Aleks over at http://www.virtualistic.nl has posted a nice article about exporting the Windows eventlogs to a central share on the network via a scheduled job.
Since I reboot my Terminal Servers every day, I’ve made saving the eventlogs a part of my daily reboot script.
First off, download the tools DUMPEVT, LOGEVENT and PSLOGLIST (PSLOGLIST is optional; you can also use DUMPEVT to clear the logs). These tools will help us save the logfiles, clear the logfiles and tell the eventlog what we’re doing.
My reboot script is written in KiXtart, but that is up to you (use cmd, VBScript or PowerShell if you know how).
A little chunk of the script looks like this.
The following things happen in this example:
1) A directory is created to save the logfiles (YEAR-MONTH-DAY)
2) We then use DUMPEVT to save the System, Application and the Security logs and save that to the location specified in step 1
3) PSLogList is used to clear the eventlogs we saved in step 2
4) Then we use LogEvent to log that we cleared the logs (are you still there?)
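The four steps above as an added PowerShell example (not the author’s KiXtart script): it uses the built-in Get-WinEvent, Clear-EventLog and Write-EventLog cmdlets (Windows Vista/2008 and later) in place of DUMPEVT, PSLOGLIST and LOGEVENT, and only clears a log after its export has been verified on the share. The share path and the event source name are placeholders.

```powershell
# Added example: export, verify, clear and record the Windows event logs.
# Run elevated (the Security log needs administrator rights to read and clear).
param(
    [string]$ShareRoot = '\\FILESERVER\eventlogs',                 # placeholder UNC path
    [string[]]$Logs    = @('System', 'Application', 'Security')
)
$source = 'EventLogArchive'   # assumed event source name for step 4

# 1) Create a directory per server and per day: <share>\<hostname>\YYYY-MM-DD
$dir = Join-Path $ShareRoot (Join-Path $env:COMPUTERNAME (Get-Date -Format 'yyyy-MM-dd'))
New-Item -ItemType Directory -Path $dir -Force | Out-Null

$results = @()
foreach ($log in $Logs) {
    # 2) Save the log as CSV (one file per log, so BareGrep can search it later)
    $csv    = Join-Path $dir "$log.csv"
    $events = @(Get-WinEvent -LogName $log -ErrorAction SilentlyContinue)   # empty log -> empty array
    if ($events.Count -eq 0) { $results += "$log was empty, nothing exported"; continue }

    $events |
        Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, MachineName, Message |
        Export-Csv -Path $csv -NoTypeInformation -Encoding UTF8

    # Do not clear anything the share did not receive: re-read the file and compare record counts
    $saved = 0
    if (Test-Path $csv) { $saved = @(Import-Csv $csv).Count }
    if ($saved -eq $events.Count) {
        # 3) Clear the log we just saved
        Clear-EventLog -LogName $log
        $results += "$log -> $csv ($saved events saved and cleared)"
    } else {
        $results += "$log NOT cleared: $saved of $($events.Count) events found in $csv"
    }
}

# 4) Tell the eventlog what we did (the source only has to be registered once)
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}
Write-EventLog -LogName Application -Source $source -EventId 1000 -EntryType Information `
    -Message ("Daily event log export:`n" + ($results -join "`n"))
```

Clearing a log is itself recorded (event 1102 in the Security log, 104 in the System log), so anyone monitoring these servers should expect that event at the scheduled reboot time and not at other times.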
If everything went smoothly you should see this list at the fileserver location where the eventlogs have been stored.
I asked Aleks which tool he used for analyzing his evelogs.csv files. He came up with the tool UltraEdit and I must say, it works fantastic, but I wanted to see if there were more options. First I wanted to analyze the logfiles with PowerShell, but this was too heavy for me (at the moment 😉 ). A couple of days ago I saw the tool called BareGrep.exe. This is grep (the Linux command) with a Windows GUI. BareGrep is a single executable, so you don’t have to install anything.
After downloading BareGrep.exe, just double-click to start the tool. Select the options you want to use, enter the folder/path and, as the final step, enter your keyword(s) and press return.
After a couple of seconds (depending on how many logfiles you want to search in), you’ll see the following output in BareGrep:
You can open the specific file with a double click on the line.
Conclusion: you can build a central store for all the eventlogs and analyze these files with different tools. I like BareGrep for this job, because it’s free, a single file, and easy to use.