Re: Locating and listing event IDs

2009-03-09 Thread James Rankin
I tend to rely on SCOM to point me at issues occurring in the event
logs...don't have to parse them manually any more

2009/3/6 MarvinC 

> Correct but my goal is to compile a list of events across a particular set
> of servers to help in establishing a "pattern" for recurring issues. So say
> I have a cluster of servers that are experiencing high CPU issues and I need
> to know what event ID's were common on those servers. This gives me
> something I can compare side by side and keeps me from having to scan
> through each server's log.
>
>
>
> On Fri, Mar 6, 2009 at 9:54 AM, Michael B. Smith <
> mich...@theessentialexchange.com> wrote:
>
>>  Logparser and “select unique”.  Or something of the same nature.
>>
>>
>>
>> I aggregate my logs, but I do so differently...looking at a single instance
>> doesn't necessarily tell you of the severity of a situation.
>>
>>
>>
>> *From:* MarvinC [mailto:marv...@gmail.com]
>> *Sent:* Friday, March 06, 2009 9:45 AM
>> *To:* NT System Admin Issues
>> *Subject:* Locating and listing event IDs
>>
>>
>>
>> Anyone have a script or method for listing event IDs? With any server
>> you're gonna have a slew of events; what I want to do is list the single
>> instance of each event. So let's say I have 400 warnings for event ID: 9646,
>> several for event ID: 333, 50 for event ID: 1023. Well, I would want to grab
>> the following:
>>
>>
>>
>> Type   Date       Time   Source   Category  Event  User  Computer
>> Error  1/1/2009   12:00  Crypt32  None      8      N/A   Server1
>> Error  2/1/2008   1:00   EXCDO    General   8199   N/A   Server2
>>
>>
>>
>> So instead of seeing multiple instances of the alerts I only see the
>> single instance.
>>
>>
>>
>> Any responses appreciated.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: Locating and listing event IDs

2009-03-06 Thread Michael B. Smith
You can roll your own, and I've done so in a previous life, but you are
starting to talk about the point where 3rd party software makes sense.

 

EventTracker does this. ACS does this. I'm sure Tivoli/OpenManage/etc. all
have ways of doing this.

 

From: MarvinC [mailto:marv...@gmail.com] 
Sent: Friday, March 06, 2009 11:47 AM
To: NT System Admin Issues
Subject: Re: Locating and listing event IDs

 

Correct but my goal is to compile a list of events across a particular set
of servers to help in establishing a "pattern" for recurring issues. So say
I have a cluster of servers that are experiencing high CPU issues and I need
to know what event ID's were common on those servers. This gives me
something I can compare side by side and keeps me from having to scan
through each server's log.



 

On Fri, Mar 6, 2009 at 9:54 AM, Michael B. Smith
 wrote:

Logparser and "select unique".  Or something of the same nature.

 

I aggregate my logs, but I do so differently...looking at a single instance
doesn't necessarily tell you of the severity of a situation.

 

From: MarvinC [mailto:marv...@gmail.com] 
Sent: Friday, March 06, 2009 9:45 AM
To: NT System Admin Issues
Subject: Locating and listing event IDs

 

Anyone have a script or method for listing event IDs? With any server you're
gonna have a slew of events; what I want to do is list the single
instance of each event. So let's say I have 400 warnings for event ID: 9646,
several for event ID: 333, 50 for event ID: 1023. Well, I would want to grab
the following:

 

Type   Date       Time   Source   Category  Event  User  Computer
Error  1/1/2009   12:00  Crypt32  None      8      N/A   Server1
Error  2/1/2008   1:00   EXCDO    General   8199   N/A   Server2

 

So instead of seeing multiple instances of the alerts I only see the single
instance. 

 

Any responses appreciated.


Re: Locating and listing event IDs

2009-03-06 Thread MarvinC
Correct but my goal is to compile a list of events across a particular set
of servers to help in establishing a "pattern" for recurring issues. So say
I have a cluster of servers that are experiencing high CPU issues and I need
to know what event ID's were common on those servers. This gives me
something I can compare side by side and keeps me from having to scan
through each server's log.



On Fri, Mar 6, 2009 at 9:54 AM, Michael B. Smith <
mich...@theessentialexchange.com> wrote:

>  Logparser and “select unique”.  Or something of the same nature.
>
>
>
> I aggregate my logs, but I do so differently...looking at a single instance
> doesn't necessarily tell you of the severity of a situation.
>
>
>
> *From:* MarvinC [mailto:marv...@gmail.com]
> *Sent:* Friday, March 06, 2009 9:45 AM
> *To:* NT System Admin Issues
> *Subject:* Locating and listing event IDs
>
>
>
> Anyone have a script or method for listing event IDs? With any server
> you're gonna have a slew of events; what I want to do is list the single
> instance of each event. So let's say I have 400 warnings for event ID: 9646,
> several for event ID: 333, 50 for event ID: 1023. Well, I would want to grab
> the following:
>
>
>
> Type   Date       Time   Source   Category  Event  User  Computer
> Error  1/1/2009   12:00  Crypt32  None      8      N/A   Server1
> Error  2/1/2008   1:00   EXCDO    General   8199   N/A   Server2
>
>
>
> So instead of seeing multiple instances of the alerts I only see the single
> instance.
>
>
>
> Any responses appreciated.


RE: Locating and listing event IDs

2009-03-06 Thread Troy Meyer
I agree with Michael's response based on usefulness, but depending on your 
scripting ability, you can do something like this in PowerShell or VB. This 
sounds very similar to a custom report for an SMTP connector I wrote a while 
back; it looks for a single instance (user sending/receiving) and then 
tabulates data for that user. I imagine the same logic would apply to what you 
are trying to do with event logs. 

Basically you create a custom object that includes all the information you want 
along with an index number attribute and for each item you process you search 
the custom object list and return the index if it exists or null if it doesn't. 
 Then you either add the data to the existing object at the returned index or 
create a new object.

Good luck, I am curious if you are using this simply for audits or for actual 
routine log analysis.

-troy

-Original Message-
From: MarvinC [mailto:marv...@gmail.com] 
Sent: Friday, March 06, 2009 6:45 AM
To: NT System Admin Issues
Subject: Locating and listing event IDs

Anyone have a script or method for listing event IDs? With any server you're 
gonna have a slew of events; what I want to do is list the single instance 
of each event. So let's say I have 400 warnings for event ID: 9646, several for 
event ID: 333, 50 for event ID: 1023. Well, I would want to grab the following: 
 
Type   Date       Time   Source   Category  Event  User  Computer
Error  1/1/2009   12:00  Crypt32  None      8      N/A   Server1
Error  2/1/2008   1:00   EXCDO    General   8199   N/A   Server2
 
So instead of seeing multiple instances of the alerts I only see the single 
instance. 
 
Any responses appreciated.




RE: Locating and listing event IDs

2009-03-06 Thread Michael B. Smith
Logparser and "select unique".  Or something of the same nature.

 

I aggregate my logs, but I do so differently...looking at a single instance
doesn't necessarily tell you of the severity of a situation.

 

From: MarvinC [mailto:marv...@gmail.com] 
Sent: Friday, March 06, 2009 9:45 AM
To: NT System Admin Issues
Subject: Locating and listing event IDs

 

Anyone have a script or method for listing event IDs? With any server you're
gonna have a slew of events; what I want to do is list the single
instance of each event. So let's say I have 400 warnings for event ID: 9646,
several for event ID: 333, 50 for event ID: 1023. Well, I would want to grab
the following:

 

Type   Date       Time   Source   Category  Event  User  Computer
Error  1/1/2009   12:00  Crypt32  None      8      N/A   Server1
Error  2/1/2008   1:00   EXCDO    General   8199   N/A   Server2

 

So instead of seeing multiple instances of the alerts I only see the single
instance. 

 

Any responses appreciated.
