Monitoring Windows Event Logs
In a continuation of our theme this month of cost saving yet effective monitoring techniques, we're going to look at a problem brought to me by a customer in Singapore that we solved with event log monitoring. In our example, the admin spends a lot of time on the phone with users who've locked themselves out of their accounts, so fixing these problems quickly is a priority. In a large, distributed environment, managing domain user security issues can be a challenge. Users lock themselves out of their accounts, they log in where they shouldn't, accounts expire and get disabled, systems shut down and start up, logon services fail, and many more events are recorded in Security event logs that can grow to be extremely large. Unfortunately, parsing huge event logs remotely can be both time consuming and resource intensive when you use standard protocols such as WMI to query for events. Trying to parse the Security log with its many thousands of security audits becomes impractical when WMI queries take from 3 to 20 minutes to complete.
Once again our solution is provided by some cool free stuff, the Windows eventquery.vbs script. Microsoft provides this script on Windows Server 2003 in the system32 directory. The script lets you query the Event Logs much faster than reading through them. It takes several arguments that you can see by running the command "eventquery /?" from a CMD prompt. Here are the important ones for our solution:
- /S - Server to query
- /FO - Format; we use the argument CSV for comma-separated values
- /L - Log to query (Security, System, Application, etc.)
- /FI - Filter; we filter on DATETIME and ID
- Other useful filters: User, Computer, Source, Type (i.e. Errors)
- /V - Verbose
In my testing, searching for particular events using the eventquery vbscript is orders of magnitude faster than using WMI, especially on the biggest security logs. Furthermore, the method doesn’t demand the large IO bandwidth of solutions that download the entire logs. I built a BAT file to take a few arguments and execute the vbscript so that it only gets events in the last 5 minutes. The time threshold is calculated by another vbscript that I borrowed from my colleague Susan.
Here’s what’s in the BAT file:
@echo off
REM Usage: eventlogquery.bat <server> <log name> <event id>
set Server=%1
set File=%2
set EvtID=%3
REM time_threshold.vbs prints the "5 minutes ago" timestamp in the DATETIME
REM format eventquery expects (MM/DD/YY,hh:mm:ssAM|PM); the delimiter is ';'
REM rather than the default space so the whole line lands in %%i.
FOR /F "tokens=1 delims=;" %%i IN ('cscript //nologo //b E:\scripts\time_threshold.vbs') DO set TimeThreshold=%%i
REM Running the .vbs directly relies on cscript being the default script host.
EVENTQUERY.vbs /S %Server% /V /FO CSV /L %File% /FI "DATETIME gt %TimeThreshold% AND Id eq %EvtID%"
Here’s the time_threshold Vb script:
' Prints the timestamp five minutes ago in the eventquery DATETIME
' filter format: MM/DD/YY,hh:mm:ssAM|PM (12-hour clock, zero-padded fields).
Dim Threshold, MonthStr, DayStr, HrStr, MinStr, SecStr, AmPm
Threshold = DateAdd("n", -5, Now)
' Decide AM/PM from the 24-hour value before it is converted, so the
' result does not depend on the locale's short time format.
If Hour(Threshold) < 12 Then AmPm = "AM" Else AmPm = "PM"
MonthStr = DatePart("m", Threshold)
If Len(MonthStr) = 1 Then MonthStr = "0" & MonthStr
DayStr = DatePart("d", Threshold)
If Len(DayStr) = 1 Then DayStr = "0" & DayStr
HrStr = Hour(Threshold)
If HrStr > 12 Then HrStr = HrStr - 12
If HrStr = 0 Then HrStr = 12  ' midnight is 12:xx:xxAM, not 00:xx:xxAM
If Len(HrStr) = 1 Then HrStr = "0" & HrStr
MinStr = Minute(Threshold)
If Len(MinStr) = 1 Then MinStr = "0" & MinStr
SecStr = Second(Threshold)
If Len(SecStr) = 1 Then SecStr = "0" & SecStr
' Year is taken from the threshold, not from today, so the window is right
' across midnight on New Year's Eve.
WScript.StdOut.Write MonthStr & "/" & DayStr & "/" & Right(DatePart("yyyy", Threshold), 2) & "," & HrStr & ":" & MinStr & ":" & SecStr & AmPm
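The same two pieces of the pipeline, the threshold timestamp and the handling of the CSV that eventquery returns, as an added Python example; this is not code from the original post or from the Longitude solution. It makes the 12-hour conversion explicit (midnight and noon are the cases the VBScript has to get right) and parses the CSV with a real CSV reader so descriptions containing commas survive. The column names in the sample header, the wording of the lockout description, and the use of Windows Server 2003 event ID 644 ("User Account Locked Out") are constructed sample data, not output captured from a server.

```python
import csv
import io
import re
from collections import Counter
from datetime import datetime, timedelta


def eventquery_datetime(moment):
    """Render a datetime the way eventquery.vbs expects in a DATETIME
    filter: MM/DD/YY,hh:mm:ssAM|PM. The 12-hour conversion is explicit so
    midnight becomes 12:xx:xxAM and noon stays 12:xx:xxPM regardless of
    the machine's locale settings."""
    hour12 = moment.hour % 12 or 12
    suffix = "AM" if moment.hour < 12 else "PM"
    return "%02d/%02d/%02d,%02d:%02d:%02d%s" % (
        moment.month, moment.day, moment.year % 100,
        hour12, moment.minute, moment.second, suffix)


def build_filter(event_id, minutes=5, now=None):
    """Build the /FI argument: events of one ID newer than `minutes` ago."""
    now = now or datetime.now()
    threshold = eventquery_datetime(now - timedelta(minutes=minutes))
    return "DATETIME gt %s AND ID eq %d" % (threshold, event_id)


def parse_eventquery_csv(text):
    """Parse 'eventquery /FO CSV /V' output into dicts keyed by the header
    row. Column names are assumed (see SAMPLE_CSV); the header row of the
    real output is authoritative and DictReader uses it as-is. Quoted
    fields mean commas inside a description do not split the row."""
    reader = csv.DictReader(io.StringIO(text))
    return [row for row in reader if row.get("Event")]


# Hypothetical description layout used by the constructed sample below.
TARGET_RE = re.compile(r"Target Account Name:\s*([^,\s]+)")


def locked_out_accounts(rows):
    """Count account names pulled from lockout descriptions. The User
    column of a lockout audit is the system account, so the locked account
    has to come from the description; rows without it are skipped."""
    names = Counter()
    for row in rows:
        match = TARGET_RE.search(row.get("Description", ""))
        if match:
            names[match.group(1)] += 1
    return names


# Constructed sample output, not captured from a real server.
SAMPLE_CSV = '''"Type","Event","Date Time","Source","ComputerName","Category","User","Description"
"Audit Success","644","8/4/2007 9:01:12 AM","Security","DC01","Account Management","NT AUTHORITY\\SYSTEM","User Account Locked Out: Target Account Name: jdoe, Caller Machine Name: WS42"
"Audit Success","644","8/4/2007 9:02:40 AM","Security","DC01","Account Management","NT AUTHORITY\\SYSTEM","User Account Locked Out: Target Account Name: jdoe, Caller Machine Name: WS42"
"Audit Success","644","8/4/2007 9:03:05 AM","Security","DC01","Account Management","NT AUTHORITY\\SYSTEM","User Account Locked Out: Target Account Name: asmith, Caller Machine Name: WS07"
'''


if __name__ == "__main__":
    print(build_filter(644, now=datetime(2007, 8, 4, 9, 0, 0)))
    for name, count in locked_out_accounts(parse_eventquery_csv(SAMPLE_CSV)).items():
        print("%s locked out %d time(s)" % (name, count))
```

In practice you would feed `build_filter()` into the `/FI` argument and pipe the command's standard output into `parse_eventquery_csv()`; the per-account counts are what the admin wants on screen before the phone rings.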
This collection method gave us a way to get time-critical information from huge Windows Security Event Logs with very short interval tests every few minutes, instead of every 15 minutes or longer. Now the admin knows before the user calls that somebody is locked out or that a server has rebooted.
TIP - if you want to run .VBS scripts directly from a BAT file, set the default script host to cscript with "CSCRIPT //H:CSCRIPT //S".
As usual, I created a Longitude solution that uses this method. It’s called EventLogQuery. Please send me an email if you’d like a copy.