A handy tool called EventCombMT.exe, shipped in the Windows Server 2003 Resource Kit and in the Account Lockout and Management Tools (ALTools), lets network administrators export specific kinds of event log entries from one or more servers into a single text file.
Event logs can be overwritten and therefore need to be backed up, and powerful tools such as MOM 2005 are too expensive for small businesses. EventCombMT.exe is a simple free tool that lets administrators in small businesses export the event log entries they care about to a central location as a text file.
Let’s start EventCombMT.exe; its main interface is shown in Figure 1. If we are not in a domain environment, it may pop up a dialog box saying that it cannot find a domain controller.
Figure 1
Right-click the “Select To Search / Right Click To Add” box, then select “Add Single Server” (Figure 2). Other kinds of servers (for example all domain controllers) can be added the same way; in this example we use a single server.
Figure 2
Enter the server name or click “Browse” to browse the server list. Then click “Add Server” (Figure 3).
Figure 3
Then let’s choose the types of log to search, for example the System log, as shown in Figure 4.
Figure 4
Then we need to choose the event types, such as warnings, errors, etc. (Figure 5).
Figure 5
We should also enter the range of event IDs to search, for example events with IDs from 1 to 800, as shown in Figure 6.
Figure 6
We can also restrict the search to a specific event source. Then click “Search”: the tool writes a log file of the run and exports the entries that meet our criteria to a separate text file, as Figure 7 shows.
Figure 7
Figure 8 and Figure 9 show the information included in the text files.
Figure 8
Figure 9
Hi, I would like to have EventCombMT run from Task Scheduler automatically… is this possible? Specifically, to have it start and run a search on a timed schedule and create regular log files that can be searched. I can’t find any documentation for switches that can be used to make it run a specific search automatically. Do you know of a way? Thanks! Roger
I think we all have the same problem… how to automate EventCombMT?
Switches are case sensitive!!! They must be all lowercase.
Load a Saved Search
To load a search that you previously saved use:
/load:
NOTE: if /load is specified no other parameters are parsed, except for /start.
DCs
To add all DCs in your domain to the list of servers to search use:
/dc
To add DCs from another domain use:
/dc:
Example: /dc:redmond
Servers (from file)
To add servers from a text file use:
/file:
Example: /file:"C:\program files\reskit\server.txt"
Servers (from command line)
To add server from the command line use:
/s:
Events
To specify events to search for use:
/evt:"string of events"
Example: /evt:"644 528 639"
Event Types
To specify the types of events to collect use:
/et:weisafasu
OR
/et:all
The different types are:
w – Warning
e – Error
i – Informational
sa – Success Audit
fa – Failure Audit
su – Success
Use all to search for all types
Event Logs
To specify event logs types use:
/log:sysappsecdsfrsdns
OR
/log:all
The log types are:
sys = System
app = Application
sec = Security
ds = Directory Services
frs = FRS
dns = DNS
Output Directory:
To specify the output directory use:
/outdir:"path to where output files should be written"
Example: /outdir:"c:\program files\reskit\"
NOTE: Do not specify a filename. The path should include the trailing ‘\’.
Threads
To specify the number of threads use:
/t:
NOTE: The default is 25.
Event Source
To specify the Event Source use:
/Source:"Source of event message"
Example: /source:netlogon
NOTE: When using the GUI the list of sources is pulled from the registry. When populated from the command line there is no validation checking. You could choose a source and a log/event combination that is not possible.
Event Text
To specify the text that needs to be in the event use:
/text:"text to match"
NOTE: Only use quotes for CMD.EXE’s argument parsing. Do not include quotes, or logical expressions (AND, NOT, OR) in your search criteria, unless you are actually searching for that phrase. The search is case insensitive.
Date Range
To specify the date range use:
/after: to set the starting point for events
/before: to set the ending point for events.
NOTE: Both parameters take a date in the form of MMDDYYYYHHMMSS, or Month, Day, Year, Hour, Minute, Second. The time/date format needs to be exactly 14 characters. It cannot be a year before 1980 or after 2035. Both parameters must be used together.
Example: /after:05012002123000 /before:05052002123000
This resolves to:
Find Events After: Wed May 01 12:30:00 2002
Find Events Before: Sun May 05 12:30:00 2002
All Events
To override /text, /source, /time, /unit and /evt use:
/getallevents.
This is useful when you want to dump an entire event log to a text file.
These commands are only used when searching from the command line.
/nologfile use this to skip creating a log file. This might be useful if you are parsing all the text files that were created and wanted to skip EventCombMT.txt
/start Use /start to automatically start searching.
NOTE: Using /start will cause MessageBoxes to be thrown in the event of errors with parameters. If your parameters are incorrect and you are not using /start, the GUI should catch any problems when you click Search.
/help Using /help (/? or ?) shows this page.
I know the post is not recent, but who knows, maybe someone will see my question:
I want to run the following command:
eventcombMT.exe /load:mysearch /file:srv.txt /after:02252009090000 /before:02252009094000 /nologfile /start
If I don’t use the switch /start, the gui comes up with all the good settings and I can click “Start” straight away and run the search. No error comes up.
But if I use the /start switch, I am getting: “No servers or logs to search”.
Someone had the same problem or could see a way to workaround?
Gents,
I’ve run into issues with the /after and /before switches.
It always errors out with “Argument /after was not recognized”.
The switches are all in lower case and they are in the 14 character format as stated in the above reply.
Any help would be appreciated!
How can I use saved .evt file from a directory?
I need a switch for the command line!
The tool can alter its config in the registry such that it won’t work in future; it will just terminate (with some message like “no data found” or similar). For that reason I now have a step to clean up any corruption with a “regedit.exe /s” step on:
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\EventCombMT]
“Output Directory”=-
Hope that helps someone 🙂
For those wanting to automate EventCombMT, this article shows how to do it:
http://www.windowsitpro.com/article/auditing/collecting-and-analyzing-event-and-system-logs.aspx
My problem with this software though is that it doesn’t let you search custom event logs, which basically makes it useless for me. It’s a shame, since this would have been a useful little tool otherwise.
Hi All,
When I tried using eventcombmt.exe from the command line I received an error like the others: “No events types to search for”. In my case the problem was that I was using the exe file from the 2003 Resource Kit. When I used eventcombmt from ALTools I could use the command line almost normally. Almost, because the parameter /start does not work together with the parameter /load:myNameSavedQuery /start 🙁
EventCombMT from ALTools is bigger, almost 800 KB, versus 150 KB from the Resource Kit (there are also differences in the help).
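Pulling the thread together, here is an added example (mine, not code from the original post, from any commenter, or from Microsoft’s EventCombMT documentation) that does from PowerShell what the GUI walkthrough above does by hand and what the Task Scheduler questions ask for: it assembles an EventCombMT.exe command line from the switches in the pasted help text, computes the 14-character /after and /before timestamps for a sliding window, clears the “Output Directory” registry value one commenter found can block later runs, and can register itself as a daily scheduled task. It uses explicit switches rather than /load, which commenters report does not combine with /start, and assumes the ALTools build of the tool, which a commenter found honours the command line where the Resource Kit build did not. The install path, server list path, output root, task name and event ID list are assumptions; the event IDs are simply the /evt example from the help text.

```powershell
<#
Added example; not code from the original post, its comments, or the tool's docs.
Builds an EventCombMT.exe command line from the switches documented in the help
text above and runs it for a sliding time window, so the same script can be
registered in Task Scheduler. Every path, task name and event ID below is an
assumption for illustration.
#>
param(
    [string]$EventCombPath  = 'C:\Tools\ALTools\EventCombMT.exe',  # assumed install path (ALTools build)
    [string]$ServerListFile = 'C:\Tools\servers.txt',              # assumed: one server name per line
    [string]$OutputRoot     = 'C:\EventComb',                      # assumed output root
    [int]   $LookbackHours  = 24,
    [switch]$Register                                              # create the scheduled task instead of searching
)

# /after and /before must be exactly 14 characters, MMDDYYYYHHMMSS, years 1980-2035.
function ConvertTo-EventCombTimestamp {
    param([Parameter(Mandatory)][datetime]$Date)
    if ($Date.Year -lt 1980 -or $Date.Year -gt 2035) {
        throw "EventCombMT accepts years 1980 through 2035 only, got $($Date.Year)"
    }
    $stamp = $Date.ToString('MMddyyyyHHmmss')
    if ($stamp.Length -ne 14) { throw "Timestamp must be 14 characters, got '$stamp'" }
    return $stamp
}

# Assemble the switch list. Switches are documented as case sensitive and lowercase;
# the double quotes exist only so the argument parser keeps spaces inside a value.
function New-EventCombArgumentList {
    param(
        [Parameter(Mandatory)][datetime]$After,
        [Parameter(Mandatory)][datetime]$Before,
        [Parameter(Mandatory)][string]$OutDir,
        [Parameter(Mandatory)][string]$ServerFile,
        [string[]]$EventIds = @('644', '528', '639'),  # the /evt example from the help text
        [string]$Logs  = 'sec',    # sys app sec ds frs dns, or all
        [string]$Types = 'safa'    # success + failure audits; w e i sa fa su, or all
    )
    if ($After -ge $Before) { throw '/after must be earlier than /before' }
    if (-not $OutDir.EndsWith('\')) { $OutDir += '\' }   # help text: no filename, trailing '\' required
    $switches = @(
        "/file:`"$ServerFile`"",
        "/log:$Logs",
        "/et:$Types",
        "/evt:`"$($EventIds -join ' ')`"",
        "/after:$(ConvertTo-EventCombTimestamp $After)",
        "/before:$(ConvertTo-EventCombTimestamp $Before)",
        "/outdir:`"$OutDir`"",
        '/nologfile',   # skip EventCombMT.txt; the per-search text files are what we keep
        '/start'        # search immediately, no GUI interaction
    )
    return ($switches -join ' ')
}

$scriptPath = $MyInvocation.MyCommand.Path

if ($Register) {
    # Needs the ScheduledTasks module (Windows 8 / Server 2012 or later). Reading
    # remote Security logs needs the 'Manage auditing and security log' right on
    # every target, so in production add -User with a dedicated service account.
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`""
    $trigger = New-ScheduledTaskTrigger -Daily -At '01:00'
    Register-ScheduledTask -TaskName 'EventCombMT nightly' -Action $action -Trigger $trigger -Force | Out-Null
    Write-Host "Registered task 'EventCombMT nightly' to run $scriptPath daily at 01:00"
    return
}

# A commenter above reports the tool can leave a bad 'Output Directory' value in
# HKCU that makes later runs stop with 'no data found'; clear it before each run.
# This only touches the HKCU hive of the account the script runs as.
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\EventCombMT' -Name 'Output Directory' -ErrorAction SilentlyContinue

$now      = Get-Date
$stampDir = $now.ToString('yyyyMMdd-HHmm')
$outDir   = Join-Path $OutputRoot $stampDir
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$argList = New-EventCombArgumentList -After $now.AddHours(-$LookbackHours) -Before $now `
                                     -OutDir $outDir -ServerFile $ServerListFile
Write-Host "Running: `"$EventCombPath`" $argList"
$proc = Start-Process -FilePath $EventCombPath -ArgumentList $argList -Wait -PassThru
Write-Host "EventCombMT exited with code $($proc.ExitCode); output in $outDir"
```

Run it once interactively to check the command line it prints, then run it with -Register to create the task. On hosts without Register-ScheduledTask, substitute schtasks.exe /create with the same powershell.exe command as the /tr value. Because EventCombMT reads and writes its settings under HKCU, the registry cleanup only helps when the script runs as the same account the scheduled task uses.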
This is a good starter on a valuable tool. It gives me all kinds of ideas for its uses.
Thank you
Does anyone know how to specify that EventCombMT should output to a database using command line options?