Nuo Yan

EventCombMT.exe - A Good Tool To Collect Event Logs

A tool called EventCombMT.exe, shipped in the Windows Server 2003 Resource Kit and in the Account Lockout and Management Tools, helps network administrators export specific kinds of event log entries from one or more servers to a single text file.

Event logs may be overwritten and therefore need to be backed up, but powerful tools such as MOM 2005 are too expensive for small businesses. EventCombMT.exe is a simple, free tool that lets administrators in small businesses export the event log entries they care about to a central location as a text file.

Let's start EventCombMT.exe; its main interface is shown in Figure 1. If we are not in a domain environment, it may pop up a dialog box saying that it cannot find the domain controller.

Figure 1

Right-click the “Select To Search / Right Click To Add“ box, then select “Add Single Server“ (Figure 2). Other kinds of servers can be added as well; in this case we use a single server as the example.

Figure 2

Enter the server name or click “Browse“ to browse the server list. Then click “Add Server“ (Figure 3).

Figure 3

Next, choose the types of log files to search, for example the System log, as shown in Figure 4.

Figure 4

Then choose the event types to collect, such as warnings and errors (Figure 5).

Figure 5

We should also enter the range of event IDs to search, for example events with IDs from 1 to 800, as Figure 6 shows.

Figure 6

We could also select a specific event source. Then click “Search”; the tool generates a log file of its own run and exports the log entries that meet our criteria to another text file, as Figure 7 shows.

Figure 7

Figure 8 and Figure 9 show the information included in the text files.

Figure 8

Figure 9

Comments

Roger Enright said:

Hi, I would like to have the EventCombMT run from task scheduler automatically...is this possible? In specific, to have it start and run a search on a timed schedule and create regular log files that can be searched. I can't find any documentation for switches that can be used to specify having it run a specific search automatically. Do you know of a way? Thanks! Roger
# December 12, 2005 1:26 PM

ROLLY POLLY said:

I think we all have the same problem...how to automate eventcombmt ?

# April 3, 2008 12:07 PM

CoolPolarbear said:

Switches are case sensitive!!! they must be all lowercase.

Load a Saved Search

   To load a search that you previously saved use:

       /load:<previously saved search>

   NOTE: if /load is specified no other parameters are parsed, except for /start.

DCs

   To add all DCs in your domain to the list of servers to search use:

       /dc

   To add DCs from another domain use:

       /dc:<domain name>

       Example: /dc:redmond

Servers (from file)

   To add servers from a text file use:

       /file:<path to file>

       Example: /file:"C:\program files\reskit\server.txt"

Servers (from command line)

   To add server from the command line use:

   /s:<server name>    

Events

   To specify events to search for use:

       /evt:"string of events"

       Example: /evt:"644 528 639"

Event Types

   To specify the types of events to collect use:

       /et:weisafasu

           OR

        /et:all

   The different types are:

       w - Warning

       e - Error

       i - Informational

       sa - Success Audit

       fa - Failure Audit

       su - Success

       Use all to search for all types

Event Logs

To specify event logs types use:

   /log:sysappsecdsfrsdns

           OR

   /log:all

   The log types are:    

       sys = System

       app = Application

       sec = Security

       ds = Directory Services

       frs = FRS

       dns =  DNS

Output Directory:

To specify the output directory use:

  /outdir:"path to where output files should be written"

   example: /outdir:"c:\program files\reskit\"

   NOTE: Do not specify a filename. The path should include the trailing '\'.

Threads

To specify the number of threads use:

  /t:<number>    

NOTE: The default is 25.

Event Source

   To specify the Event Source use:

  /Source:"Source of event message"

   Example: /source:netlogon

   NOTE: When using the GUI the list of sources is pulled from the registry. When populated from the command line there is no validation checking. You could choose a source and a log/event combination that is not possible.

Event Text

   To specify the text that needs to be in the event use:

  /text:"text to match"

   NOTE: Only use quotes for CMD.EXE's argument parsing. Do not include quotes, or logical expressions (AND, NOT, OR) in your search criteria, unless you are actually searching for that phrase. The search is case insensitive.

Date Range

   To specify the date range use:

   /after: to set the starting point for events

   /before: to set the ending point for events.

   NOTE: Both parameters take a date in the form of MMDDYYYYHHMMSS, or Month, Day, Year, Hour, Minute, Second. The time/date format needs to be exactly 14 characters. It cannot be a year before 1980 or after 2035. Both parameters must be used together.

   Example: /after:05012002123000 /before:05052002123000

       This resolves to:

           Find Events After: Wed May 01 12:30:00 2002

           Find Events Before: Sun May 05 12:30:00 2002

All Events

   To override /text, /source, /time, /unit and /evt use:

       /getallevents.

   This is useful when you want to dump an entire event log to a text file.

These commands are only used when searching from the command line.

   /nologfile use this to skip creating a log file. This might be useful if you are parsing all the text files that were created and wanted to skip EventCombMT.txt

   /start Use /start to automatically start searching.

   NOTE: Using /start will cause MessageBoxes to be thrown in the event of errors with parameters. If your parameters are incorrect and you are not using /start, the GUI should catch any problems when you click Search.

   /help  Using /help (/? or ?) shows this page.

# February 11, 2009 9:46 PM
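The GUI walkthrough in the post and the switch reference in the comment above together describe one unattended run, which is what the earlier comments asked for. The PowerShell script below is an added example, not code from the original post or from the Resource Kit. It applies the walkthrough's filter (System log, warnings and errors, event IDs 1 to 800) to the last 24 hours using only switches listed in the reference. The install path, server name and output directory are assumptions, and the ID range is expanded into the explicit space-separated list that /evt takes. Because /load makes the tool ignore every other switch except /start, the script passes every setting explicitly instead of loading a saved search.

```powershell
# Added example, not from the original post: run EventCombMT.exe unattended
# with the filter the GUI walkthrough builds (System log, warnings and errors,
# event IDs 1-800), limited to the last $Hours hours, for use from Task Scheduler.
param(
    # Assumed install path; adjust to wherever the Resource Kit placed EventCombMT.exe.
    [string]$EventComb = 'C:\Program Files\Windows Resource Kits\Tools\EventCombMT.exe',
    # Placeholder server name.
    [string]$Server = 'SERVER01',
    # Assumed output directory; /outdir requires the trailing backslash and no filename.
    [string]$OutDir = 'C:\EventCombOut\',
    [int]$Hours = 24
)

if (-not $OutDir.EndsWith('\')) { $OutDir += '\' }
if (-not (Test-Path -LiteralPath $OutDir)) {
    New-Item -ItemType Directory -Path $OutDir | Out-Null
}
if (-not (Test-Path -LiteralPath $EventComb)) {
    throw "EventCombMT.exe not found at $EventComb"
}

# /after and /before take a 14-character MMDDYYYYHHMMSS value and must be
# supplied together. The .NET format string below produces exactly that shape.
$now    = Get-Date
$after  = $now.AddHours(-$Hours).ToString('MMddyyyyHHmmss')
$before = $now.ToString('MMddyyyyHHmmss')

# /evt takes a space-separated list of IDs, so the GUI's 1-800 range is expanded.
$ids = (1..800) -join ' '

# Switch names are case sensitive and must be lowercase. /load is deliberately
# not used: with /load, every other switch except /start is ignored.
$switches = @(
    "/s:$Server",
    '/log:sys',
    '/et:we',
    "/evt:`"$ids`"",
    "/after:$after",
    "/before:$before",
    "/outdir:`"$OutDir`"",
    '/nologfile',
    '/start'
) -join ' '

Write-Host "Running: $EventComb $switches"
$proc = Start-Process -FilePath $EventComb -ArgumentList $switches -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    Write-Warning "EventCombMT.exe exited with code $($proc.ExitCode)"
}

# List the text files EventCombMT wrote during this run.
Get-ChildItem -LiteralPath $OutDir -Filter '*.txt' |
    Where-Object { $_.LastWriteTime -ge $now.AddMinutes(-1) } |
    Select-Object Name, Length, LastWriteTime
```

To run it nightly, save it as a script (the path below is an assumption) and register it with Task Scheduler, for example `schtasks /Create /SC DAILY /ST 01:00 /TN "EventComb nightly" /TR "powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\Run-EventComb.ps1"`, under an account that has read access to the remote event logs. Since an export of the Security log is as sensitive as the log itself, restrict the output directory's ACL to the administrators who need it.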

Brice said:

I know the post is not recent, but who knows, maybe someone will see my question:

I want to run the following command:

eventcombMT.exe /load:mysearch /file:srv.txt /after:02252009090000 /before:02252009094000 /nologfile /start

If I don't use the switch /start, the gui comes up with all the good settings and I can click "Start" straight away and run the search. No error comes up.

But if I use the /start switch, I am getting: "No servers or logs to search".

Someone had the same problem or could see a way to workaround?

# February 24, 2009 7:10 PM

En said:

Gents,

I've run into issues with the /after and /before switches.

It always errors out with "Argument /after was not recognized".

The switches are all in lower case and they are in the 14 character format as stated in the above reply.

Any help would be appreciated!

# April 16, 2009 10:08 PM

holgerb said:

How can I use saved .evt file from a directory?

I need a switch for the command line!

# June 4, 2009 1:30 AM

payday loans online said:

Good Day!!! msmvps.com is one of the best resourceful websites of its kind. I take advantage of reading it every day. I will be back.

# December 10, 2009 8:12 AM