Windows event logs can be a wealth of useful information about what's going wrong -- or right -- with one or more
servers. Unfortunately, plowing through them by hand using the Event Viewer tool is rarely productive. If you've ever wanted to do quick and dirty searches on Windows event logs, but hate the idea of spending money on a boxed product or trying to run a mysteriously worded script to do it, there's help.
EventCombMT is a little-known Microsoft tool to run searches for event IDs or text strings against Windows event logs for systems, applications and security, as well as File Replication Service (FRS), domain name system (DNS) and Active Directory (AD) logs where applicable. The "MT" in the name means multi-threaded. The program is part of the Account Lockout and Management Tools program package for Windows 2000, 2003 and XP. For some reason it is not available as a standalone download, but the package itself is free.
Running and scanning with EventCombMT
When you run the program, it first attempts to determine what domain the host computer is currently attached to. If you run EventCombMT on a machine that's not part of a domain (i.e., a workgroup machine), you'll get an error on startup. If you only plan to search the local machine's logs, then you can safely ignore this message. The "Domain" box in the program's GUI is automatically populated by whatever domain is detected, but you can override it by typing in another domain name.
To tell the program which computers to scan, right click "Select to Search/Right Click to Add" and choose an option. If you're connected to a domain, you can automatically add the names of all registered domain controllers, all global catalogs (GCs) or all servers regardless of their roles. You can also add individual machines by machine name or IP address. (If you want to search the local machine, choose "Select Single Server" and use the server name 127.0.0.1.) The "Choose Log Files to search:" section lets you select which log files can be scanned for the machines in question; note that the FRS, DNS and AD boxes will only be enabled when you're in a domain that has such machines.
Check off all types of events to scan for in the "Event Types" area. If you select "Get All Events With Above Criteria," it will ignore the search constraints below and simply return anything that matches the selected event types. The "Threads" slider lets you determine how many threads the program will assign to the search processes, since they can be done in parallel. The default threading parameters should be good unless you are searching literally dozens of machines at once. In that case you can increase this slider a bit. (Maxing it out can actually be bad for performance though.)
Call your own searches or use pre-built searches
The "Event IDs" box lets you specify event IDs to search for. If you want to search for multiple event IDs, separate each one with a space; if you want to search for a range of event IDs, type the lowest and highest event ID you want to look for in the second and third text boxes, respectively, on the same line next to the Event IDs box. Choosing an item from the "Source" dropdown limits the search to a specific service. "Source" is only available if you're searching the System log exclusively. If you select any other log type, it will be grayed out. To search for a specific text string in any log entry, type a case-insensitive search parameter in the "Text" box.
When you click "Search," the program populates the "Threads Running" box with a list of all the machines currently being searched. After the search finishes, the program opens the local \TEMP folder, which will contain a number of text file logs for the search action:
EventCombMT.txt: The log for the program's own actions
Many pre-built searches are included under the "Searches" option in the program's main menu. For instance, the "Account Lockouts" option polls all servers for information about locked-out accounts; "Duplicate SIDs" can determine which machines in the domain have SID collision problems (which can happen when machines are imaged incorrectly).
Making the most of EventCombMT's functions
The "Options" menu contains a great many functions documented in the program's help file. The most useful ones are worth talking about here:
Event Log Direction: This allows you to choose which way the logs are to be searched (oldest to newest entries, or vice versa).
Resolve Hostname in 675 Records: This governs how the program tries to resolve hostnames for IP addresses that are logged in Event ID 675 errors in the Security log. If enabled, the program attempts to resolve a hostname for the IP address. Note that this can slow things down and may not return accurate results if, for instance, the DHCP lease for the IP address in question has expired.
Only Get One Matching Event: Returns the first event found for the selected search criteria and then immediately aborts the search. One recommended use of this function is to do a quick search for the last time your server rebooted (Event ID 6009, Informational, System), in conjunction with a backwards search of the logs.
Use Alternate Credentials: Allows you to use another set of credentials for connecting to servers, but this may not work reliably across the broad range of protocols used by the program.
Slow Parameter Parsing: This performs extra checking on the text of a log event to ensure that all instances of variables ("%1", etc.) are replaced with their respective texts.
Write Results to Database: This function writes out the result to an Access database instead of a CSV text file.
Decode Event 1000 Flags: When set, the program attempts to decode extra, contextual information passed with Event 1000 errors.
About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!
This tip orginally appeared on SearchWindowsSecurity.com.