
Group:  English: Windows Server » microsoft.public.windows.server.scripting
Thread: Consolidate event logs?


Consolidate event logs?
"Steve Gould" <steve.gould(at)apawood.org> 5/5/2007 4:30:03 AM
Here is what I am trying to accomplish.

I want to specify a text file to a script that has the names of servers to
access. The script will grab all warnings and errors from the app and system
logs for a specified time frame, say last 24 hours or something. Then the
logs are consolidated in a file by type, "application logs" and "system
logs". I don't need to get too deep, just server name, date, time, source,
and description.

I was looking at dumpel.exe, but it doesn't seem like it will do what I want
except for security logs where I'm only looking for audit failures.

Can someone point me at a good script source?

Thanks much!

Steve


Re: Consolidate event logs?
"Jeremy" <jeremy[ at ]discussions.microsoft.com> 5/5/2007 12:08:35 PM
You might want to check out logparser. It can do exactly this and output
the data in a variety of methods, including writing it to an SQL DB
http://www.microsoft.com/technet/scriptcenter/tools/logparser/default.mspx

"Steve Gould" <steve.gould(at)apawood.org> wrote in message
news:%230mCP4sjHHA.568[ at ]TK2MSFTNGP02.phx.gbl...
> Here is what I am trying to accomplish.
>
> I want to specify a text file to a script that has the names of servers to
> access. The script will grab all warnings and errors from the app and
> system logs for a specified time frame, say last 24 hours or something.
> Then the logs are consolidated in a file by type, "application logs" and
> "system logs". I don't need to get too deep, just server name, date, time,
> source, and description.
>
> I was looking at dumpel.exe, but it doesn't seem like it will do what I
> want except for security logs where I'm only looking for audit failures.
>
> Can someone point me at a good script source?
>
> Thanks much!
>
> Steve
>

Re: Consolidate event logs?
"Steve Gould" <steve.gould(at)apawood.org> 5/6/2007 12:24:18 AM
Thank you Jeremy! It has the output processing I needed. Still, I need to
process against a number of remote servers and consolidate the output files.
I think they will consolidate OK (haven't tried yet), but I don't see a way
to use it against remote server logs. At this point I think I could install
the utility and schedule it on each server and have them output to a share.
It's not perfect, though. I might not get permission to install the utility
on each server. I'd rather process from my admin machine.

I really need some WMI scripts to pull the logs. I'll keep hunting now that
I am much closer.

Steve


"Jeremy" <jeremy[ at ]discussions.microsoft.com> wrote in message
news:D7F8298F-A8E8-4F52-B66D-50A1C5380BED[ at ]microsoft.com...
> You might want to check out logparser. It can do exactly this and output
> the data in a variety of methods, including writing it to an SQL DB
> http://www.microsoft.com/technet/scriptcenter/tools/logparser/default.mspx
>
> "Steve Gould" <steve.gould(at)apawood.org> wrote in message
> news:%230mCP4sjHHA.568[ at ]TK2MSFTNGP02.phx.gbl...
>> Here is what I am trying to accomplish.
>>
>> I want to specify a text file to a script that has the names of servers
>> to access. The script will grab all warnings and errors from the app and
>> system logs for a specified time frame, say last 24 hours or something.
>> Then the logs are consolidated in a file by type, "application logs" and
>> "system logs". I don't need to get too deep, just server name, date,
>> time, source, and description.
>>
>> I was looking at dumpel.exe, but it doesn't seem like it will do what I
>> want except for security logs where I'm only looking for audit failures.
>>
>> Can someone point me at a good script source?
>>
>> Thanks much!
>>
>> Steve
>>
>


Re: Consolidate event logs?
"Jeremy" <jeremy[ at ]discussions.microsoft.com> 5/6/2007 6:03:22 AM
Log parser can operate on remote servers, see logparser.exe -h -i:evt

One example is
Create TSV files containing Event Messages for each Source in the
Application Event Log:

LogParser "SELECT SourceName, Message INTO myFile_*.tsv FROM \\MYSERVER1\Application, \\MYSERVER2\Application"

You could certainly script this from a centralised server using a for loop
in a batch file.

FOR /F %%a in (servers.txt) do (
    REM log parser commands targeting %%a as the server name
)

servers.txt need only contain all the server names.

Good luck.

Cheers,
Jeremy.

"Steve Gould" <steve.gould(at)apawood.org> wrote in message
news:emuQkT3jHHA.4132[ at ]TK2MSFTNGP05.phx.gbl...
> Thank you Jeremy! It has the output processing I needed. Still, I need to
> process against a number of remote servers and consolidate the output
> files. I think they will consolidate OK (haven't tried yet), but I don't
> see a way to use it against remote server logs. At this point I think I
> could install the utility and schedule it on each server and have them
> output to a share. It's not perfect, though. I might not get permission to
> install the utility on each server. I'd rather process from my admin
> machine.
>
> I really need some WMI scripts to pull the logs. I'll keep hunting now
> that I am much closer.
>
> Steve
>
>
> "Jeremy" <jeremy[ at ]discussions.microsoft.com> wrote in message
> news:D7F8298F-A8E8-4F52-B66D-50A1C5380BED[ at ]microsoft.com...
>> You might want to check out logparser. It can do exactly this and output
>> the data in a variety of methods, including writing it to an SQL DB
>> http://www.microsoft.com/technet/scriptcenter/tools/logparser/default.mspx
>>
>> "Steve Gould" <steve.gould(at)apawood.org> wrote in message
>> news:%230mCP4sjHHA.568[ at ]TK2MSFTNGP02.phx.gbl...
>>> Here is what I am trying to accomplish.
>>>
>>> I want to specify a text file to a script that has the names of servers
>>> to access. The script will grab all warnings and errors from the app and
>>> system logs for a specified time frame, say last 24 hours or something.
>>> Then the logs are consolidated in a file by type, "application logs" and
>>> "system logs". I don't need to get too deep, just server name, date,
>>> time, source, and description.
>>>
>>> I was looking at dumpel.exe, but it doesn't seem like it will do what I
>>> want except for security logs where I'm only looking for audit failures.
>>>
>>> Can someone point me at a good script source?
>>>
>>> Thanks much!
>>>
>>> Steve
>>>
>>
>
>
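
A fuller version of the loop described above, covering the original request (warnings and errors from the last 24 hours, one consolidated file per log type), as an added example that is not part of the thread. It assumes Log Parser 2.2 is on the PATH and that servers.txt holds one server name per line; the output file names and failed_servers.txt are made up for illustration.

```batch
@echo off
setlocal
rem Added example, not from the thread. Assumes LogParser.exe 2.2 is on PATH.
rem Output names (Application_logs.csv, System_logs.csv, failed_servers.txt)
rem are hypothetical.

rem "Now minus one day": Log Parser timestamps start at 0000-01-01, so
rem TIMESTAMP('0000-01-02') is a 24-hour interval.
set "SINCE=SUB(TO_LOCALTIME(SYSTEM_TIMESTAMP()), TIMESTAMP('0000-01-02', 'yyyy-MM-dd'))"

if exist failed_servers.txt del failed_servers.txt

for %%L in (Application System) do (
    rem Start each run with a fresh consolidated file per log type.
    if exist "%%L_logs.csv" del "%%L_logs.csv"

    for /F "usebackq tokens=1" %%S in ("servers.txt") do (
        rem EventType 1 = error, 2 = warning.
        rem -fileMode:0 appends; -headers:AUTO writes the header row only once.
        LogParser -i:EVT -o:CSV -fileMode:0 -headers:AUTO "SELECT ComputerName, TimeGenerated, EventTypeName, SourceName, EventID, Message INTO %%L_logs.csv FROM \\%%S\%%L WHERE (EventType = 1 OR EventType = 2) AND TimeGenerated >= %SINCE%"

        rem An unreachable server adds no rows, which looks the same as a
        rem quiet server, so record every failed collection explicitly.
        if errorlevel 1 echo %%S %%L>> failed_servers.txt
    )
)
endlocal
```

Reading the logs remotely requires an account with rights to the event logs on each server, so run the batch file under a dedicated collection account rather than a general administrator login.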

Re: Consolidate event logs?
"Dave Patrick" <DSPatrick[ at ]nospam.gmail.com> 5/6/2007 3:13:47 PM
This may help.

-----------------------------------------
' Copies every System log event from one computer into a SQL Server table.
Dim strConnect, strSQL, yr, m, d, h, min, s, timeobj

' OLE DB connection string; the provider has to be named with "Provider=".
strConnect = "Provider=SQLOLEDB.1;Integrated Security=SSPI; " _
    & "Persist Security Info=False; " _
    & "Initial Catalog=MyDatabase;Data Source=MyServer"

' [Type] and [User] are bracketed because USER is a T-SQL keyword.
strSQL = "SELECT Category, ComputerName, EventCode, " _
    & "Message, EventType, RecordNumber, SourceName, " _
    & "[Type], [User], TimeGenerated, TimeWritten FROM EventTable; "

Set objConn = CreateObject("ADODB.Connection")
Set objRS = CreateObject("ADODB.Recordset")
objConn.Open strConnect
objRS.CursorLocation = 3           ' adUseClient
objRS.Open strSQL, objConn, 3, 3   ' adOpenStatic, adLockOptimistic

' "." is the local computer; put a server name here to read a remote log.
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!" _
    & "\\" & strComputer & "\root\cimv2")
Set colRetrievedEvents = objWMIService.ExecQuery("Select * " _
    & "from Win32_NTLogEvent Where logfile = 'System'")

For Each objEvent in colRetrievedEvents
    ' Uncomment the If / End If pair to keep events from one source only.
    ' If objEvent.SourceName = "PercRAID.Log" Then
    objRS.AddNew
    objRS("Category") = objEvent.Category
    objRS("ComputerName") = objEvent.ComputerName
    objRS("EventCode") = objEvent.EventCode
    objRS("Message") = objEvent.Message
    objRS("EventType") = objEvent.EventType
    objRS("RecordNumber") = objEvent.RecordNumber
    objRS("SourceName") = objEvent.SourceName
    objRS("Type") = objEvent.Type
    objRS("User") = objEvent.User
    objRS("TimeGenerated") = DateTime2String(objEvent.TimeGenerated)
    objRS("TimeWritten") = DateTime2String(objEvent.TimeWritten)
    objRS.Update
    ' End If
Next
objRS.Close
objConn.Close

' Converts a WMI timestamp (yyyymmddHHMMSS...) to "mm/dd/yyyy HH:MM:SS".
Function DateTime2String(timeobj)
    yr = Left(timeobj,4)
    m = Mid(timeobj,5,2)
    d = Mid(timeobj,7,2)
    h = Mid(timeobj,9,2)
    min = Mid(timeobj,11,2)
    s = Mid(timeobj,13,2)
    DateTime2String = m & "/" & d & "/" & yr _
        & " " & h & ":" & min & ":" & s
End Function
-----------------------------------------


--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

"Steve Gould" wrote:
> Thank you Jeremy! It has the output processing I needed. Still, I need to
> process against a number of remote servers and consolidate the output
> files. I think they will consolidate OK (haven't tried yet), but I don't
> see a way to use it against remote server logs. At this point I think I
> could install the utility and schedule it on each server and have them
> output to a share. It's not perfect, though. I might not get permission to
> install the utility on each server. I'd rather process from my admin
> machine.
>
> I really need some WMI scripts to pull the logs. I'll keep hunting now
> that I am much closer.
>
> Steve

Re: Consolidate event logs?
"Steve Gould" <steve.gould(at)apawood.org> 5/6/2007 11:14:05 PM
OK, now I feel dumb. Since I didn't see it documented I assumed you couldn't
use \\computer\log. Thanks Jeremy. I have everything I need now. I
appreciate your help!

Steve



"Jeremy" <jeremy[ at ]discussions.microsoft.com> wrote in message
news:80683729-4E6A-4549-81BE-AB5793080AE1[ at ]microsoft.com...
> Log parser can operate on remote servers, see logparser.exe -h -i:evt
>
> One example is
> Create TSV files containing Event Messages for each Source in the
> Application Event Log:
>
> LogParser "SELECT SourceName, Message INTO myFile_*.tsv FROM
> \\MYSERVER1\Application, \\MYSERVER2\Application"
>
> You could certainly script this from a centralised server using a for loop
> in a batch file.
>
> FOR /F %%a in (servers.txt) do (
> log parser commands targeting %%a as the server name
> )
>
> servers.txt need only contain all the server names.
>
> Good luck.
>
> Cheers,
> Jeremy.
>
> "Steve Gould" <steve.gould(at)apawood.org> wrote in message
> news:emuQkT3jHHA.4132[ at ]TK2MSFTNGP05.phx.gbl...
>> Thank you Jeremy! It has the output processing I needed. Still, I need to
>> process against a number of remote servers and consolidate the output
>> files. I think they will consolidate OK (haven't tried yet), but I don't
>> see a way to use it against remote server logs. At this point I think I
>> could install the utility and schedule it on each server and have them
>> output to a share. It's not perfect, though. I might not get permission
>> to install the utility on each server. I'd rather process from my admin
>> machine.
>>
>> I really need some WMI scripts to pull the logs. I'll keep hunting now
>> that I am much closer.
>>
>> Steve
>>
>>
>> "Jeremy" <jeremy[ at ]discussions.microsoft.com> wrote in message
>> news:D7F8298F-A8E8-4F52-B66D-50A1C5380BED[ at ]microsoft.com...
>>> You might want to check out logparser. It can do exactly this and
>>> output the data in a variety of methods, including writing it to an SQL
>>> DB
>>> http://www.microsoft.com/technet/scriptcenter/tools/logparser/default.mspx
>>>
>>> "Steve Gould" <steve.gould(at)apawood.org> wrote in message
>>> news:%230mCP4sjHHA.568[ at ]TK2MSFTNGP02.phx.gbl...
>>>> Here is what I am trying to accomplish.
>>>>
>>>> I want to specify a text file to a script that has the names of servers
>>>> to access. The script will grab all warnings and errors from the app
>>>> and system logs for a specified time frame, say last 24 hours or
>>>> something. Then the logs are consolidated in a file by type,
>>>> "application logs" and "system logs". I don't need to get too deep,
>>>> just server name, date, time, source, and description.
>>>>
>>>> I was looking at dumpel.exe, but it doesn't seem like it will do what I
>>>> want except for security logs where I'm only looking for audit
>>>> failures.
>>>>
>>>> Can someone point me at a good script source?
>>>>
>>>> Thanks much!
>>>>
>>>> Steve
>>>>
>>>
>>
>>
>

