I recently had a service account that was locking out on one of my servers and I couldn't figure out which server it was. I didn't want to spend a lot of time looking through the event logs of all 14 of my servers, which would be a tedious and time-consuming job. I needed a way to filter the log files down to just the events I wanted and find them easily. To do this I used a free program called EventCombMT, and I will give you a quick rundown of how to use it.
First you will want to get the EventCombMT program; it comes bundled with some other tools and you can get it here. After you are done downloading ALTools.exe you can run it; it will ask you to accept the license agreement and then ask you where to place the files. I just put mine in a folder on my desktop; you can put the files wherever you choose. Once the files are extracted, just go to the folder you saved them in and double-click EventCombMT.exe.
The interface is a little overwhelming if you aren't familiar with log files at all. The first thing you will want to do is enter the server or servers you want to search through. To do this, right-click in the "Select to search" window and choose the option that suits your needs. I chose "add servers from a file" and pointed it at a text file that had all my servers in it, but most people will want to add servers individually by clicking "add a single server".
Once you have all your servers added, the next step is to select the logs you want to search and the types of events. To do this, simply check the box next to whatever logs you want searched. I will choose Security only, since I know the event I want to find is in the Security log. If you choose more than one log to search, don't worry: it creates a separate text file for each log you search rather than throwing them all together. If you choose System and Security, you will get two text files, one named (servername/Security) and one named (servername/System).
Next you will select the event types. For my search I want Failure Audits, because I know that my account locking out is caused by password failures. You can select one or all of these, whatever suits your needs. Next you have the choice to put in specific event IDs, or to search for events whose IDs fall between two numbers. If you know the exact event ID, it's a good idea to put it in so you can filter out as much of the unneeded log data as possible.
Another good way to filter out unwanted entries is to enter a term in the Text option; this searches each log for events whose text matches the term. In my case I added the word Unknown, since the Security failure audits I want will definitely have the text Unknown in them, so this helps me limit the results to the entries I am after. The last thing to set is the Scan Back setting; I chose 5 days so I would find all the results for the week and could report on them. You can pick and choose whichever settings best help you find what you need. There is no wrong way to do a search; you just have to find what works best for you and helps you eliminate all the junk you don't really need.
Now that all your settings are picked, you just have to hit Search. This could take some time depending on the size of your log files, the number of event types and logs you are searching, and how far back in time you are looking. I did 14 servers, 1 log type, 1 event type, and 5 days back, and it took about 10 minutes before my results were compiled.
This brings us to the results, which I have to say aren't displayed in the best manner, but it works: you get the results in a text file. The program opens a folder displaying all your results, with the naming convention (servername-Logfiletype_LOG.txt). You have to open each one and look through your results. I find it easiest to use "find next" and type in what I want in each text file to get to my results the quickest. It's up to you to find what you really need; EventCombMT has just removed all the excess junk that you could have spent hours sifting through. Now you have much more focused results that are much easier to manage.
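If you would rather script the same search than click through the EventCombMT dialog, the following PowerShell does the equivalent with Get-WinEvent: it reads a server list from a file, pulls only Failure Audits from each server's Security log for the last N days (optionally restricted to specific event IDs), applies a free-text filter like the Text box above, and writes one (servername-Security_LOG.txt) file per server. This is an added example and not part of EventCombMT or the ALTools bundle. It assumes a file named servers.txt with one hostname per line, that the remote Event Log service is reachable through the firewall, and that the account running it can read the Security log on each server; the parameter names and output folder are my own choices.

```powershell
<#
  Added example: a Get-WinEvent equivalent of the EventCombMT search described
  in the post. Not EventCombMT's own code.
  Assumptions (mine): servers.txt lists one hostname per line, remote Event Log
  access is open on the firewall, and the caller can read each Security log.
#>
param(
    [string] $ServerList = '.\servers.txt',      # one hostname per line
    [string] $OutDir     = '.\EventCombResults', # where the per-server files go
    [int]    $DaysBack   = 5,                    # the "Scan Back" setting
    [string] $TextMatch  = 'Unknown',            # the "Text" filter
    [int[]]  $EventId                            # optional; e.g. 4740 is the
                                                 # lockout event on 2008 and later
)

# Keywords bit that marks an event as a Failure Audit in the Security log.
$AuditFailure = 0x10000000000000

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Build the server-side filter once; filtering on the remote host is far cheaper
# than pulling the whole log across the wire and filtering here.
$filter = @{
    LogName   = 'Security'
    Keywords  = $AuditFailure
    StartTime = (Get-Date).AddDays(-$DaysBack)
}
if ($EventId) { $filter['Id'] = $EventId }

foreach ($server in (Get-Content $ServerList | Where-Object { $_.Trim() })) {
    $server  = $server.Trim()
    $outFile = Join-Path $OutDir "$server-Security_LOG.txt"

    try {
        $events = Get-WinEvent -ComputerName $server -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches; treat that as zero hits and
        # only warn on real errors such as access denied or host unreachable.
        if ($_.Exception.Message -like '*No events were found*') {
            $events = @()
        } else {
            Write-Warning "$server : $($_.Exception.Message)"
            continue
        }
    }

    # Free-text filter on the rendered message, like EventCombMT's Text box.
    $hits = @($events | Where-Object { $_.Message -match [regex]::Escape($TextMatch) })

    $hits |
        Select-Object TimeCreated, Id, MachineName, Message |
        Format-List |
        Out-File -FilePath $outFile -Encoding UTF8

    Write-Host ("{0}: {1} failure audit(s) matched '{2}' in the last {3} day(s) -> {4}" -f
        $server, $hits.Count, $TextMatch, $DaysBack, $outFile)
}
```

Run it as `.\Search-FailureAudits.ps1 -DaysBack 5 -TextMatch Unknown` (the script name is mine) and you get the same folder of per-server text files the post describes, plus a one-line summary per server so you can see at a glance which host produced the hits without opening every file. Keep the `Keywords` filter in the hashtable rather than checking `Level` afterwards: audit events do not use the Error/Warning levels, so the Failure Audit keyword is the only reliable way to select them.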
I have posted two images, one is my EventCombMT program with my options selected and the other is the folder displaying the text files it created.