EventCombMT – free Windows event log search tool
I was looking for a tool that can help me search the event logs on a number of servers for a particular event. My first thought was to do an "exercise" by writing a Python script, when a colleague of mine sent me a link to the Microsoft article How to use the EventCombMT utility to search event logs for account lockouts. EventCombMT is part of the "Account Lockout and Management Tools", but it can be used for generic event log searches. After downloading the pack and starting EventCombMT, my first impression was that this would not suit my needs, as it is a GUI and I would prefer a command line version of the tool. Fortunately, I checked the Help before dumping the tool, where I found out that we can easily use it from the command line as well.
Let’s see EventCombMT in action:
We want to search the System event log of an Oracle server (ORASERVER1) for the event that indicates a Fibre Channel path to our SAN has gone down. I'm searching for Event ID 5 with text similar to this: "Path1 removed from multipath device nn by MPIO".
cmd> EventCombMT /s:oraserver1 /evt:"5" /et:we /log:sys /outdir:"C:\temp" /t:1 /after:01152008120000 /before:02122008120000 /start
The whole command must be entered on a single line. The search runs under the credentials of the account you launch it from, so that account needs permission to read the System log on the remote server.
Short explanation of the switches:
- the server to search (/s:); a file containing a list of server names can be specified instead
- we're searching for event #5 (/evt:"5"), which in our case comes from the sdddsm source with the text "Path1 removed from multipath device nn by MPIO"
- we're interested in two event types, Warning and Error (/et:we)
- we want to limit the search to the System log (/log:sys)
- the number of threads EventCombMT should use for the search (/t:1)
- the time interval for the search (/after, /before), in the format MMDDYYYYHHMMSS (this format is mandatory)
- we want the search to run straight from the command line (/start)
The command produces two files in the output directory. The first one is called EventCombMT.txt and looks something like this:

Find Events After: Tue Jan 15 12:00:00 2008
Find Events Before: Tue Feb 12 12:00:00 2008
Searching System Logs
Event IDs: 5
No Event Text specified.
No Event Source specified.
No Between Event IDs specified.
Will Search the following servers:
oraserver1
To find these events we'll need a search running. It has already begun....
Spawning Thread for: oraserver1
Thread Running for: oraserver1
Opening: C:\temp\oraserver1-System_LOG.txt
Number Of Records for the System log on oraserver1 is 1248
Total Bytes Read ending with the System log on oraserver1: 189124
C:\temp\oraserver1-System_LOG.txt contains 22 parsed events.
Exiting thread for: oraserver1
All threads Scheduled to run are running.
Total events searched: 1248
Total matches found: 22
Servers/Logs Searched: 1
DLL Cache Contained: 0
SID Cache Contained: 0
Start time: Tue Feb 12 16:12:51 2008
Finish time: Tue Feb 12 16:12:51 2008
True records per second: 1248.00
The second file, oraserver1-System_LOG.txt, contains the matching events from the System log, one per line (event ID, type, source, time, user, and the event's insertion strings), newest first:

5,WARNING,sdddsm,Sat Jan 19 18:57:41 2008,No User, 1 13
5,WARNING,sdddsm,Sat Jan 19 18:57:41 2008,No User, 1 12
5,WARNING,sdddsm,Sat Jan 19 18:57:41 2008,No User, 1 11
5,WARNING,sdddsm,Sat Jan 19 18:57:41 2008,No User, 1 10
5,WARNING,sdddsm,Sat Jan 19 18:57:41 2008,No User, 1 9
5,WARNING,sdddsm,Sat Jan 19 18:57:41 2008,No User, 1 8
5,WARNING,sdddsm,Sat Jan 19 18:57:41 2008,No User, 1 7
5,WARNING,sdddsm,Sat Jan 19 18:57:41 2008,No User, 1 6
5,WARNING,sdddsm,Sat Jan 19 18:57:41 2008,No User, 1 5
5,WARNING,sdddsm,Sat Jan 19 18:57:41 2008,No User, 1 4
5,WARNING,sdddsm,Sat Jan 19 18:57:41 2008,No User, 1 3
5,WARNING,sdddsm,Sat Jan 19 18:57:41 2008,No User, 1 2
5,WARNING,sdddsm,Sat Jan 19 18:57:41 2008,No User, 1 1
5,WARNING,sdddsm,Sat Jan 19 18:57:41 2008,No User, 1 0
5,WARNING,sdddsm,Fri Jan 18 16:25:52 2008,No User, 1 13
5,WARNING,sdddsm,Fri Jan 18 16:25:52 2008,No User, 1 12
5,WARNING,sdddsm,Fri Jan 18 16:25:51 2008,No User, 1 11
5,WARNING,sdddsm,Fri Jan 18 16:25:51 2008,No User, 1 10
5,WARNING,sdddsm,Fri Jan 18 16:25:51 2008,No User, 0 13
5,WARNING,sdddsm,Fri Jan 18 16:25:51 2008,No User, 0 12
5,WARNING,sdddsm,Fri Jan 18 16:25:50 2008,No User, 0 11
5,WARNING,sdddsm,Fri Jan 18 16:25:50 2008,No User, 0 10
C:\temp\oraserver1-System_LOG.txt contains 22 parsed events.
At this point I can write a simple script (with Python, of course ;-) that'll check for the presence of a certain event in the logfile and send an SMS alert to my friendly Motorola Tamagotchi.
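As an added example (not code from the original post), here is what such a script could look like in Python. It parses the <server>-System_LOG.txt format shown above, skips the summary line EventCombMT appends, keeps only the Event ID 5 records from the sdddsm source, groups the path removals per multipath device into bursts, and builds an SMS-sized alert line. The sample records are constructed for the example, and reading the two trailing insertion strings as the multipath device number and the removed path number is an assumption, not something the post confirms.

```python
"""Parse EventCombMT's per-server output and build an alert when the
MPIO "path removed" warnings from the sdddsm source show up."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format EventCombMT writes to
# <server>-System_LOG.txt (newest first), plus the summary line the
# tool appends. The Disk record is there to show that unrelated
# warnings are filtered out. Raw string: the paths contain backslashes.
SAMPLE_LOG = r"""
5,WARNING,sdddsm,Sat Jan 19 18:57:41 2008,No User, 1 13
5,WARNING,sdddsm,Sat Jan 19 18:57:41 2008,No User, 1 12
51,WARNING,Disk,Fri Jan 18 16:30:00 2008,No User, \Device\Harddisk2\DR2
5,WARNING,sdddsm,Fri Jan 18 16:25:51 2008,No User, 0 13
5,WARNING,sdddsm,Fri Jan 18 16:25:50 2008,No User, 0 10
C:\temp\oraserver1-System_LOG.txt contains 5 parsed events.
"""

TIME_FORMAT = "%a %b %d %H:%M:%S %Y"  # e.g. "Sat Jan 19 18:57:41 2008"


def parse_eventcomb_log(text):
    """Turn the <server>-System_LOG.txt contents into a list of dicts.

    Each record is: event id, type, source, time, user, and then the
    event's insertion strings (everything after the fifth comma, split
    on whitespace). The trailing "... contains N parsed events." summary
    line and anything that does not look like a record are skipped.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.endswith("parsed events."):
            continue
        parts = line.split(",", 5)  # insertion strings may contain commas
        if len(parts) < 5:
            continue
        try:
            event_id = int(parts[0])
            when = datetime.strptime(parts[3].strip(), TIME_FORMAT)
        except ValueError:
            continue  # not an event record
        records.append({
            "id": event_id,
            "type": parts[1],
            "source": parts[2],
            "time": when,
            "user": parts[4],
            "strings": parts[5].split() if len(parts) == 6 else [],
        })
    return records


def find_path_failures(records, event_id=5, source="sdddsm",
                       window=timedelta(minutes=1)):
    """Select the MPIO path-removal warnings and group them into bursts.

    Returns {device: [burst, ...]} where each burst is a dict with the
    first/last time seen and the set of paths removed. Assumption: the
    first insertion string is the multipath device number and the
    second is the removed path number.
    """
    wanted = sorted(
        (r for r in records if r["id"] == event_id and r["source"] == source),
        key=lambda r: r["time"])
    by_device = defaultdict(list)
    for r in wanted:
        if len(r["strings"]) < 2:
            continue
        device, path = r["strings"][0], r["strings"][1]
        bursts = by_device[device]
        if bursts and r["time"] - bursts[-1]["last"] <= window:
            bursts[-1]["last"] = r["time"]
            bursts[-1]["paths"].add(path)
        else:
            bursts.append({"first": r["time"], "last": r["time"],
                           "paths": {path}})
    return dict(by_device)


def sms_text(server, failures, limit=160):
    """One SMS-sized line: the latest burst per device, or "" if nothing."""
    if not failures:
        return ""
    parts = []
    for device, bursts in sorted(failures.items()):
        b = bursts[-1]
        parts.append("dev %s: %d path(s) down %s" % (
            device, len(b["paths"]), b["last"].strftime("%m-%d %H:%M")))
    return ("%s MPIO: " % server + "; ".join(parts))[:limit]


if __name__ == "__main__":
    found = find_path_failures(parse_eventcomb_log(SAMPLE_LOG))
    print(sms_text("oraserver1", found) or "no MPIO path failures")
```

Timestamps are parsed with the C-locale English day and month names that EventCombMT writes, and the records are sorted before grouping because the tool lists them newest first. Replacing SAMPLE_LOG with the contents of the real output file and the print with the SMS gateway call of your choice is all that is left to do.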
Posted on 22.02.2008, in MS Windows and tagged windows.