Tracking Events on Multiple Computers

When you are working with a specific system or trying to track down issues, Event Viewer is an excellent tool to use and should be your tool of choice. As you've seen, Event Viewer can also be used to access logs on remote systems. It isn't particularly useful, however, when you must work with many systems as might be the case if you routinely check the event logs on all critical systems in the organization. For checking the event logs on many systems, you need a power tool, and two such power tools are available:

  • Eventquery A command-line tool for examining the event logs on local and remote systems

  • EventComb A Windows Server 2003 Resource Kit tool for searching the event logs on multiple systems

Quick Look: Using Eventquery

By using Eventquery within a batch script, you can quickly and easily automate the process of checking event logs on multiple systems using a variety of filters. You could then write this information to a central log file or a Web page, giving you a one-stop location for checking the event logs.

The most common search you'll perform in the event logs using Eventquery is a search in a specific log for warning or error events. You can search for warning events on a local computer by typing the following:

eventquery /l "LogName" /fi "type eq warning"

where LogName is the name of the event log you want to search. You can search for error events on a local computer by typing this:

eventquery /l "LogName" /fi "type eq error"

For example, if you want to search the Application log on the local system for error events, you'd type:

eventquery /l "Application" /fi "type eq error"

To search for events on remote systems, add the /S parameter followed by the name or IP address of the remote system. You need rights to read the event logs on the remote system (administrative rights are the simplest way to get them). Eventquery also accepts /U and /P for alternate credentials, but a password typed on the command line is visible to anyone who can see the process list or your command history, so prefer running the command under an account that already has the rights. Consider the following example:

eventquery /s corpsvr02 /l "Application" /fi "type eq error"

Here, you search the Application log on CORPSVR02 for error events.

By default, Eventquery returns the 50 most recent events that match the particular filter you've defined. For the previous example that would mean you'd get a list of up to 50 errors, most recent first, such as the following:

------------------------------------------------------------------------------
Listing the events in 'application' log of host 'CORPSVR02'
------------------------------------------------------------------------------
 Type     Event   Date         Time          Source            ComputerName
 -------- ------- ------------ ------------- ----------------- ---------------
 Error    11706   1/28/2004    2:55:03 PM    MsiInstaller      CORPSVR02
 Error    8019    1/25/2004    1:26:07 PM    NTBackup          CORPSVR02
 Error    8001    1/25/2004    1:26:05 PM    NTBackup          CORPSVR02
 Error    1053    1/18/2004    1:16:39 PM    Userenv           CORPSVR02
 Error    1053    1/18/2004    1:11:37 PM    Userenv           CORPSVR02
 Error    1053    1/18/2004    1:06:35 PM    Userenv           CORPSVR02
 Error    1030    1/18/2004    1:01:34 PM    Userenv           CORPSVR02
 Error    1058    1/18/2004    1:01:34 PM    Userenv           CORPSVR02
 Error    1030    1/18/2004    12:56:34 PM   Userenv           CORPSVR02
 Error    1058    1/18/2004    12:56:34 PM   Userenv           CORPSVR02
 Error    1058    1/18/2004    12:51:34 PM   Userenv           CORPSVR02
 Error    1030    1/18/2004    12:46:34 PM   Userenv           CORPSVR02
 Error    1058    1/18/2004    12:46:34 PM   Userenv           CORPSVR02
 Error    1030    1/18/2004    12:41:34 PM   Userenv           CORPSVR02
 Error    1058    1/18/2004    12:41:34 PM   Userenv           CORPSVR02
 Error    1053    1/18/2004    12:34:42 PM   Userenv           CORPSVR02
 Error    1000    1/17/2004    2:26:17 PM    Application Error CORPSVR02
 Error    1000    1/17/2004    2:26:04 PM    Application Error CORPSVR02
 Error    1000    1/17/2004    2:25:07 PM    Application Error CORPSVR02

To control the maximum number of events returned, you use the /R parameter. Follow /R with the number of events to return. For example, to return the 100 most recent events that match the filter, you'd type /r 100. When you are collecting output from a script, /fo csv switches the output to comma-separated values and /nh suppresses the column header row, which makes the output easier to parse. To learn more about Eventquery and its possible uses, type eventquery /? at the command line.
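The point of the batch-script approach above is that the output of many Eventquery runs can be pulled into one place. The following script is an added example, not code from the book: it assumes each host was queried with the command shown earlier and its output redirected to a text file (for example, eventquery /s corpsvr02 /l "Application" /fi "type eq error" > corpsvr02.txt), then parses the table format shown in the listing, counts events by host, log, source and event ID, and reports the IDs that recur, since a flood of the same ID at a fixed interval (the Userenv 1030/1058 pairs above repeat every five minutes) normally has a single root cause. The embedded sample input is the listing from this page; the file names and the three-occurrence threshold are assumptions.

```python
"""Added example (not from the book): merge captured Eventquery output from
several hosts into one summary and flag repeating event IDs.

Assumed workflow (not prescribed by the book): each host is queried with
    eventquery /s HOST /l "Application" /fi "type eq error" > HOST.txt
and the resulting files are passed to this script on the command line.
"""
import re
import sys
from collections import Counter, defaultdict
from datetime import datetime

# Banner line that Eventquery prints above each table, as shown on the page.
BANNER = re.compile(r"Listing the events in '(?P<log>[^']+)' log of host '(?P<host>[^']+)'")
# One event row: Type, Event ID, Date, Time, Source (may contain spaces), ComputerName.
ROW = re.compile(r"^\s*(?P<type>\w+)\s+(?P<id>\d+)\s+(?P<date>\d+/\d+/\d+)\s+"
                 r"(?P<time>\d+:\d+:\d+ [AP]M)\s+(?P<source>.+?)\s+(?P<computer>\S+)\s*$")

# Sample input copied from the listing on this page (trimmed to the rows shown).
SAMPLE = """\
------------------------------------------------------------------------------
Listing the events in 'application' log of host 'CORPSVR02'
------------------------------------------------------------------------------
 Type     Event   Date         Time          Source            ComputerName
 -------- ------- ------------ ------------- ----------------- ---------------
 Error    11706   1/28/2004    2:55:03 PM    MsiInstaller      CORPSVR02
 Error    8019    1/25/2004    1:26:07 PM    NTBackup          CORPSVR02
 Error    8001    1/25/2004    1:26:05 PM    NTBackup          CORPSVR02
 Error    1053    1/18/2004    1:16:39 PM    Userenv           CORPSVR02
 Error    1053    1/18/2004    1:11:37 PM    Userenv           CORPSVR02
 Error    1053    1/18/2004    1:06:35 PM    Userenv           CORPSVR02
 Error    1030    1/18/2004    1:01:34 PM    Userenv           CORPSVR02
 Error    1058    1/18/2004    1:01:34 PM    Userenv           CORPSVR02
 Error    1030    1/18/2004    12:56:34 PM   Userenv           CORPSVR02
 Error    1058    1/18/2004    12:56:34 PM   Userenv           CORPSVR02
 Error    1058    1/18/2004    12:51:34 PM   Userenv           CORPSVR02
 Error    1030    1/18/2004    12:46:34 PM   Userenv           CORPSVR02
 Error    1058    1/18/2004    12:46:34 PM   Userenv           CORPSVR02
 Error    1030    1/18/2004    12:41:34 PM   Userenv           CORPSVR02
 Error    1058    1/18/2004    12:41:34 PM   Userenv           CORPSVR02
 Error    1053    1/18/2004    12:34:42 PM   Userenv           CORPSVR02
 Error    1000    1/17/2004    2:26:17 PM    Application Error CORPSVR02
 Error    1000    1/17/2004    2:26:04 PM    Application Error CORPSVR02
 Error    1000    1/17/2004    2:25:07 PM    Application Error CORPSVR02
"""


def parse_eventquery(text):
    """Return one dict per event row. The host and log come from the banner;
    separator and header rows never match ROW and are skipped."""
    events, log, host = [], None, None
    for line in text.splitlines():
        m = BANNER.search(line)
        if m:
            log, host = m.group("log"), m.group("host")
            continue
        if host is None:          # nothing before the first banner is data
            continue
        m = ROW.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group("date") + " " + m.group("time"),
                                 "%m/%d/%Y %I:%M:%S %p")
        events.append({"host": host, "log": log, "type": m.group("type"),
                       "id": int(m.group("id")), "time": when,
                       "source": m.group("source"), "computer": m.group("computer")})
    return events


def summarize(events):
    """Count events by (host, log, source, event id)."""
    return Counter((e["host"], e["log"], e["source"], e["id"]) for e in events)


def repeating(events, threshold=3):
    """Return (host, log, source, id, count, first_seen, last_seen) for every
    key seen at least `threshold` times, most frequent first. Ties are broken
    by host, source and id so the order is stable across runs."""
    seen = defaultdict(list)
    for e in events:
        seen[(e["host"], e["log"], e["source"], e["id"])].append(e["time"])
    rows = [key + (len(t), min(t), max(t)) for key, t in seen.items() if len(t) >= threshold]
    rows.sort(key=lambda r: (-r[4], r[0], r[2], r[3]))
    return rows


if __name__ == "__main__":
    # With no arguments, run over the embedded sample; otherwise over captured files.
    texts = [open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[1:]] or [SAMPLE]
    events = [e for t in texts for e in parse_eventquery(t)]
    print("%d events from %d host(s)" % (len(events), len({e["host"] for e in events})))
    for host, log, source, eid, count, first, last in repeating(events):
        print("%-12s %-12s %-18s %6d  x%-3d %s .. %s" % (host, log, source, eid, count, first, last))
```

Run it with the captured files as arguments (python eventsweep.py corpsvr02.txt corpsvr03.txt); the summary is what you would write to the central log file or Web page the text describes.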

Note

Other useful command-line tools for working with the event logs include Eventcreate and Eventtriggers. Eventcreate can be used to create custom events in the event logs. Eventtriggers can be used to monitor event logs for specific events, and then it acts on those events by running tasks or commands.

Quick Look: Using EventComb

EventComb, shown in Figure 15-13, is a Windows Server 2003 Resource Kit tool used for searching the event logs on multiple systems. If you've installed the Resource Kit as discussed in Chapter 1, you can start EventComb by typing eventcombmt at the command line.

Figure 15-13. EventComb lets you search multiple systems in a domain for events by event ID, source, and search text

By using EventComb, you can search multiple systems in a specified domain for events that match a set of search criteria you specify. Before you can start a search, you must first specify the domain to work with and the computers to search in that domain. By default, the current domain is entered in the Domain field. If you want to work with computers in another domain, type the fully qualified domain name in the Domain field, such as Tech.cpandl.com. Next, right-click the text area labeled Select To Search/Right-Click To Add. This displays a shortcut menu that allows you to select computers to search. The options include the following:

  • Get DCs In Domain Polls the network to obtain a list of all domain controllers in the domain

  • Add Single Server Allows you to add servers by name or IP address

  • Add All GCs In This Domain Polls the network to obtain a list of all global catalog servers in the domain

  • Get All Servers Polls the network to obtain a list of all servers in the domain

  • Get Servers From File Gets a list of servers to use from a text file

Any computers you choose are added to the search list, as shown in Figure 15-14. Adding computers to the list doesn't select them for searches, however. Use Shift+Click or Ctrl+Click to select the computers in the list that you want to search. Then specify the log files to search and the type of events to look for. Logs you can search include System, Application, Security, FRS (the File Replication Service log), DNS (the DNS Server log), and AD (the Active Directory Service log). Event types you can search for include Error, Warning, Informational, Success Audit, and Failure Audit.

Figure 15-14. To specify computers to search, right-click the text area labeled Select To Search/Right-Click To Add

Tip

Set the output directory

By default, EventComb uses C:\Temp as the output directory for files it creates. To change the output directory, select Options, Set Output Directory, and then choose a new output directory by using the Browse For Folder dialog box.

After you specify the logs to search and the type of events to look for, you specify which events should be returned in the result set. To get all events with the specified event types, select Get All Events With Above Criteria, and then click Search. To add filters so that only matching events are returned, you can use the following options:

  • Event IDs Includes only events with the event ID you specify. You can also enter a range. For example, if you wanted to include event IDs 0 to 1000, you'd enter 1000 in the first Event ID box and 0 in the >= ID box. If you wanted to include event IDs 5000 to 9999, you'd enter 5000 in the first Event ID box and 9999 in the <= ID box.

  • Source Includes only events from a specified source, such as an application, service, or component that logged the event.

  • Text Includes only events that contain the specified filter text.

Tip

Specify how far to search back

If desired, you can limit the search so that only recent events are examined. To do this, use the Scan Back panel to specify how far back in minutes, hours, or days to search.

Finally, when you are ready to comb the logs, click Search, and EventComb will go to work examining the logs on the designated systems. Results are written to an output directory, which by default is C:\Temp. EventComb creates a status log (EventCombMT.txt) in the output directory. This log records EventComb's actions as it searches the logs on the specified systems. If any errors occur during log retrieval, such as a system that could not be reached or a log you lacked rights to read, this is where you'll find them.

In the output directory, you'll also find comma-delimited text files for each log on each server that had events matching your search criteria. So, if you search many logs on many systems, you could end up with dozens or hundreds of separate files. Each file contains only events that match your filter criteria and is named using the format ComputerName-LogType_LOG.txt, such as CORPSVR02-System_LOG.txt for the System log from CORPSVR02. Figure 15-15 shows an example log.

Figure 15-15. Events that match your search criteria are written to a computer- and log-specific text file
