(When you type Dumpel commands at a command prompt, don't include line breaks.) Dumpel writes all events to the output file machine1seclog.txt in the directory that the %temp% environment variable specifies.

Isolating key events. The output from the above commands is a text-file version of all the records in the Security log. Examining that output is neither cleaner nor faster than scrolling through the Security log with Event Viewer. To filter the log for specific events (e.g., domain or local account logon failures, changes to local security policy), you need to fine-tune Dumpel's output. Two command-line options assist in this task: the -m source argument and the -e EventID1, EventID2, ... argument.

The -m source argument selects records by the source OS component responsible for posting the event. This argument can be any of the components that appear in the Source column you see when you display the Security log in Event Viewer. So, for example, in the Security log, the source must be one of the following: DS, Local Security Authority (LSA), Network Dynamic Data Exchange (NetDDE) Object, Service Control (SC) Manager, Security, SAM, or Spooler. Dumpel would be more useful if you could specify multiple sources or, alternatively, specify a category such as Logon/Logoff on the command line. However, the version in Microsoft Windows 2000 Server Resource Kit Supplement One accepts one source only, just like the Filter tab in an Event Viewer log's Properties dialog box.

The -e EventID1, EventID2, ... argument selects records that match any of the specified event IDs. You can enter up to 10 event IDs. To effectively screen event records, you need to know exactly what you're looking for, preferably by source and event ID.

For example, the Security component of the OS writes logon failure events. You'll find at least two types of logon-failure event IDs in the Security log: event ID 529 (unknown username or bad password) and event ID 537 (the Netlogon component isn't active). The command

dumpel -s machine1 -l security 
-m security -e 529 537 >%temp%\Logfails.txt

extracts all events in the active Security log that match either of the logon failure event IDs. Notice that the event IDs are separated by spaces, not commas. The partial list that Figure 4 shows contains too much information on each line to let you quickly scan the file. In the section "Refining the Output," I show you how to reduce the amount of data on each line. (For a list of event IDs for failed logons, see Randy Franklin Smith, "Tracking Logon and Logoff Activity in Win2K," February 2001, InstantDoc ID 16430.)

Now, suppose you want to examine logon failure records every day. Simply add the -d 1 argument, which instructs Dumpel to select only records written during the previous day that match the specified source and event IDs. If you want to dump events weekly, add the argument -d 7.

This command extracts logon-failure records from four systems, Machine1 through Machine4:

for %i in (machine1, machine2, machine3, machine4) do
dumpel -s %i -l security -m security -e 529 537
>>%temp%\LogFails.txt

The >> redirection operator appends the output of all four Dumpel reports to the file LogFails.txt.

To create a separate output file for each system (e.g., Machine1LogFails.txt and Machine2LogFails.txt), change the output file specification to

%temp%\%iLogFails.txt

To run this command now, replace the names Machine1 through Machine4 with valid computer names on your network.

Reporting on a saved event log. By default, Dumpel examines and extracts records from the active event logs. Alternatively, you can save an active event log as an .evt file and direct the utility to report on the contents of the saved file. When you direct Dumpel to extract records from a saved event-log file, you need two arguments: -b (backup log) tells Dumpel to operate on a backup log file (not the active one), and -l (backup log file name) identifies the pathname of the saved file. The command

dumpel -b -l DoormanSecLog.evt
-m security -e 529 537 >%temp%\LogFails.txt

extracts account and local logon failure records from a saved Security log with the name DoormanSecLog.evt.
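The LogFails.txt files produced by the commands above are only useful once you can pick the repeated failures out of them. The following script is an added example (not part of the article or the Resource Kit) that applies the same source and event-ID filter as the commands above to a Dumpel dump and tallies failures per computer and account. It assumes the dump was written with Dumpel's -t switch (tab-separated fields) in the default column order of date, time, type, category, event ID, source, user, computer, followed by the event's insertion strings, of which the first two for event IDs 529 and 537 are the attempted user name and domain; the sample lines are constructed.

```python
import csv
from collections import Counter

LOGON_FAILURE_IDS = {"529", "537"}   # the IDs the article's dumpel command selects

# Constructed sample of a tab-separated Dumpel dump (column order is an assumption,
# see the lead-in). A 528 success audit is included to show the filter at work.
SAMPLE_LOGFAILS = "\n".join("\t".join(r) for r in [
    ["2/12/2001", "8:03:12 AM", "16", "2", "529", "Security", "NT AUTHORITY\\SYSTEM",
     "MACHINE1", "jsmith", "CORP", "3", "NtLmSsp", "NTLM", "WKS42"],
    ["2/12/2001", "8:03:15 AM", "16", "2", "529", "Security", "NT AUTHORITY\\SYSTEM",
     "MACHINE1", "jsmith", "CORP", "3", "NtLmSsp", "NTLM", "WKS42"],
    ["2/12/2001", "8:03:19 AM", "16", "2", "529", "Security", "NT AUTHORITY\\SYSTEM",
     "MACHINE1", "jsmith", "CORP", "3", "NtLmSsp", "NTLM", "WKS42"],
    ["2/12/2001", "9:10:44 AM", "16", "2", "537", "Security", "NT AUTHORITY\\SYSTEM",
     "MACHINE2", "backupsvc", "CORP", "2", "User32", "Negotiate", "MACHINE2"],
    ["2/12/2001", "9:15:01 AM", "8", "2", "528", "Security", "NT AUTHORITY\\SYSTEM",
     "MACHINE2", "admin", "CORP", "2", "User32", "Negotiate", "MACHINE2"],
]) + "\n"


def parse_dumpel(text):
    """Yield one dict per record; fields 0-7 are fixed, the rest are insertion strings."""
    for row in csv.reader(text.splitlines(), delimiter="\t"):
        if len(row) < 8:
            continue  # blank or truncated line
        yield {"date": row[0], "time": row[1], "type": row[2], "category": row[3],
               "event_id": row[4], "source": row[5], "user": row[6],
               "computer": row[7], "strings": row[8:]}


def logon_failures(text):
    """Same selection as 'dumpel ... -m security -e 529 537', applied to any dump."""
    return [r for r in parse_dumpel(text)
            if r["source"] == "Security" and r["event_id"] in LOGON_FAILURE_IDS]


def failures_by_account(text):
    """Count failures per (computer, DOMAIN\\user) so repeated attempts stand out."""
    counts = Counter()
    for r in logon_failures(text):
        user, domain = (r["strings"] + ["", ""])[:2]   # strings 1 and 2 of 529/537
        counts[(r["computer"], f"{domain}\\{user}")] += 1
    return counts


def repeated_failures(text, threshold=3):
    """Accounts that failed at least `threshold` times; the threshold is arbitrary."""
    return {key: n for key, n in failures_by_account(text).items() if n >= threshold}


if __name__ == "__main__":
    for (computer, account), n in sorted(failures_by_account(SAMPLE_LOGFAILS).items()):
        print(f"{computer}\t{account}\t{n}")
```

Run it as `python logfails.py < %temp%\LogFails.txt` after replacing SAMPLE_LOGFAILS with the file contents, or import the functions and pass the text in directly.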
