Please let us know how useful you find this tip by rating it below. Do you have a useful Windows tip, timesaver or workaround to share? Submit it to our tip contest and you could win a prize!
One of the biggest challenges systems administrators face is managing the critical systems logs that their servers and workstations generate daily. It can be difficult to strike a balance between collecting all of the information you need to manage your systems well and keeping the signal-to-noise ratio at a bearable level.
The difficulties this creates in monitoring the security and overall well-being of your network are obvious: If a disk drive records an error message or an intruder creates a failed audit entry and a systems administrator doesn't notice it, did it really happen? (The answer is, "Of course it happened, but because we didn't know about it, we didn't do anything to fix it.")
So, what should you do if you can't convince the powers that be to lay out the necessary budget to deploy a tool like Microsoft Operations Manager (MOM) or Systems Management Server (SMS)?
One answer is the old standby utility, EventCombMT, which parses Windows Event Logs from multiple computers into a single unified view and provides some canned queries to help you look for account lockouts, disk errors and the like. You can download EventCombMT as part of a larger set of Account Lockout and Management Tools.
I highly recommend that you check these out if you spend any amount of time managing Windows user accounts. The free program includes a LockoutStatus.exe tool that indicates which domain controller is receiving incorrect password requests for a particular user account, as well as NLParse.exe to extract information from your Netlogon log files.
However, there's another free tool on Microsoft's Web site that you may not know about. It parses log files from not only the Event Viewer, but also from IIS log files, the Windows Registry, file system meta data, Active Directory and any other XML- or CSV-based log files that you work with. Log Parser (currently downloadable in version 2.2), uses a simplified SQL-like query language to extract data from all of these data sources, allowing you to quickly hone in on just the information you need.
For example, you can run a query against the log files of an IIS Web server to look for Web pages that are taking a long time to load. To do this using Log Parser, you'll execute a query similar to this one:
Logparser.exe "SELECT cs-uri-stem FROM ex*.log WHERE time-taken > 20000" –i:IISW3C
You can integrate Log Parser with administrative scripts, too, using the "LogParser.exe" executable; or extend it programmatically using a pre-packaged "logparser.dll" dynamic-link library (DLL).
So, what's the catch? Log Parser came into this world as a resource kit utility, so its documentation was a bit scarce in earlier versions. But a strong Internet community has grown up around Log Parser, and you can now find a good number of references to help you get started, including the following:
Laura E. Hunter (CISSP, MCSE: Security, MCDBA, Microsoft MVP) is a senior IT specialist with the University of Pennsylvania, where she provides network planning, implementation and troubleshooting services for various business units and schools within the university. She is the server management expert for SearchWinSystems.com.
