALTools version.

A more elegant way would be to use Log Parser and query the Security event log with:

LogParser "SELECT * INTO C:\myEvents.xml FROM \\Server1\Security,\\Server2\Security WHERE EXTRACT_TOKEN(Strings, 1, '|') = 'myUser' AND TimeGenerated >= TO_LOCALTIME(SUB(SYSTEM_TIMESTAMP(), TIMESTAMP('23:59:59', 'hh:mm:ss')))"

(You can open C:\myEvents.xml in Excel as an XML table.)

But… a simpler way would be to use PsLogList from the Sysinternals Suite and run:

PsLoglist \\Server1,Server2 -s -h 24 security | find "myUser" > c:\myEvents.log

Which one do you prefer?
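And, as an added example that is not part of the original post, a fourth option: the same "last 24 hours for one user" search done with the built-in Get-WinEvent cmdlet, with the matching /after and /before strings for EventCombMT computed alongside it. The server names, the user name, the output path and the colon form of the /after and /before switches are assumptions, not values from the post.

```powershell
# Added example (not from the original post): last-24-hours Security events that
# mention one account, collected from several servers and written to a CSV file.
# Assumed placeholders: server names, account name, output path.
$Servers  = @('Server1', 'Server2')   # assumed server names
$UserName = 'myUser'                  # assumed account to look for
$OutFile  = 'C:\myEvents.csv'         # assumed output path (opens directly in Excel)

# Time window: everything generated in the last 24 hours, in local time.
$Now   = Get-Date
$Since = $Now.AddHours(-24)

# EventCombMT's own way of saying the same thing: /after and /before, both required,
# each exactly 14 characters in MMDDYYYYHHMMSS form (the colon syntax is assumed to
# match the tool's other switches).
$After  = $Since.ToString('MMddyyyyHHmmss')
$Before = $Now.ToString('MMddyyyyHHmmss')
if ($After.Length -ne 14 -or $Before.Length -ne 14) {
    throw 'EventCombMT expects exactly 14-character MMDDYYYYHHMMSS values'
}
"EventCombMT window: /after:$After /before:$Before"

# Match the account as a whole word, case-insensitively, so 'myUser' does not hit 'myUser2'.
$UserPattern = '(?i)\b' + [regex]::Escape($UserName) + '\b'

$results = foreach ($server in $Servers) {
    try {
        # FilterHashtable is evaluated by the Event Log service on the remote host,
        # so the time filter does not drag the whole Security log across the network.
        Get-WinEvent -ComputerName $server -FilterHashtable @{
            LogName   = 'Security'
            StartTime = $Since
        } -ErrorAction Stop |
        # The account's position in the event data differs by event ID, so match the
        # rendered message rather than a fixed field index.
        Where-Object { $_.Message -match $UserPattern } |
        Select-Object @{ n = 'Server';   e = { $server } },
                      TimeCreated, Id,
                      @{ n = 'Keywords'; e = { $_.KeywordsDisplayNames -join ',' } },
                      @{ n = 'Message';  e = { $_.Message -replace '\r?\n', ' ' } }
    }
    catch {
        # Get-WinEvent throws when nothing matches at all; anything else is worth a warning.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$server : $($_.Exception.Message)"
        }
    }
}

$results | Sort-Object TimeCreated | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
"{0} matching events written to {1}" -f @($results).Count, $OutFile
```

Run it from an account that has read access to the remote Security logs (the Event Log Readers group is enough) and schedule it once a day; the StartTime filter does the "last 24 hours" part that the original question asked about.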

EvtLogParser

January 16, 2010

Updated to version: 1.0.0.5!

Let's say you have many exported EventLog (evt/evtx) files and need to search all of them for specific event entries. How do you do it?
Yes, of course you can use Microsoft Log Parser 2.2, but then you have to write the cumbersome query yourself. Bummer.

EvtLogParser to the rescue!

EvtLogParser uses the LogParser.dll from Microsoft Log Parser 2.2, and provides a simple UI for the query.

[Screenshot: EvtLogParser]

All you need to do is drag-and-drop, or right-click and select Add EventLog Files..., to add your files to the list, select the query filter using the query filter panel, and click Query.

[Screenshot: EvtLogParser: Query Filter Panel]

Then, you’ll be able to see the query results in the grid view below.

[Screenshot: EvtLogParser: GridView and Context Menu]

Right-click to view a specific event, save it as a text file, or export all the data to an XML file.

[Screenshot: EvtLogParser: View Event]

Note that Windows Vista, 7 and Server 2008 use the new evtx format for event log exports.
Since Log Parser uses the system APIs to read event log exports, and the old .evt format is no longer "native" on these OSs, you'll probably get an error message saying "The event log file is corrupted".

So if you want to read evt files on Windows Vista, 7 or Server 2008, you should convert those old-school event log files into the shiny new format. You can do this with either of the two methods described below:

1. Through the user interface
Just double-click the evt file, wait for it to open, then right-click, select Save Event As, enter the location and filename, click Save and then OK.

2. Using the Windows Events Command Line Utility (wevtutil)
It's built into the OS and will convert those old event log files from the command line:

wevtutil epl application.evt application.evtx /lf:true

Alternatively, you can copy the text below into Notepad, save it with a .reg extension, and merge it into your registry.
After restarting your system, you'll be able to right-click an .evt file and select "Convert to evtx" from the context menu.

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\SystemFileAssociations\.evt]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.evt\shell]
[HKEY_CLASSES_ROOT\SystemFileAssociations\.evt\shell\ConvertToEvtx]
@="Convert to evt&x"
[HKEY_CLASSES_ROOT\SystemFileAssociations\.evt\shell\ConvertToEvtx\command]
@="\"wevtutil.exe\" epl \"%1\" \"%1x\" /lf:true"
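If you have a whole folder of old exports, the conversion is easier to script than to click through. The following is an added example, not part of the original post or of EvtLogParser: it converts every .evt file in a folder with the same wevtutil epl /lf:true call shown above, uses the same "append an x" naming as the .reg entry, and then checks that each new .evtx is actually readable before you point a parser at it. The folder path is an assumption.

```powershell
# Added example (not from the original post): batch-convert legacy .evt exports to .evtx
# with the built-in wevtutil, then verify that each result can be read.
# Assumptions: $SourceFolder is a placeholder; wevtutil.exe is on PATH (it ships with Vista/7/2008 and later).
param(
    [string]$SourceFolder = 'C:\EventLogExports'   # assumed location of the .evt files
)

$report = foreach ($evt in (Get-ChildItem -Path $SourceFolder -Filter '*.evt' |
                            Where-Object { -not $_.PSIsContainer })) {
    # Same naming the .reg context-menu entry uses: application.evt -> application.evtx
    $evtx = $evt.FullName + 'x'

    if (Test-Path $evtx) {
        [pscustomobject]@{ Source = $evt.Name; Target = $evtx; Status = 'skipped (target exists)'; Events = $null }
        continue
    }

    # epl = export log; /lf:true tells wevtutil that the first argument is a log *file*, not a log name.
    & wevtutil.exe epl $evt.FullName $evtx /lf:true
    if ($LASTEXITCODE -ne 0) {
        [pscustomobject]@{ Source = $evt.Name; Target = $evtx; Status = "failed (wevtutil exit $LASTEXITCODE)"; Events = $null }
        continue
    }

    # Verification: if the new file opens here, Log Parser (and EvtLogParser) will not
    # report "The event log file is corrupted" for it.
    try {
        $count = @(Get-WinEvent -Path $evtx -ErrorAction Stop).Count
        [pscustomobject]@{ Source = $evt.Name; Target = $evtx; Status = 'converted'; Events = $count }
    }
    catch {
        if ($_.Exception.Message -match 'No events were found') {
            # A valid but empty export: Get-WinEvent reports this as an error, not as zero events.
            [pscustomobject]@{ Source = $evt.Name; Target = $evtx; Status = 'converted (empty)'; Events = 0 }
        }
        else {
            [pscustomobject]@{ Source = $evt.Name; Target = $evtx; Status = "unreadable: $($_.Exception.Message)"; Events = $null }
        }
    }
}

$report | Format-Table -AutoSize
```

The Where-Object filter on PSIsContainer is there instead of Get-ChildItem -File so the script also runs on the PowerShell 2.0 that Windows 7 shipped with; the exit-code check matters because wevtutil writes its error to the console and does not throw.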

Download EvtLogParser.1.0.0.5.zip
Please note that it requires at least .NET Framework 2.0 to be installed.

Scanning multiple EventLogs with EventCombMT

December 28, 2009

Have you ever needed to search for a specific event on many computers?
If you did, and didn't use EventCombMT… shame on you!

EventCombMT is a multithreaded tool (hence the ‘MT’ at the end) that you can use to search the event logs of several different computers for specific events, all from one central location.

You can set EventCombMT to search for individual event IDs, multiple event IDs or a range of event IDs, or a specific event source with or without specific text in the event's description. You can also set how many minutes, hours, or days back to scan the event logs.

EventCombMT has many built-in searches, such as Account Lockouts (Event IDs 529, 644, 675, 676, and 681) and NETLOGON Failed To (De)Register DNS Records (Event IDs 5774, 5775, 5781, 5788).

After the search finishes, the program opens the local \TEMP folder (or the folder you selected as the output folder), which contains a number of text log files for the search:
– EventCombMT.txt: the log of the program's own actions
– %machine%-_LOG.txt: the results of the search on that particular machine's log

EventCombMT.exe also has many command-line options, such as:

– To load a search that you previously saved use: /load:<name of saved search>

– To add all DCs in your domain to the list of servers to search use: /dc

– To add DCs from another domain use: /dc:<domain name>

– To add servers from a text file use: /file:<path to file>

– To specify events to search for use: /evt:"events" (for example: /evt:"644 528 639")

– To specify the types of events to collect use: /et:weisafasu OR /et:all

  (w – Warning, e – Error, i – Informational, sa – Success Audit, fa – Failure Audit, su – Success)

– To specify event logs types use: /log:sysappsecdsfrsdns OR /log:all

  (sys = System, app = Application, sec = Security, ds = Directory Services, frs = FRS, dns = DNS)

– To specify the output directory use: /outdir:"path to output folder"

– To specify the number of threads use: /t:<number> (The default is 25)

– To specify the Event Source use: /source:"event source" (for example: /source:netlogon)

– To specify the text that needs to be in the event use: /text:"text to match"

NOTE: The search is case insensitive.

– To automatically start searching use the /start argument
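Put together, those switches let you run the tool unattended, which is what you want for a daily check. The following is an added example, not part of the original post or of EventCombMT itself: it builds the command line for the Account Lockouts search (the event IDs listed above) against every DC in the domain, starts it, and then summarises the per-machine result files that land in the output folder. The path to EventCombMT.exe and the output folder are assumptions.

```powershell
# Added example (not from the original post): unattended EventCombMT search for the
# Account Lockouts event IDs on all domain controllers, followed by a summary of
# the per-machine result files. Switch syntax is the one documented in this post.
# Assumed placeholders: the path to EventCombMT.exe and the output folder.
$EventCombMT = 'C:\Tools\ALTools\EventCombMT.exe'                   # assumed location
$OutDir      = 'C:\EventCombMT\' + (Get-Date -Format 'yyyy-MM-dd')  # one folder per daily run
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# The Account Lockouts built-in search from the post: 529, 644, 675, 676, 681.
$EventIds = '529 644 675 676 681'

$arguments = @(
    '/dc'                       # every domain controller in the current domain
    '/log:sec'                  # Security log only
    "/evt:`"$EventIds`""        # space-separated IDs inside one quoted value
    '/et:fasa'                  # Failure Audit and Success Audit entries only
    "/outdir:`"$OutDir`""       # keep each run's results apart from the \TEMP default
    '/t:10'                     # fewer threads than the default of 25 on a busy network
    '/start'                    # begin searching without waiting for a click
) -join ' '

Write-Host "Running: $EventCombMT $arguments"
# Wait for the EventCombMT process to exit before reading its output files.
Start-Process -FilePath $EventCombMT -ArgumentList $arguments -Wait -NoNewWindow

# EventCombMT.txt is the tool's own log; every other .txt is a %machine%-_LOG.txt with that machine's hits.
Get-ChildItem -Path $OutDir -Filter '*.txt' |
    Where-Object { $_.Name -ne 'EventCombMT.txt' } |
    ForEach-Object {
        [pscustomobject]@{
            Machine = $_.BaseName -replace '-_LOG$', ''
            Lines   = @(Get-Content -Path $_.FullName).Count
            File    = $_.FullName
        }
    } |
    Sort-Object Lines -Descending |
    Format-Table -AutoSize
```

The summary only counts lines per machine, because the post does not describe the layout of the per-machine files; open the largest one first, since that is the DC that saw the most lockout-related events in the window you scanned.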

The EventCombMT utility is included both in the Windows Server 2003 Resource Kit Tools (http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd) and in the Account Lockout and Management Tools (http://www.microsoft.com/downloads/details.aspx?familyid=7af2e69c-91f3-4e63-8629-b999adde0b9e).

Note:
The EventCombMT.exe from the Windows Server 2003 Resource Kit is from April 2003, while the EventCombMT.exe from the ALTools is from May 2002 but seems to have more options under the Options menu. Weird…