Tools For Managing the Windows Eventlog
Last Updated: 20 Nov 2005
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

*** PLEASE NOTE: Link(s), If Provided, May Be Wrapped ***


Here are some tools for managing, consolidating and
reporting on Windows NT/2000/XP/2003 Event Logs:


MICROSOFT

• DumpEl ................. Resource Kit
• ELogDmp ................ Resource Kit -- Win2K
• LogEvent ............... Resource Kit
• LogParser .............. Resource Kit -- IIS6
• EventCombMT ............ Resource Kit -- Server 2003
              ............ http://www.microsoft.com/downloads/details.aspx?FamilyID=9964CF42-E236-4D73-AEF4-7B4FDC0A25F6&displaylang=en


FREEWARE

• AlertNet! .............. http://home.new.rr.com/edev/AlertNet/
• DumpEvt ................ http://www.somarsoft.com/
• EventLog Analyzer ...... http://manageengine.adventnet.com/products/eventlog/
• EventSave .............. http://www.heysoft.de/
• Jespers NT Tools ....... http://www.ibt.ku.dk/jesper/NTtools/
• PsLogList .............. http://www.sysinternals.com/ntw2k/freeware/pstools.shtml
• AINTX Utilities ........ http://www.dwam.net/docs/aintx/


COMMERCIAL

• adTempus ............... http://www.arcanadev.com/adtempus/
• Aelita InTrust ......... http://www.aelita.com/products/intrust/
• Argent Guardian ........ http://www.argent.com/
• ELM Enterprise Manager . http://www.tntsoftware.com/
• Emco EventLog Audit .... http://www.emco.is/
• Event Analyst .......... http://www.doriansoft.com/eventanalyst/
• Event Archiver ......... http://www.doriansoft.com/eventarchiver/
• Event Log Monitor ...... http://www.lanware.net/
• Event Reader ........... http://www.eventid.net/eventreader/
• Event Reporter ......... http://www.eventreporter.com/en/
• Event Sentry ........... http://www.eventsentry.com/
• EventLog Analyzer ...... http://manageengine.adventnet.com/products/eventlog/
• GFI LanGuard S.E.L.M. .. http://www.gfi.com/lanselm/
• Logcaster .............. http://www.rippletech.com/
• NTManage ............... http://www.lanware.net/
• Opalis Robot ........... http://www.opalis.com/
• Somix Logalot .......... http://www.somix.com/products/logalot.php
• Special Op Suite ....... http://www.specialoperationssuite.com/
• WDumpEvt ............... http://www.eventlog.com/


EVENTLOG to SYSLOG Utilities

• BackLogNT .............. http://www.intersectalliance.com/projects/BackLogNT/
• EventLog 2 SysLog ...... https://engineering.purdue.edu/ECN/Resources/Documents/UNIX/evtsys/
• NT-SysLog .............. http://ntsyslog.sourceforge.net/
• Snare .................. http://www.intersectalliance.com/projects/SnareWindows/


USING EVENTCOMBMT

EventCombMT is a cool Microsoft utility which can search
for a specific Event ID across multiple Eventlogs. It is
available in the Server 2003 Resource Kit or as a separate
download.

• http://www.microsoft.com/technet/security/prodtech/windows/secwin2k/09detect.asp
• http://www.microsoft.com/downloads/details.aspx?FamilyID=9964CF42-E236-4D73-AEF4-7B4FDC0A25F6&displaylang=en
• http://www.secadministrator.com/Articles/Index.cfm?ArticleID=37450


BUILD YOUR OWN EVENTLOG MONITORING CONSOLE

An alternative to purchasing and deploying any of the
EventLog monitoring tools listed above is to build your
own using free tools plus a SysLog server.

Choose one of the EventLog-to-SysLog utilities and
install it on your servers and/or workstations. Next,
choose a SysLog server and deploy that centrally. You
can configure the alerts via the Syslog server, so that
you are immediately notified of critical errors, and the
logs can be kept around for longer term searches.

This approach works well for environments of many different
sizes, and it also gives you a baseline against which to
evaluate the effectiveness of third-party monitoring tools.

• http://www.netadmintools.com/art284.html
• http://www.netadmintools.com/art127.html
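An added example (not part of the original article) of the central piece of such a do-it-yourself console: a small Python detector that parses lines as an EventLog-to-SysLog agent might forward them and raises alerts for Error events and for bursts of failed logons (pre-Vista event 529). The line layout, host names and events are constructed; real agents use their own field order, so parse_event must be adapted to the agent you deploy.

```python
import socket
from collections import defaultdict

# Constructed sample lines in a simplified Snare-style tab-delimited layout; adapt parse_event to your agent's real format.
SAMPLE_LINES = [
    "<13>Nov 20 10:15:01 SRV01 MSWinEventLog\t1\tSecurity\t101\t529\tSecurity\tadmin\tFailure Audit\tLogon Failure: bad password",
    "<13>Nov 20 10:15:03 SRV01 MSWinEventLog\t1\tSecurity\t102\t529\tSecurity\tadmin\tFailure Audit\tLogon Failure: bad password",
    "<13>Nov 20 10:15:04 SRV01 MSWinEventLog\t1\tSecurity\t103\t529\tSecurity\tadmin\tFailure Audit\tLogon Failure: bad password",
    "<13>Nov 20 10:16:00 WS07 MSWinEventLog\t1\tApplication\t55\t1000\tMyApp\tN/A\tInformation\tService started",
    "<11>Nov 20 10:17:12 SRV02 MSWinEventLog\t1\tSystem\t77\t6008\tEventLog\tN/A\tError\tThe previous system shutdown was unexpected",
    "<13>Nov 20 10:17:13 SRV02 some unrelated syslog message",
]

FAILED_LOGON = 529  # pre-Vista security event: logon failure, bad user name or password

def parse_event(line):
    """Split a forwarded line into host and event fields; None if not a Windows event."""
    try:
        header, payload = line[line.index(">") + 1:].split(" MSWinEventLog\t", 1)
    except ValueError:
        return None
    fields = payload.split("\t")
    if len(fields) < 7:
        return None
    return {"host": header.split()[-1], "log": fields[1], "event_id": int(fields[3]),
            "source": fields[4], "user": fields[5], "type": fields[6],
            "message": fields[7] if len(fields) > 7 else ""}

def evaluate(lines, threshold=3):
    """Yield one alert per Error event, plus one per host after `threshold` failed logons."""
    failures = defaultdict(int)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["type"] == "Error":
            yield "ERROR on %s: %s/%d %s" % (ev["host"], ev["source"], ev["event_id"], ev["message"])
        if ev["event_id"] == FAILED_LOGON and ev["type"] == "Failure Audit":
            failures[ev["host"]] += 1
            if failures[ev["host"]] == threshold:
                yield "FAILED-LOGON BURST on %s: %d x event %d, last user %s" % (
                    ev["host"], threshold, FAILED_LOGON, ev["user"])

def serve(port=514):
    """Minimal UDP syslog receiver feeding the same rules (binding 514 needs privileges)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    stream = iter(lambda: sock.recvfrom(8192)[0].decode("latin-1", "replace").rstrip("\r\n"), None)
    for alert in evaluate(stream):
        print(alert)
```

Running `list(evaluate(SAMPLE_LINES))` yields one burst alert for SRV01 and one Error alert for SRV02; a real syslog server would keep the raw lines as well, so that the longer-term searches mentioned above stay possible.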


You can also send EventLogs to an RSS feed:

• http://www.rassoc.com/gregr/weblog/archive.aspx?post=570


DEALING WITH CORRUPTED EVENTLOGS

• http://support.microsoft.com/?KBID=829246


WHITEPAPERS & TECH DOCUMENTS

• http://www.windowsnetworking.com/articles_tutorials/Monitoring-Troubleshooting-Event-Logs.html
• http://windows2000.about.com/compute/windows2000/library/weekly/aa032899.htm
• http://windows2000.about.com/compute/windows2000/library/weekly/aa000618b.htm
• http://www.eventid.net/
• http://www.microsoft.com/technet/support/ee/ee_advanced.aspx
• http://www.computerperformance.co.uk/event_viewer.htm


PERSONAL NOTES

• Your first stop for debugging EventLog errors should
  be: http://www.eventid.net/

• One of the first things I do after setting up NT/2000
  is to configure the EventLog to a decent size (8192KB)
  and set the logs to "Overwrite As Needed".

• You can use NTSYSLOG to output your EventLogs from
  multiple servers to a single SysLog server.  This is
  far less expensive than many of the tools listed above,
  and can afford you more flexibility with reporting
  and correlation.  It has some issues getting logs from
  Windows 2003 servers.

• EventCombMT is a cool tool from Microsoft for searching
  for a specific Event ID across multiple systems.

• "EventLog-to-Syslog" is very easy to set up, and while
  not quite as flexible as NTSYSLOG (as far as the kind of
  events that will be monitored), it is less resource
  intensive, and works properly with Windows 2003 Server
  (and earlier).


RELATED SCRIPTS (ALSO IN THIS ARCHIVE)

These scripts will configure the EventLog (among other
things) for overwriting:

• http://KB.UltraTech-llc.com/Scripts/?File=EventLog.KIX
• http://KB.UltraTech-llc.com/Scripts/?File=SystemOptions.KIX
• http://KB.UltraTech-llc.com/Scripts/?File=SystemOptions.VBS
• http://KB.UltraTech-llc.com/Scripts/?File=GetInfo.BAT
• http://KB.UltraTech-llc.com/Scripts/?File=SaveLogs.BAT
• http://KB.UltraTech-llc.com/Scripts/?File=SaveLogs-B.BAT
• http://KB.UltraTech-llc.com/Scripts/?File=Logon.BAT
• http://KB.UltraTech-llc.com/Scripts/?File=Install-EvtSys.BAT
• http://KB.UltraTech-llc.com/Scripts/?File=Install-Snare.BAT


RELATED TOPICS (ALSO IN THIS ARCHIVE)

• http://KB.UltraTech-llc.com/?File=SysLog.TXT
• http://KB.UltraTech-llc.com/?File=Monitoring.TXT
• http://KB.UltraTech-llc.com/?File=Scripting.TXT
• http://KB.UltraTech-llc.com/?File=ResKit.TXT
• http://KB.UltraTech-llc.com/?File=ToolKit.TXT
• http://KB.UltraTech-llc.com/?File=Utils.TXT