Whatis eventquery.vbs

After going to TechED SEA 2007, I renewed my spirit to continue my higher pursuit of command-line excellence. As my colleagues would acknowledge, I kind of stumbled upon it since I was interested in the automation of big enterprise-level environments. As my manager's infamous saying goes, "Think how to do it for 50 servers..." Yeah right, it's easy for him to say. 🙂

So I gave it some thought and decided: why not publish every command-line function of Windows servers in particular (though not restricted to them) for the audience of the internet? This would also include some scripts that I wrote for my company and team to use in their daily job scope.

Sooooo, for today, I am going to start with eventquery.vbs. This is a built-in script that Microsoft ships with Windows XP Professional and Windows Server 2003 (in %SystemRoot%\System32) for querying the multi-megabyte event logs in a fairly intuitive way. You can format and filter the output, and write a short piece of logic to find any event IDs you want to check across all the existing logs on the computer. Best of all, the script can be fired from anywhere at the command prompt; run it under cscript (cscript //nologo eventquery.vbs ...) so the output lands in the console rather than in WScript dialog boxes. For example:

EVENTQUERY.vbs /r 3 /fi "id eq 0" /fo csv - fires the script against all the existing event logs (Security, Application and System), keeps only events with ID zero, limits the listing to the 3 most recent events, and writes the output as CSV for later massaging. Note that /r is an event count or range (N for the N most recent, -N for the N oldest, N1-N2 for a range), not a number of days; to bound the query by date you use the Datetime filter instead, e.g. /fi "Datetime gt 09/09/2007,12:00:00AM" (eventquery.vbs /? lists the filter names and operators). Now that's cool. And you know what's better: if you can write a simple FOR loop, you can write a batch file that loops this command over the servers you have in a list. For example:

@echo off
rem serverlist.txt holds one host name per line; output goes to one CSV per server
for /F %%i in (serverlist.txt) do (
    echo Processing %%i...
    cscript //nologo %SystemRoot%\System32\eventquery.vbs /s "%%i" /r 3 /fi "id eq 'whatever ID you are filtering against'" /fo csv > "%%i-events.csv"
)

*remove the 'quotes' around the ID

Save this file as bat123.bat, put the servers you wish to query in another file called serverlist.txt, and fire away. Make sure you have administrative access to all the machines you are querying against. The script accepts /u and /p for alternate credentials, but a password written into a batch file sits in clear text on disk, so it is better to run the batch under an account that already has the rights. Another simple tool with the same feature is psloglist.exe from Sysinternals (Winternals Software, acquired by Microsoft in 2006). Although I know we can run these programs from a remote jump box or sandbox, our company's environment doesn't allow any tools to be installed without prior approval from the security team, so we might not want to use it, even though it has a lot of functions: it can window events by the last N days, hours or minutes (-d, -h, -m), where eventquery.vbs needs an explicit Datetime filter. Play around some and you will be surprised what more you can actually get out of this small but nice tool.
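The "later massaging" step is where the 50-server question gets answered: once the batch above has left one CSV per host, something has to merge them and say which servers logged the ID you were hunting for, and since when. The script below is an added example written for this post, not code from the original author; it assumes the /fo csv header is Type, Event, Date Time, Source, ComputerName (check the first line of a real output file and adjust the names if your build differs), that "Date Time" is formatted like 9/12/2007 8:15:02 AM, and that the files are named <host>-events.csv as in the batch above. The two sample files are constructed by hand, not captured from a server. On Windows Vista/Server 2008 and later eventquery.vbs is no longer shipped, but the same per-host CSV can be produced with wevtutil.exe or PowerShell's Get-WinEvent and fed to the same aggregation.

```python
"""Merge eventquery.vbs /fo csv output collected from many servers and
report, per event ID, which hosts logged it and how often.

Added example, not part of the original post. The column layout
(Type, Event, Date Time, Source, ComputerName), the date format and the
<host>-events.csv naming are assumptions; adjust to match real output.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample data: what two runs of
#   cscript //nologo eventquery.vbs /s <host> /fo csv > <host>-events.csv
# might leave behind. Not captured from a real server.
SAMPLE_FILES = {
    "SRV01-events.csv": '''"Type","Event","Date Time","Source","ComputerName"
"Error","7034","9/12/2007 8:15:02 AM","Service Control Manager","SRV01"
"Information","6005","9/12/2007 6:00:10 AM","EventLog","SRV01"
"Failure Audit","529","9/12/2007 9:41:55 PM","Security","SRV01"
"Failure Audit","529","9/12/2007 9:42:01 PM","Security","SRV01"
''',
    "SRV02-events.csv": '''"Type","Event","Date Time","Source","ComputerName"
"Information","6005","9/11/2007 11:02:44 PM","EventLog","SRV02"
"Failure Audit","529","9/12/2007 9:41:58 PM","Security","SRV02"
''',
}

# Assumed layout of the "Date Time" column (month/day/year, 12-hour clock).
DATE_FMT = "%m/%d/%Y %I:%M:%S %p"


def parse_time(text):
    """Turn a "Date Time" cell into a datetime so windows can be compared."""
    return datetime.strptime(text.strip(), DATE_FMT)


def parse_events(text):
    """Parse one server's CSV text into dicts with an int ID and a typed timestamp."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "type": row["Type"],
            "id": int(row["Event"]),
            "time": parse_time(row["Date Time"]),
            "source": row["Source"],
            "host": row["ComputerName"],
        })
    return events


def load_all(files):
    """Merge every <host>-events.csv (name -> file text) into one event list."""
    merged = []
    for _name, text in files.items():
        merged.extend(parse_events(text))
    return merged


def hosts_with_event(events, event_id, since=None):
    """Return {host: count} for hosts that logged event_id, optionally only at/after `since`."""
    counts = Counter()
    for e in events:
        if e["id"] == event_id and (since is None or e["time"] >= since):
            counts[e["host"]] += 1
    return dict(counts)


def summary_by_id(events):
    """Return {event_id: {host: count}} across the whole fleet."""
    table = defaultdict(Counter)
    for e in events:
        table[e["id"]][e["host"]] += 1
    return {event_id: dict(c) for event_id, c in table.items()}


def load_from_disk(paths):
    """Same as load_all but reading real files written by the batch loop."""
    files = {}
    for path in paths:
        with open(path, newline="") as fh:
            files[path] = fh.read()
    return load_all(files)


if __name__ == "__main__":
    fleet = load_all(SAMPLE_FILES)
    for event_id, per_host in sorted(summary_by_id(fleet).items()):
        print(event_id, per_host)
    # Which hosts saw a failed logon (529) on or after the 12th?
    print("529 since 9/12:", hosts_with_event(fleet, 529, parse_time("9/12/2007 12:00:00 AM")))
```

To use it on the real output, replace SAMPLE_FILES with load_from_disk(glob.glob("*-events.csv")). Per-host files are merged before filtering so one run answers "which of the 50 servers" for any ID, and the Datetime window is applied in the script, which is useful because eventquery.vbs itself only bounds by event count with /r.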

eventquery.vbs options

That's all for now. If you like what you see, please give me some feedback; if you want more information, comment and let me know. If you don't like it, comment as well, so I know whether you like the approach I have led this blog with. Thank you, till tomorrow. Please wait as I compile more TechED stuff for your viewing pleasure. Adios!


~ by bassplayr on September 12, 2007.

2 Responses to “Whatis eventquery.vbs”

  1. Nice 😉

    But it looks like it is not present on Server 2008.

  2. Nice article.
    Will it work for "Windows Server 2008"? Is there any alternative for Windows Server 2008?

    Thank you.
