If someone asked me to name the administrative tasks that I despise, I would have to include searching event logs. Using the log-search tools included with most Windows products to find a specific event-log entry requires a combination of skill, guesswork, and luck—and the larger the environment, the more difficult the search. Large organizations tend to solve this problem by using expensive log-consolidation servers, databases, and search tools—a solution that rivals many modern business intelligence (BI) systems and their data-mining efforts. Smaller organizations with limited resources tend to depend on the built-in Event Viewer tools and simple log utilities.

Searching event logs doesn't have to be complicated. The Microsoft TechNet Web site offers a simple, effective utility called EventCombMT as well as event-log searching tips. Best of all, the utility and tips are free. They're part of the Microsoft online guide "Security Operations Guide for Windows 2000 Server" (http://www.microsoft.com/technet/security/prodtech/windows/windows2000/staysecure/default.asp). After you go to this Web page, you can download the .zip file (secops.exe) that contains EventCombMT by clicking Download the associated Scripts. (If you want to access secops.exe directly, go to http://www.microsoft.com/downloads/release.asp?releaseid=36834.) Secops.exe contains several utilities; you'll find EventCombMT in the \securityops\eventcomb folder. You can use this handy utility's many options to perform built-in and custom searches.

Using EventCombMT's Options
EventCombMT lets you query event logs from multiple computers (servers and workstations) for a specific event ID, a range of event IDs, or specific text within an event. After you launch the utility by double-clicking eventcombmt.exe, it will query you for your current domain and prepopulate a computer list with known domain controllers (DCs). If you need to use a different set of credentials, such as your Administrator account, you can specify those credentials by selecting the Use Alternate Credentials option on the Options menu.

To use EventCombMT, you first need to select the appropriate computers to search. Although the utility prepopulates the computer list with DCs in your domain, you can search virtually any DC, member server, or workstation for which you have credentials. The Win2K default settings require that you be an administrator or domain administrator to query a local computer's Security log or a DC's Security log, respectively.

To add a machine to the computer list, right-click inside the Select To Search/Right Click To Add box. As Figure 1 shows, this box is just below the Domain text box. Select Add Single Server. In the Add Server dialog box, enter the name of the computer you want to add in the Server Name text box. Although the text box is labeled Server Name, you can enter the name of any DC, member server, or workstation running Windows NT 4.0 or later. (If you don't know the computer's name, you can click Browse and navigate to the computer.) Click Add Server, then click Close. The Select To Search/Right Click To Add box should now include that computer's name. Select that computer by clicking it.

Next, you need to select the log files for which you want to search on the computer you just selected. If you selected a workstation running Windows XP or Win2K Professional, or a computer running NT Workstation 4.0 or NT Server 4.0, you can search only the System, Application, and Security logs. If you selected a DC running Windows .NET Server (Win.NET Server) 2003 or Win2K, you can search three additional logs: FRS, DNS, and AD. Searching the FRS log lets you monitor the health of the File Replication Service (FRS), whereas searching the DNS log lets you monitor DNS replication traffic. If you want to find duplicate SIDs in Active Directory (AD), you can search the AD log.

After you select the log files, you'll likely want to concentrate your search by specifying the types of events for which you want to search. Audit events are typically recorded as either a Success Audit or Failure Audit. For EventCombMT to return audit events, auditing must be enabled on the target computer. Auditing is enabled on a per-computer basis unless Group Policy Objects (GPOs) override the local audit policy. Error, Informational, and Warning events are usually related to system events.

Next, you can narrow your search by filling in the Event IDs, Source, Text, and Scan Back options. Entering the appropriate event ID in the Event IDs text box is the most important way to narrow a search. You can enter one event ID or multiple event IDs. (If you list multiple event IDs, separate them with spaces.) To search a range of event IDs, you can use the > ID < option.

The Source option lets you select a specific process (e.g., Print, SAM, Schedule) to search. By default, EventCombMT searches ALL SOURCES, but you can change that default by selecting a process from the drop-down list. If you want to search for a specific string in a log, you can enter that string in the Text string box. You can also specify how far back you'd like to search through event logs. After you decide how far back you'd like to search, enter that information in the Scan Back text box. Be sure to select the appropriate Minutes, Hours, or Days option.
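The same kind of multi-computer search expressed in PowerShell, as an added example (it is not part of the article or of the EventCombMT download): a computer list, a set of event IDs, a Scan Back window, an audit-type filter and an optional Text string, with the matches counted per server and per event ID. The computer names are placeholders, and the script assumes you hold rights to read each remote Security log.

```powershell
# Added example: an EventCombMT-style search with Get-WinEvent (not the
# article's or Microsoft's code). Assumes read access to the remote
# Security logs and that remote event log access is allowed through the
# firewall. Computer names are placeholders.
$Computers = @('DC01', 'DC02', 'FILESRV01')       # the "Select To Search" list
$EventIds  = @(529, 4625)   # failed logon: 529 on NT/Win2K/2003, 4625 on Vista and later
$ScanBack  = New-TimeSpan -Hours 24                # the Scan Back box, in hours
$TextMatch = ''                                    # the Text box; '' matches everything

# Equivalent of ticking only "Failure Audit"; drop Keywords to match both audit types
$Filter = @{
    LogName   = 'Security'
    Id        = $EventIds
    StartTime = (Get-Date) - $ScanBack
    Keywords  = 0x8010000000000000                 # AuditFailure keyword
}

$Results = foreach ($Computer in $Computers) {
    try {
        Get-WinEvent -ComputerName $Computer -FilterHashtable $Filter -ErrorAction Stop |
            Where-Object { $TextMatch -eq '' -or $_.Message -like "*$TextMatch*" } |
            Select-Object @{ n = 'Computer'; e = { $Computer } }, TimeCreated, Id, ProviderName, Message
    }
    catch {
        # Get-WinEvent reports "no events" as an error; only surface real failures
        # such as RPC server unavailable or access denied.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$Computer : $($_.Exception.Message)"
        }
    }
}

# Summary: how many times each event ID occurred on each computer
$Results | Group-Object Computer, Id |
    Select-Object Name, Count |
    Sort-Object Name

# Full detail of every match, if the summary is not enough
$Results | Format-Table Computer, TimeCreated, Id, Message -AutoSize -Wrap
```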


Reader Comments

The information is good, but I also wanted to know more about the results it generates... Does it give me a summary of the search? Like the number of times 529 occurred on each server, etc.?

prasannav
